IETF Logo Mail Archive

Re: Blocking packets from suspicious ports

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Thu, 05 May 2022 12:49 UTC

Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 287CAC15E40B for <quic@ietfa.amsl.com>; Thu, 5 May 2022 05:49:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.672
X-Spam-Level:
X-Spam-Status: No, score=-7.672 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-cJHCQ8K4fW for <quic@ietfa.amsl.com>; Thu, 5 May 2022 05:49:55 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on20618.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::618]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B39EC14F72A for <quic@ietf.org>; Thu, 5 May 2022 05:49:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GqFVwb6pqWtY+OtrHIobVyniiog7Qzvh22rbPvdSqNPMaSdLhGBK5WoGsjyKzMcTNCuaT25LZgw56TX07l9lApWrMInyslZAL1lfRzPprUSKX04rCxhrG2MUjeFDgF3l6A6hJIPfex+i5XSrmx7V/PhcC7hdA0GwY64PSTU8wKfnssqDuN65C+85k8hpSbWujgv6wFfPrwnyIt/b26i07w2iyIXHLgx4q2onLsxF5BQM2J1LKC3MyCmMcgnp9hqD95+okU6l/P0fQT6vncsbqUIYnjnl77c1fqoCoPZV7pgYwIvuZSDeS/ZvXjeTjO9TIqoLXSWVEHcNgg2YSvngnQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HRTsqLO0nXdgCwOBBDtVPYijrQivjPGYsn0ijPJMhKo=; b=j0lxZnO0NaI6Da1QJeClRpSYSFfV7BDow6LA908UhXyKbtGduSHJviyPtQxRz7O/PTJO00v0+gpXetWFNJWWTrLFRcFEGGtlzmJTPLuZAlTq7ua+3f4Augzr6tGUrbP6PDxiAXeTo2vQhYzF2oKHr1FGQL0fKjUu/LLYlfwAffuz679Ji/Vi7hjWUVHYYQi+3d/K+GNUP4I5PNfmeCGhZyFYEyJMr+cJ950Q4/J8bLwcBxKNqmYwY0Grq42xmB3liuyvO0EyCD+Lv9w+Eo8Rca0dcqFZ4agdMfrJTyIhia6hR0IlFj3lVjaxf7s19ux3eB+TN2plBPjGBQaJZQMTQQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HRTsqLO0nXdgCwOBBDtVPYijrQivjPGYsn0ijPJMhKo=; b=swiJxM9HIfFmWliXLX9QPnCsJMGiNxscPH4LyaP19t4OGfVYTpPk7nAzSTsLgo87QtBjkNI8WskAThD0e4dLe+UgT2ChNylwFJVwrjjP6CCgtIPxQXZQt56is7ujR7R2vr3V+XeUJiupZOLkO4jQ4IhASbkUyXwNAVJEx9HVCNo=
Received: from PAXPR07MB7806.eurprd07.prod.outlook.com (2603:10a6:102:13a::19) by PA4PR07MB7536.eurprd07.prod.outlook.com (2603:10a6:102:c5::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.6; Thu, 5 May 2022 12:49:49 +0000
Received: from PAXPR07MB7806.eurprd07.prod.outlook.com ([fe80::694a:d09c:33eb:8827]) by PAXPR07MB7806.eurprd07.prod.outlook.com ([fe80::694a:d09c:33eb:8827%6]) with mapi id 15.20.5227.016; Thu, 5 May 2022 12:49:49 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: Christian Huitema <huitema@huitema.net>, Willy Tarreau <w@1wt.eu>
CC: IETF QUIC WG <quic@ietf.org>
Subject: Re: Blocking packets from suspicious ports
Thread-Topic: Blocking packets from suspicious ports
Thread-Index: AQHYXmNutymS6bt20kShRtm3gSWutq0MGgKAgABjj4CAAWVyAIAAOb+AgAAe5YCAAA72AIAAleoAgAGBbgA=
Date: Thu, 05 May 2022 12:49:49 +0000
Message-ID: <2041D362-BADA-4585-933F-2A9555FEAE94@ericsson.com>
References: <6830cf87-e1b6-14bb-7b10-9341fdb6d941@huitema.net> <1b686f1e-912d-5c02-cf5f-a8afbdd924bb@redbarn.org> <20220503032335.GB20878@1wt.eu> <e8c90e2b-e0f1-82ca-8243-2b41412de513@huitema.net> <20220504040937.GA25251@1wt.eu> <c29d88ab-20f2-45d3-6398-bbc5be8e7246@huitema.net> <20220504065344.GA26036@1wt.eu> <f42eb3ea-9db4-e425-290b-f73731cea08f@huitema.net>
In-Reply-To: <f42eb3ea-9db4-e425-290b-f73731cea08f@huitema.net>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.48.21041102
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d8781b0e-9b82-4c7f-5e44-08da2e95bd96
x-ms-traffictypediagnostic: PA4PR07MB7536:EE_
x-microsoft-antispam-prvs: <PA4PR07MB7536C740C05DA8D51D002D1AF4C29@PA4PR07MB7536.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4u5rDsKoKJ1qks6DaDjFcvsv1Xs8Mr9qom8VhZIvmITLy+AT+DhfIwYHhoCjBDuI7BpdcvqWOtHjmR0RAXBOyw671ifCg598WByJuGGuh5g4FempL/ZUS1UImxsUeXQSqxLi9Pol0pnIckbBEAwr3SN5N3E1qraOo3XoM+U/PwmHZ99Fe1wfjP7PG/aWHlFl7p+qTDE28pwMRZEjcCyiNMeqACMq7b3L/+UatbKMXus7YatnyYPnPkv/tMaNQEoknmopMATOFg/DUxy2bg9eVihWYRSbKZziHCvfohtEllxjvpJIfKEyCi0/GGx5K5UV8E7siCbUJASN5MuIPLvO4WlkFn/Q7ABC0qDiJpH5wRqAEf/62uBjbjF16Qdquv3YxW2vWtiW6KzQlyKhcyYHT5x6AuRB12rFP14yJdaJTsdwSdLtEOS1Sd8jeMZHTlIjhWEP9fNiqmxAFaJTpvrHWVXJgYpc2Z/3gPz8NRRnrbNDL4v+LJuTaafsgrDKbbB8W849+fOKFZcnOmavp2sLmHccTXDyqxF4k5PmGV6yK/3ttTMglEkXOkph2xnG2/vaCpy+r88pggc3xbiDA6NezagpSQcuj2keFvFXpF7wSNLLUVD3teRifYla2midu1JPCH//djTUju2O184+nxrPbrgjDRaiWsRunfJ3PcA+55XYvMAhWbBMw8t0KugZAhme0eUdwjYMTYiiGdWvIdv5W5XZ/ctB5xsKBDUW4g/dm3WHpRe4JlTL0UJ4ukXcSh78kPSeXSna3C0EGa6kzyd6BdVudW80ilkZ7chxmk3WpXqU0tUxNCkkPY5oJ1GR8xQY7GurmM6JItWEN25InP9GPV5ZsN2CODhMjWJ8ajpAV3LmMArQNOOfa8QRi1ryT7++poFDFkUxvHZOZ5vjGqdR6g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PAXPR07MB7806.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(2906002)(5660300002)(71200400001)(33656002)(66476007)(66446008)(66556008)(64756008)(91956017)(508600001)(76116006)(38070700005)(4326008)(8936002)(8676002)(66946007)(38100700002)(122000001)(6486002)(966005)(44832011)(82960400001)(186003)(66574015)(26005)(2616005)(36756003)(86362001)(110136005)(83380400001)(316002)(6512007)(6506007)(53546011)(99724002)(781001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 8cgwGscrImBSXjEwUSmXO8rwMzc9UsUAyROZUhy0ZbxlsEyo+FVl1Yzq8/3xbPMsIm1D7d0jaJDR7kTFXv0adGJfTeTySlxIbD76rKrCFnOZOFg7QcEvd1bi25lMtB0KDwXPQE6g0YlxgMa0bN7RNOV84xPZdDVns23Qr0k0wlPeTbzz4tzfQdRz1EK4P5QZXLmYWRPbB2C+QeYDo0Vprx6YW6pI7NA/3TJMHPrVgDBo3TXbYabwJGj1Zd4SQ+aVQYukKTzDKna2Br5L1z3ViFVJcpMI+DwX8eiHcJBNeOLyPNoAPHpBpHIX440KX2SGByy5sNmPc2CfE2JvEBBMmlqh4+XXT0QUnJUQ4/s4YZqVzdPfzGwdJ6NUXe4uJDHT7rzUY7JUYuarLBSYYD0ffS5o2xcWPt1rMXCpk6sB7g/YGnPbsB246zaGaRBa182uffz7B8xv+HTMXDL7luMzWR7RFhSv5DEnD4C4pOWC13x22WofnGrM77PE81o41EBgFoHVAN7IyfGoeM6qZGcGEdD+HyVSM6jcwHz40Pmmd68lGJkHC0q5VdNbUYG2wntke4u/AjGCmx8ZyBcmEt9u4g5mXElhb/8IAlF9jOsALuc2Yqin0AJ0CizKsLE5YMRNmS0hMbzc8+BMXToYCtTSEJiU2cvnvchH/V+GeKG3IxnQUt5KpliQSZZM1qTFhEAcPbNPuu1Oyy5PBR0oO+7mTF37kFfEqtbVGWhVcSw01qCvjg+fw17fFDkLVsHZBmMGL0rnmtSU80Bxg7lfyQLXDG4/wza423O5zrrXkMI/sRvfbqttaxpOx9rDdclwzyVGFfMH2tBGNa75jte6lusY67D0/K1eyBM7tAC7nh3oL9eAn62rFBIM8bv+8QUTXEP9Yw4nYpr1aWKEVEg7kJfpaEDTvgUY7A6T687UU4Wzf42zP7MaSUQY8nnaZOYBMl2KZaudb9FznXG5CATQkkdton5c/ORV4pA4WuI1vwiv4SyCeBE5hgFjb4yATPLji9N2Xywm1nbabxHPkAfIDSahXhwBZpbSvmqvlM0yYEzAwm1Kd9JC2UQ+BXBVdkehll5wKZ0xq25Jfj7YqWzf4JLjODFhOOCEov/t0PXZZUlVq6PiLnOqsDwZaXr9Dkpm0iHq4Z8BNOcrKWAcFK0gkVzIZXe76UUBeqiX8XP28cPOLG443aOZBU0RPg/Zc2yu6RC5jPz9FzgfPWxkWcZEI+nlzufnv+mBAixQ/hXfVLO9OtA3sm0C46/e8Mnn/EnDCv21LuQ2PEZaFVvmr2zFa93OxtOeUrQtje0GL7P8LoF7q01AbpXnptx0L9fdE1SW4T6jEhpQhQeUqhVZ+hih6cQBfZJRvvRKYm7JOrsb364QTCTWcfvvqGeyOLUPpgR0ZNFGl7Iu1kzgDdS/a6nvXI+OCksyhsjukBma4IfRVrRBpKVfyZgAKHIUMGTda/ZpVY/IlVPvBTUAho5Yt1/XBn/gM3ogPpzsNDNV3hQeCe6YeEL6/N1CGrygGhxbt8QBlPSkASeaarSopBlNQQPq863gE7HW1ocx9CKHYZPxHKkDQXASzAjp+2jec/gpcCjScFBxX3NdisUNiuLwqNJSYvjkx7zxLKd3RrwP85Lin6/g2RTp0dazTPbRqP/TqMk6d3ubgVcsoeSN4LM51J+24gSpP3vRTMgcZN7QCl72eUZP+kDzlmajWnY7lKH9jTuKGTbljriD6daFzApTXSlyt//ql1xN9/yrSvNuoaPPNPMXu/ViPiOr5wgaZnXwHHamun9E
Content-Type: text/plain; charset="utf-8"
Content-ID: <7CBAD00B5D8CD149BE9177010CCDBA82@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PAXPR07MB7806.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d8781b0e-9b82-4c7f-5e44-08da2e95bd96
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2022 12:49:49.1943 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: basrvFNDdb9GDSwXuHPEzV+niOZVOxk1x6DuSTUkmszgw5xVdzg4JUarWdF8uakxaWYErwYt7OBMi69nANrFWF8+RiMY1x6oEL0oxvVCh24=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR07MB7536
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/wQShroN4IwCG6cegTSsBB3mCL6U>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2022 12:49:59 -0000

Hi, as you mention the manageability draft... there is quite some relevant text in there.

E.g. there is a section on first packet identification:
https://www.ietf.org/archive/id/draft-ietf-quic-manageability-16.html#name-first-packet-identification
which mainly says there is not much you can do but it's discussed.

Also note that recommendations how to deploy QUIC are in scope for the applicability statement (not manageability) and that document e.g. as a section source part selection:
https://www.ietf.org/archive/id/draft-ietf-quic-applicability-16.html#name-source-port-selection

However, I think there are also various things you have discussed below that are not QUIC specific and therefore probably don't really belong into any of the two docs (but there is always a change to write another one).

Mirja



On 04.05.22, 17:51, "QUIC on behalf of Christian Huitema" <quic-bounces@ietf.org on behalf of huitema@huitema.net> wrote:


    On 5/3/2022 11:53 PM, Willy Tarreau wrote:
    > On Tue, May 03, 2022 at 11:00:11PM -0700, Christian Huitema wrote:
    >> QUIC includes a feature to facilitate moving a connection from an anycast
    >> address to a unicast address. The client finds the anycast address through
    >> the DNS, contacts the server, learns a "preferred server address" during the
    >> handshake, and tries validating that preferred address before using it for
    >> the rest of the connection duration, without risk losing the connection to a
    >> routing event that redirects anycast to a different server. Which is nice,
    >> but of course a villainous server could feed a bogus preferred address.
    >> That's the client bounce for you. All the server packets before the bounce
    >> are sent with the expected 5 tuple. And of course the "preferred address" is
    >> sent using encrypted packets.
    > Ah, I wasn't aware, seen like this, that's fun. Well, I guess the client
    > will try to connect to the new address with some info allowing to identify
    > the origin server (e.g. SNI), thus allowing a QUIC decoder/server at that
    > address to spot where the client found the address, no ?

    Everything is encrypted, except for a few bytes in the packet header 
    that carry a connection identifier, i.e., an octet string chosen by the 
    server. The server provides the client with a list of those; if needed, 
    that list is known by the load balancer at the server side, so the LB 
    can forward the packet to the right server in the farm. The encryption 
    key is specific to the connection, so only the right server can respond.

    >>> There *will* inevitably be some problems at the beginning, but one good
    >>> thing is that solutions are reasonably simple, can instantly be deployed
    >>> in field using port filtering, and will quickly land in the code itself
    >>> because the various stack authors have full control of their code.
    >> Port filtering at the edge will not catch the "preferred address attack" in
    >> which the server proposes a non-anycast address to the client, so I guess
    >> QUIC stacks will have to protect that. As in, if a server says "please move
    >> the connection to 10.0.0.1:53", the client should just decline and stick to
    >> the anycast address. And yes, using a configurable list makes sense.
    > Yes, that's a good point, I agree. I think quite a bit of the burden will
    > be on the clients' shoulder. It reminds me the good joke we had in the 90s,
    > creating a "warez.<domain>" DNS entry pointing to 127.0.0.1. I've personally
    > seen someone trapped and saying "what, they stole'my data!" after ftping
    > there :-)
    >
    >>>> Yes. Should that really be "per source port" or "per source IP + port"?
    >>> Per port should be sufficient. There's no reason from the server side that
    >>> multiple clients collectively decide to use the same source port to send
    >>> legit traffic. And using the port alone will allow to quicky detect a new
    >>> internet-wide attack coming from a randomly vulnerable service (IoT
    >>> gateways, ToIP etc) regardless of their address. I don't know how this
    >>> would be distributed, but I guess that if a source port is responsible
    >>> for 100 times more traffic than all other one combined, it will usually
    >>> be a good indicator that you don't want to deal with that traffic anymore.
    >> I would expect quite a bit of legit server-to-server traffic on ports 443 or
    >> 853,
    > I think that's exactly the thing we must avoid. Encouraging (or even
    > allowing) this is exactly what will make it impossible for infrastructure
    > to defend itself against massive attacks. There's no value in using the
    > same port on both sides. The savings of sockets and source ports are
    > already enormous, going from N to 1 from TCP to QUIC, if an agent needs
    > to make outgoing connections, it certainly can afford a second socket,
    > which is nothing compared to the hundreds of thousands it would have used
    > in TCP. Not being willing to do that is putting the internet at risk. For
    > example among the protections you usually find at the edge is the blocking
    > of a TCP SYN packet from a source port below 1024. A few services in the
    > past (rlogin, rsh) used to bind to ports 512-1023 to "prove" that the
    > user ID was authenticated by the local OS, but that's never seen over the
    > net. One service has caused trouble to this, active FTP with source port
    > 20, and rules which were a bit too lax used to allow it to connect to any
    > service (e.g. SMTP) thereby allowing to use FTP servers to send spams by
    > retrieving files that contained SMTP protocol contents. This has
    > contributed to making active FTP unpopular, and nowadays it has become
    > safe to block SYN from sources < 1024 at the edge. UDP doesn't have such
    > a thing as a SYN flag and it's critical that traffic cannot be made
    > symmetrical, or there's no more infrastructure filtering and only
    > application level filtering.

    Too bad that nobody discussed that during the review of 
    https://datatracker.ietf.org/doc/draft-ietf-quic-manageability/, that 
    could have been a nice place for such considerations.

    It seems that we really need to write all these recommendations in a 
    draft. Services that are peer-to-peer in nature would tend to use a 
    single port.Same for QUIC stacks. It is a little bit easier to use a 
    single socket than to force outgoing connections on a single socket. If 
    we want them to use two separate ports, we have to explain convincingly.

    On the other hand, I think we are past the "port below 1024" rules. For 
    example, memcached is on port 11211, MDNS on port 5353, and there are 
    many more like that.

    >> but yes, keeping a dynamic list of most abused ports makes sense.
    >> Although that's mostly an issue for volumetric attacks, and host based
    >> defenses are not too efficient there, but still it feels better than just
    >> receiving the attack and waiting until it stops.
    > Definitely.
    >
    >>>>> I think we'll discover new fun things over time and will learn new
    >>>>> attacks and workarounds as deployments grow.
    >>>> I have not heard of actual attacks "in the wild", but who knows...
    >>> It's too early, stacks are still evolving and the level of deployment
    >>> is not high yet. That doesn't mean nobody is trying to elaborate new
    >>> attacks. For example yesterday on my home servers which do not advertise
    >>> QUIC I received one short packet from port 443 to port 443 from a host
    >>> named "scanners.labs.something", and a 1238-byte one from a random port
    >>> to 443 from a host named "scan-19a.somethingelse". Thus it shows that
    >>> studies are already in progress. We just need to be patient :-)
    >>
    >> We probably will not have to wait too long...
    > I hope so. It's important to get real-world feedback on protocols early
    > enough to allow them to improve. It's especially important right now that
    > any QUIC site can fall back to H1/H2 over TCP so it's easy to just block
    > it in case of massive failure. If big problems are reported only 10 years
    > after deployment it will be much harder to disable it in emergency.

    Yes, but out of our control...

    -- Christian Huitema

v2.23.0 | Report a Bug | By Email