netsec-sig - Re: [Security-WG] Security group highlights - December 2018
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- To:
- Cc: gcbrowni <>
- Subject: Re: [Security-WG] Security group highlights - December 2018
- Date: Tue, 8 Jan 2019 10:01:38 -0600
Also, I think packet fragments, other than the first fragment, are recorded as port 0 in NetFlow data since there is no TCP or UDP header in subsequent fragments.
On Tue, Jan 8, 2019 at 9:10 AM John Kristoff <> wrote:
On Tue, 8 Jan 2019 14:09:34 +0000
gcbrowni <> wrote:
> Not to pile on too much, but we’re even seeing UDP port 0 attacks in
> the analysis we’re doing in Deepfield Defender. Much like 1918, etc,
> UDP port 0 is something that we should never see since it’s invalid.
It might usually be, but strictly speaking this is not necessarily so,
at least not when it is a source port value.
From IETF RFC 768:
Source Port is an optional field, when meaningful, it indicates the
port of the sending process, and may be assumed to be the port to which a
reply should be addressed in the absence of any other information. If
not used, a value of zero is inserted.
In my experience, I seem to only recall seeing source port zero used in
some IP multicast app a long time ago. I think most apps just set a
non-zero value even if they don't expect a response.
Here is a template I have been using at our borders if it helps any:
<https://github.com/jtkristoff/junos/blob/master/firewall.conf>
There is very little I can throw away outright, but you'll see the
bogon prefixes I use. There are some bogus bit combinations that should
be safe to drop for many environments (e.g. deprecated ICMP types and
internetwork IGMP), but there may be corner cases for some networks
where these might be desirable.
John
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
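An added example, not part of the original messages: a Python sketch that separates the cases raised in this thread in which a UDP flow shows a port of 0 (unused source port per RFC 768, destination port 0, and non-initial fragments). That an exporter records ports as 0 for non-initial fragments is taken from the message above as an assumption; the function names and sample packets are constructed for illustration.

```python
import struct

UDP = 17

def ipv4_udp(l4_bytes, frag_offset=0, more_fragments=False):
    """Build a constructed IPv4 packet (checksum left 0, documentation addresses)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset  # offset in 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 1, flags_frag,
                         64, UDP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + l4_bytes

def udp(sport, dport, data):
    """Build a UDP header plus payload (checksum 0, meaning not computed)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def flow_ports(pkt):
    """Return (sport, dport, reason) as a flow exporter keyed on L4 ports would see it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != UDP:
        raise ValueError("expected an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_offset:
        # Assumption from the message above: no UDP header here, so ports export as 0.
        return 0, 0, "non-initial fragment"
    if len(pkt) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if dport == 0:
        return sport, dport, "destination port 0"
    if sport == 0:
        return sport, dport, "source port unused (RFC 768)"
    return sport, dport, "normal"

# Constructed sample packets, not captured traffic.
SAMPLES = [
    ipv4_udp(udp(40000, 53, b"query")),                          # ordinary datagram
    ipv4_udp(udp(0, 5000, b"one-way")),                          # sender expects no reply
    ipv4_udp(udp(40000, 0, b"x")),                               # destination port 0
    ipv4_udp(udp(40000, 4789, b"A" * 16), more_fragments=True),  # first fragment
    ipv4_udp(struct.pack("!HH", 1234, 5678) + b"tail", frag_offset=3),  # later fragment
]

def classify(samples=SAMPLES):
    return [flow_ports(p) for p in samples]

if __name__ == "__main__":
    for sport, dport, reason in classify():
        print(f"{sport:>5} -> {dport:<5} {reason}")
```

The last sample's payload begins with bytes that would decode as ports 1234 and 5678; they are ignored because a non-zero fragment offset means no UDP header is present.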