netsec-sig - Re: [Security-WG] Security group highlights - December 2018
Subject: Internet2 Network Security SIG
List archive
- From: Adair Thaxton <>
- To: "" <>
- Subject: Re: [Security-WG] Security group highlights - December 2018
- Date: Tue, 8 Jan 2019 16:02:52 +0000
- Accept-language: en-US
- Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
- Ironport-phdr: 9a23:5cWkTR/GnlaPcf9uRHKM819IXTAuvvDOBiVQ1KB21uocTK2v8tzYMVDF4r011RmVBdWds6oMotGVmpioYXYH75eFvSJKW713fDhBt/8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFRXjLwp1Ifn+FpLPg8it2O2+557ebx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyhzHontJf+RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKWE169b1uhTFUACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMMvrRr42RDui9b9mRh/2hikaKz43/mLZisJyg6JavB2vqBNwzpXIYI6OLvdyYr/Rcc8YSGdHQ81fVzZBAoS5b4YXE+cOIPxXr4jnp1ATsxW+BROjBezzyj9PgH/9wKo30/89EQHGxgMhEM4OsHPSrNjuNacSV/y1w7fSzTXFcfxWxSnx5JLWfR88vPGBRLR9etffx0koEgPKlFSQqYr9MjOXy+QNtWmb7/J+WuK1kWInrR9+oiS3yscji4nJmoIVyk3f+ilj3Ik1Iti4RUhmatCnCJtdrzyWO5d5T884TGxlujw2x7MItJKhfCUHx4wrywDQZvCdbYSE/w/vWPyMLTp2hn9pYq+zihKw/ES4xO3zSMq53EpPoydAltTDq3IA1xLW58WGVPRy4EKs2TiP2gzP7uxJJF44laTFJ5I/xLM7i4Advl7ZHiDsnUX7lK+WeVsg+uiv8+npeqnrqJiAO4Npkw3zL7wgl8KmDeQ/KQcBQXKX+eOh1L3/5kL5R6hKjvsrnaXDqJDaP8MbprKnDABJzoYj6hG/DzG83NQfgHkHMFZFeBWAj4jqIV3BPPf4DfKnj1Stljdk2ezGM6X8DpnRIXXPirjscLRn50NSxgc/19BS6p1MBrEEOv3zW0vxtNLCDh8+Ngy52/3nCMl91owEVmOPHqiZMKXJvF+J4OIvP/eDZJUTuDnjN/gp+eTigmEkll8AZaWpx4cYaGikHvR6JEWUeWHsjckdHmcXpAo+TfDqiV2bXT9daHa/RKY85jAgCIK6FofPWJqhgL2H3CenAJJWfGZGBU6QEXv2bYmLReoDaD/BavNmx3YfWLO8UY49xFSxuyf7zaZqNOzZ5ndeuJ7+npAh/ODYiAsz6S0xEMu10meRQntyk39SATI6wfYsj1Z6zwKq3aF5mbRkFdVD+/RPGlMhKZ7V3/B9DfjzXB7MZNGEVAzgT9m7V2JiBuktysMDNh4uU+6piQrOinLwWe0ciqCLCZoo86nVw3n2IYNnxm3b0LU61gN2EMpJKWC8gKNjrU7eC5Oa20malqP/c6Ma0WaN8WqY1mOBsQleVxI4SqTKW30TJy605dT070/PVfmiXLIgNAYSyMieJ7FMZ8Gzy1hKWaSrNNHXeWnknWC2CF6Bza+Na4y/fWIb0UC/QEgJmgwe5zCILw87Uyanv2/ECjFyTxTib16//A==
- Spamdiagnosticoutput: 1:0
Yup - I sent this to Grover earlier as a consideration:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB31437&cat=JUNOS&actp=LIST
On 1/8/19 11:01 AM, David Farmer wrote:
> Also, I think packet fragments, other than the first fragment, are
> recorded as port 0 in NetFlow data since there is no TCP or UDP header
> in subsequent fragments.
>
> On Tue, Jan 8, 2019 at 9:10 AM John Kristoff
> <
>
> <mailto:>>
> wrote:
>
> On Tue, 8 Jan 2019 14:09:34 +0000
> gcbrowni
> <
>
> <mailto:>>
> wrote:
>
> > Not to pile on too much, but we’re even being UDP port 0 attacks in
> > the analysis we’re doing in Deepfield Defender. Much like 1918, etc,
> > UDP port 0 is something that we should never see since its invalid.
>
> It might usually be, but strictly speaking this is not necessarily so,
> at least not when it is a source port value.
>
> From IETF RFC 768:
>
> Source Port is an optional field, when meaningful, it indicates the
> port of the sending process, and may be assumed to be the
> port to which a
> reply should be addressed in the absence of any other
> information. If
> not used, a value of zero is inserted.
>
> In my experience, I seem to only recall seeing source port zero used in
> some IP multicast app a long time, I think most apps just set a
> non-zero value even if they don't expect a response.
>
> Here is a template I have been using at our borders if it helps any:
>
> <https://github.com/jtkristoff/junos/blob/master/firewall.conf>
>
> There is very little I can throw away outright, but you'll see the
> bogon prefixes I use. There are some bogus bit combinations that should
> be safe to drop for many environments (e.g. deprecated ICMP types and
> internetwork IGMP), but there may be corner cases for some networks
> where these might be desirable.
>
> John
>
>
>
> --
> ===============================================
> David Farmer
> Email:
>
> <mailto:Email%>
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================
- [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Brad Fleming, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Michael H Lambert, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, gcbrowni, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, gcbrowni, 01/08/2019
- Message not available
- Re: [Security-WG] Security group highlights - December 2018, John Kristoff, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/08/2019
- RE: [Security-WG] Security group highlights - December 2018, Spurling, Shannon, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, Jesse Bowling, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, gcbrowni, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Michael H Lambert, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Brad Fleming, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/08/2019
Archive powered by MHonArc 2.6.19.