
netsec-sig - RE: [Security-WG] Security group highlights - December 2018

Subject: Internet2 Network Security SIG


RE: [Security-WG] Security group highlights - December 2018


  • From: "Spurling, Shannon" <>
  • To: "" <>
  • Cc: gcbrowni <>
  • Subject: RE: [Security-WG] Security group highlights - December 2018
  • Date: Tue, 8 Jan 2019 16:08:33 +0000
  • Accept-language: en-US

We have run into many fragmentation scenarios for VoIP and Micro Cell setups, where port 0 traffic is part of the fragments being detected by access list and Netflow. Most of those use UDP as transport.

 

Shannon Spurling

 

 

From: <> On Behalf Of David Farmer
Sent: Tuesday, January 8, 2019 10:02 AM
To:
Cc: gcbrowni <>
Subject: Re: [Security-WG] Security group highlights - December 2018

 

Also, I think packet fragments, other than the first fragment, are recorded as port 0 in NetFlow data since there is no TCP or UDP header in subsequent fragments. 

 

On Tue, Jan 8, 2019 at 9:10 AM John Kristoff <> wrote:

On Tue, 8 Jan 2019 14:09:34 +0000
gcbrowni <> wrote:

> Not to pile on too much, but we’re even seeing UDP port 0 attacks in
> the analysis we’re doing in Deepfield Defender.  Much like 1918, etc.,
> UDP port 0 is something that we should never see since it’s invalid.

It might usually be, but strictly speaking this is not necessarily so,
at least not when it is a source port value.

From IETF RFC 768:

  Source Port is an optional field, when meaningful, it indicates the
  port of the sending process, and may be assumed to be the port to which a
  reply should be addressed in the absence of any other information. If
  not used, a value of zero is inserted.

In my experience, I seem to only recall seeing source port zero used in
some IP multicast app a long time ago; I think most apps just set a
non-zero value even if they don't expect a response.

Here is a template I have been using at our borders if it helps any:

  <https://github.com/jtkristoff/junos/blob/master/firewall.conf>

There is very little I can throw away outright, but you'll see the
bogon prefixes I use.  There are some bogus bit combinations that should
be safe to drop for many environments (e.g. deprecated ICMP types and
internetwork IGMP), but there may be corner cases for some networks
where these might be desirable.

John


 

--

===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
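The following is an added worked example, not code from anyone in this thread, showing the two points made above in running form: a UDP datagram that is fragmented carries its 8-byte UDP header only in the first fragment, so a flow exporter that reads ports from later fragments has nothing to read and records 0/0; and a record with port 0 therefore needs to be sorted into "non-first fragment", "source port 0 as RFC 768 permits" or "destination port 0, never valid" before anyone treats it as an attack. The addresses, ports and payload sizes are constructed, the flow exporter is a simplified model of the behaviour David describes (it is not the logic of any real NetFlow implementation), and the function names are mine.

```python
import ipaddress
import struct
from dataclasses import dataclass


def _checksum(data: bytes) -> int:
    """Ones-complement sum over 16-bit words (RFC 1071), used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ident: int,
                more_fragments: bool, frag_offset: int, payload_len: int) -> bytes:
    """20-byte IPv4 header. frag_offset is in 8-byte units, as on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def fragment_udp(src: str, dst: str, sport: int, dport: int,
                 payload: bytes, mtu: int, ident: int = 0x1234) -> list:
    """Build one UDP datagram and split it into IPv4 fragments that fit `mtu`.
    Only the first fragment carries the UDP header; later ones are bare payload
    with a non-zero fragment offset (RFC 791 fragmentation)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none (IPv4)
    chunk = (mtu - 20) // 8 * 8  # every fragment but the last must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(ipv4_header(src, dst, 17, ident, more, off // 8, len(piece)) + piece)
    return frags


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    frag_offset: int      # 8-byte units, 0 for a first/unfragmented packet
    more_fragments: bool


def export_flow(raw: bytes) -> FlowRecord:
    """Simplified model (assumption, not any vendor's logic) of what a flow exporter
    records per packet: it reads L4 ports only when the fragment offset is zero and
    the protocol is TCP or UDP; otherwise the port fields are written as 0."""
    ver_ihl, _, _, _, ff, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(ff & 0x2000)
    offset = ff & 0x1FFF
    sport = dport = 0
    if offset == 0 and proto in (6, 17) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return FlowRecord(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)),
                      proto, sport, dport, offset, more)


def classify_port_zero(rec: FlowRecord) -> str:
    """Sort a flow record into the port-0 cases the thread distinguishes."""
    if rec.frag_offset > 0:
        return "non-first-fragment"      # no L4 header in the packet; 0/0 is a fragmentation artefact
    if rec.proto not in (6, 17):
        return "no-ports-for-protocol"   # ICMP, IGMP, etc.: port fields carry no meaning
    if rec.dport == 0:
        return "dest-port-zero"          # never a valid destination; worth an alert
    if rec.sport == 0:
        return "source-port-zero"        # legal per RFC 768 ("if not used, a value of zero"), but rare
    return "normal"


def demo() -> list:
    """Constructed RTP-sized datagram (1400 bytes) on a 576-byte MTU path -> 3 fragments."""
    frags = fragment_udp("192.0.2.10", "192.0.2.20", 5004, 5004, bytes(1400), mtu=576)
    return [(r.sport, r.dport, r.frag_offset, classify_port_zero(r)) for r in map(export_flow, frags)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the demo only the first of the three fragments shows 5004/5004; the other two come out as 0/0 purely because of their fragment offset, which is the pattern Shannon reports for VoIP and micro-cell traffic. A practical filter on flow data should therefore key on the fragment-offset field (or the exporter's fragment flag) before treating port 0 as a signal, and treat destination port 0 on an unfragmented packet differently from source port 0, which RFC 768 allows.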



