Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Security group highlights - December 2018

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Security group highlights - December 2018


Chronological Thread 
  • From: Jesse Bowling <>
  • To: "" <>
  • Cc: gcbrowni <>
  • Subject: Re: [Security-WG] Security group highlights - December 2018
  • Date: Tue, 8 Jan 2019 21:46:27 +0000
  • Accept-language: en-US
  • Authentication-results: mail-gw.oit.duke.edu; spf=none ; dmarc=none
  • Ironport-phdr: 9a23:OEvNZxAExUbmzVfnAD+HUyQJP3N1i/DPJgcQr6AfoPdwSPTzpcbcNUDSrc9gkEXOFd2Cra4c26yO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhzexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Xymp4aV2Rx/ykCoJNyA3/nzLisJ+j6xbrhCuqRt+w4HIb46YL/V+cr/Yfd4ARWpNQsRcWipcCY28dYsPCO8BMP5coYbjvFsOtgWxDhSxCePoxD5Ign723as10+88FgzG3hIvH8kVsHvKttn6L6ASUO6xzKnJyzXDYOhb1irg6IjLbB8tu++DUq9tccfIz0QkCg3LjlKVqYP/PjOV0PwAs2ea7+p8VeKvlnUopxttrTiow8chjJTCiIENyl3c6Cl0wJg5Kce2RUJhfNKpE59duzuEO4Z4Rs4uW3xktSYkxrEct5O3ZiYHxZs9yxPfZPGLa4aI7QzgWeqNJDp1gXFodbG9ihux9EWgxO/xW8ap31tPridInNjBuW4I2hHc9MeIVuFy80G80jiVzQ/T8PtLIUUsmKrbNZEhxrkwm4IWsUvZHy/2nFz6jKCYd0k95+Sl5f7rYrLnpp+ALYN7lxz+MqcwlcClH+s3LxUOU3Ca+eS6yrLj4VX0TKhKg/EoiKXUvorWKdkYq6O9GQNZzIgu5hKnAzejytsYnH0HLFxfeBKAiojkI1POL+7jDfeknVugiixkx/fIP73lA5XNKHfDnaz8crZg6E5T1hA/ws5C6JJJEr0BOu78WlfttNzECR80Kxe0zPj7B9VgzIMeWH6PA6+APKLcvl+F/eYvI+iXZI8JozbxNeIp5//ojX8lh1AdZ6+p0oULaHymBPhpPViWYWe/yusGRC0RswEjVu32mRidXhZSYWq/RaQx+mt9BY67R8+XXY2mnaaAwDb+AZJ+Z2ZaB0qKHGuyMYiIRqFfRjiVJ5pDnycfWPCLTJAl1Beh/Fv4xqF8I6ze/TIctJTs/NRo5OCVmB0vo28nR/+B2n2AGjkn1lgDQCU7ifgl+x5010uD3K5kgvdRCd1U4bZTXxwnMYLHn7coDtnzXkfOYZGOSUrgTsilDHc8Qs9ipr1veF5zTtOliB2LxC+2G/kQnr2PCoYz9/fe0mPqKoB3zGnC1a8up1U7QcYJOGG71csdlgTWDpTCxkOekaun
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99
This prompted me to look into my own network for “port 0” traffic. I found
quite a bit that Argus labeled as “port 0”, particularly from one host. In
the end, this host was running an open DNS resolver configuration, and was
being lightly abused as part of a reflected DDOS.

Interesting things of note for me: the use of requests for usadf.gov to get
their multiplier, the fact that the software chose to fragment the reply even
though (I thought) typical process would be to force use of TCP since the
answer wouldn’t fit in a standard sized packet (although this option seen in
the attacks gives a clue: OPT UDPsize=9000).

Another interesting note was how argus and tcpdump treated the traffic…Argus
accepts the filter “port 0” and reports on the flows with fragments. TCPdump
does NOT seem to treat the fragmented UDP traffic as “port 0” which is
interesting (and likely just as correct, if a bit misleading to the admin I
asked to check for port 0 traffic initially).

Thank you all for this discussion! I love this idea around the 1918 space, as
well as the other reserved space. I suspect that the additional reserved
space has some holes (in terms of local ACL’s allowing in/out traffic) and a
“one pager” on these addresses, how to check for valid/invalid traffic using
them locally, etc. might be well received.

Cheers,

Jesse

> On Jan 8, 2019, at 11:08 AM, Spurling, Shannon
> <>
> wrote:
>
> We have run into many fragmentation scenarios for VoIP and Micro Cell
> setups, where port 0 traffic is part of the fragments being detected by
> access list and Netflow. Most of those use UDP as transport.
>
> Shannon Spurling
>
>
>
> From:
>
>
> <>
> On Behalf Of David Farmer
> Sent: Tuesday, January 8, 2019 10:02 AM
> To:
>
> Cc: gcbrowni
> <>
> Subject: Re: [Security-WG] Security group highlights - December 2018
>
> Also, I think packet fragments, other than the first fragment, are recorded
> as port 0 in NetFlow data since there is no TCP or UDP header in subsequent
> fragments.
>
> On Tue, Jan 8, 2019 at 9:10 AM John Kristoff
> <>
> wrote:
> On Tue, 8 Jan 2019 14:09:34 +0000
> gcbrowni
> <>
> wrote:
>
> > Not to pile on too much, but we’re even being UDP port 0 attacks in
> > the analysis we’re doing in Deepfield Defender. Much like 1918, etc,
> > UDP port 0 is something that we should never see since its invalid.
>
> It might usually be, but strictly speaking this is not necessarily so,
> at least not when it is a source port value.
>
> From IETF RFC 768:
>
> Source Port is an optional field, when meaningful, it indicates the
> port of the sending process, and may be assumed to be the port to
> which a
> reply should be addressed in the absence of any other information. If
> not used, a value of zero is inserted.
>
> In my experience, I seem to only recall seeing source port zero used in
> some IP multicast app a long time, I think most apps just set a
> non-zero value even if they don't expect a response.
>
> Here is a template I have been using at our borders if it helps any:
>
> <https://github.com/jtkristoff/junos/blob/master/firewall.conf>
>
> There is very little I can throw away outright, but you'll see the
> bogon prefixes I use. There are some bogus bit combinations that should
> be safe to drop for many environments (e.g. deprecated ICMP types and
> internetwork IGMP), but there may be corner cases for some networks
> where these might be desirable.
>
> John
>
>
> --
> ===============================================
> David Farmer
> Email:
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================

--
Jesse Bowling
ITSO::Security Architect & CSIRT Program Manager
jesse.bowling[AT]duke.edu::919-660-1073
334 Blackwell St::Durham, NC::27701

Attachment: smime.p7s
Description: S/MIME cryptographic signature


Archive powered by MHonArc 2.6.19.

Top of Page