[j-nsp] Block port 0 traffic
Wei Keong
2004-10-13 11:54:06 UTC
Hi,

We observe quite a bit of traffic surge, from src port 0 to dst port 0.
We tried to use the filter below, but the traffic is still able to pass
through. Has anyone seen the same attack lately? Is there a bug in Junos
5.6?

term deny-port-zero {
    from {
        protocol [ tcp udp ];
        source-port 0;
        destination-port 0;
    }
    then {
        count deny-port-zero;
        sample;
        discard;
    }
}

Thanks,
Wei Keong
Richard A Steenbergen
2004-10-13 17:32:38 UTC
Post by Wei Keong
Hi,
We observe quite a bit of traffic surge, from src port 0 to dst port 0.
We tried to use the filter below, but the traffic is still able to pass
through. Has anyone seen the same attack lately? Is there a bug in Junos
5.6?
term deny-port-zero {
    from {
        protocol [ tcp udp ];
        source-port 0;
        destination-port 0;
    }
    then {
        count deny-port-zero;
        sample;
        discard;
    }
}
You aren't actually seeing port 0 traffic, you're seeing fragmented IP
packets without a L4 header, which show up as src/dst port 0 in "show
firewall log" and such. Common question, it might be helpful to put some
indicator so users can tell the difference.
--
Richard A Steenbergen <***@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Richard A Steenbergen
2004-10-13 20:04:20 UTC
Post by Richard A Steenbergen
You aren't actually seeing port 0 traffic, you're seeing fragmented IP
packets without a L4 header, which show up as src/dst port 0 in "show
firewall log" and such. Common question, it might be helpful to put some
indicator so users can tell the difference.
This can be a bit of a problem if you are filtering based on layer-4
port. Apparently Junipers match the bit offsets for layer-4 ports
against IP fragments -- so, if you are blocking a given port you can
blow away portions of legitimate fragmented IP packets, if the data
in the packet happens to match whatever port you are blocking.
The way around this is to allow frags that are not the first frag
through before your port blocks.
IIRC the documentation states that layer 4 information like ports are
matched against by offset without checking for protocol, thus you are
encouraged to remember to include "from protocol [ tcp udp ]" and/or
is-fragment in your firewall terms.

The not so well known corollary is that ports will show up as 0 on a
non-initial fragment, with no other indication to the confused end user
that this is a fragment vs a packet with ports 0 configured (other than
the mysterious non-matching filter of course :P).
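The mismatch Richard describes, as an added example that is not code from the thread or from Juniper: a small Python model that only reads TCP/UDP ports from a packet whose fragment offset is 0, next to a naive match that compares the bytes at the port offsets regardless of fragmentation. The packets, addresses and port values are constructed for the demonstration; a real non-initial fragment can carry any bytes at those offsets.

```python
# Added example: fragment-aware port parsing versus naive offset matching.
import struct
TCP, UDP = 6, 17

def parse_ipv4(pkt):
    """Decode the IPv4 header; ports stay None unless a transport header is present."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    flags_frag, proto = fields[4], fields[6]
    more = bool(flags_frag & 0x2000)        # MF flag
    offset = flags_frag & 0x1FFF            # fragment offset in 8-byte units
    info = {"proto": proto, "offset": offset, "more_frags": more,
            "is_fragment": more or offset != 0, "sport": None, "dport": None}
    l4 = pkt[ihl:]
    if offset == 0 and proto in (TCP, UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

def naive_port_match(pkt, port):
    """Compare the bytes at the port offsets without looking at the fragment offset."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def fragment_aware_match(pkt, port):
    """A non-initial fragment carries no ports, so a port term must not match it."""
    info = parse_ipv4(pkt)
    return info["sport"] is not None and port in (info["sport"], info["dport"])

def describe(pkt):
    info = parse_ipv4(pkt)
    if info["offset"] != 0:
        return "non-initial fragment: no L4 header, ports unknown (logged as 0)"
    return f"sport={info['sport']} dport={info['dport']}"

def build(proto, flags_frag, payload):
    """Minimal IPv4 packet, constructed addresses 10.0.0.1 -> 10.0.0.2, no checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: RFC 768 datagram with source port 0; a non-initial UDP
# fragment (offset 185) starting with zero bytes; one whose first bytes look like port 53.
LEGIT_SRC_PORT0 = build(UDP, 0x0000, struct.pack("!HHHH", 0, 4000, 8, 0))
FRAG_ZERO_BYTES = build(UDP, 0x00B9, bytes(8))
FRAG_LOOKS_LIKE_53 = build(UDP, 0x00B9, b"\x00\x35\xde\xad\xbe\xef")

if __name__ == "__main__":
    for name, p in [("legit", LEGIT_SRC_PORT0), ("frag0", FRAG_ZERO_BYTES), ("frag53", FRAG_LOOKS_LIKE_53)]:
        print(name, describe(p), "| port-53 term naive:", naive_port_match(p, 53), "aware:", fragment_aware_match(p, 53))
```

The zero-byte fragment is what a counter or flow export reports as src/dst port 0, while the second fragment shows how a port-53 block applied by offset alone would discard a legitimate fragment of something else.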
Wei Keong
2004-10-15 02:39:07 UTC
Hi Richard,

Actually we found this in cflow. Src port 0, Dst port 0, protocol udp.
With the filter below, there are matches, but we still see the same traffic
in cflow. Is this the fragmented packet?

Thanks,
Wei Keong
Post by Richard A Steenbergen
Post by Wei Keong
Hi,
We observe quite a bit of traffic surge, from src port 0 to dst port 0.
We tried to use the filter below, but the traffic is still able to pass
through. Has anyone seen the same attack lately? Is there a bug in Junos
5.6?
term deny-port-zero {
    from {
        protocol [ tcp udp ];
        source-port 0;
        destination-port 0;
    }
    then {
        count deny-port-zero;
        sample;
        discard;
    }
}
You aren't actually seeing port 0 traffic, you're seeing fragmented IP
packets without a L4 header, which show up as src/dst port 0 in "show
firewall log" and such. Common question, it might be helpful to put some
indicator so users can tell the difference.
Randy Bush
2004-10-15 03:28:54 UTC
Post by Wei Keong
term deny-port-zero {
    from {
        protocol [ tcp udp ];
        source-port 0;
        destination-port 0;
    }
    then {
        count deny-port-zero;
        sample;
        discard;
    }
}
my read of the manual sez that this will only match packets
with BOTH dest and source ports of 0.

i think you need two separate terms.

randy
Brian W. Gemberling
2004-10-15 03:41:54 UTC
You can use the from

port 0;

that should match either or, or both.
Post by Randy Bush
Post by Wei Keong
term deny-port-zero {
    from {
        protocol [ tcp udp ];
        source-port 0;
        destination-port 0;
    }
    then {
        count deny-port-zero;
        sample;
        discard;
    }
}
my read of the manual sez that this will only match packets
with BOTH dest and source ports of 0.
i think you need two separate terms.
randy
Randy Bush
2004-10-15 03:46:43 UTC
Post by Brian W. Gemberling
You can use the from
port 0;
that should match either or, or both.
<doh!> learn a new one every day. thanks.

randy
John Kristoff
2004-10-22 17:10:38 UTC
On Thu, 14 Oct 2004 22:43:34 -0400 (EDT)
Post by Brian W. Gemberling
You can use the from
port 0;
that should match either or, or both.
While others have mentioned fragments, please note that UDP messages
with source port equal to zero are normal and common. Many UDP-based
apps will set their source port to zero when they do not expect a reply
from the receiver. From RFC 768:

Source Port is an optional field, when meaningful, it indicates the port
of the sending process, and may be assumed to be the port to which a
reply should be addressed in the absence of any other information. If
not used, a value of zero is inserted.

John
