On Tue, 25 Aug 2020, Douglas Fischer wrote:
I think that the subject of the e-mail is very self-explanatory.
With some analysis of what is running over our network, ISP or ITP, we will be
able to see some TCP/UDP (mostly UDP) packets with source or destination to port 0.
I can think of a genuine use of it.
(Maybe someone could help me see what I'm not seeing.)
So I have two questions:
a) Should an ISP block that kind of traffic?
(like anti-spoofing on BNG/B-RAS)
b) Should a Transit Provider block that kind of traffic?
When an application sends more data via UDP than can be fit in a single
packet, only the first packet has a UDP header [where the port info is
stored]. The rest of the fragments have no UDP header, which most things
will report as UDP src/dst port = 0. That traffic may be totally
legitimate, so I would say, as an ISP/Transit Provider, you probably
wouldn't want to just block all UDP port 0 traffic.
For each link in your network where you have the ability, you might
profile and then police UDP traffic, especially the ports commonly seen in
reflection DDoS attacks (and port 0).
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
StackPath, Sr. Neteng | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
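
The distinction drawn in the reply above, between non-initial fragments that merely get reported as port 0 and packets whose UDP header really carries port 0, as an added example that is not part of the original thread. The function names, labels, addresses and port numbers are assumptions made up for illustration, and the packets are constructed inline.

```python
import struct

UDP = 17  # IPv4 protocol number for UDP

def ipv4_packet(offset_bytes, more_fragments, payload):
    """Constructed IPv4 packet carrying UDP (documentation addresses, checksum 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, UDP, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

def sample_fragments(sport=40000, dport=5004, data_len=3000, chunk=1480):
    """Split one constructed UDP datagram the way a 1500-byte MTU link would."""
    datagram = struct.pack("!HHHH", sport, dport, 8 + data_len, 0) + bytes(data_len)
    return [ipv4_packet(off, off + chunk < len(datagram), datagram[off:off + chunk])
            for off in range(0, len(datagram), chunk)]

def classify(packet):
    """Return (label, sport, dport); ports are None when no UDP header is present."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return ("not-ipv4", None, None)
    if packet[9] != UDP:
        return ("not-udp", None, None)
    ihl = (packet[0] & 0x0F) * 4
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    if flags_frag & 0x1FFF:  # fragment offset > 0: payload continues, no UDP header
        return ("non-initial-fragment", None, None)
    if len(packet) < ihl + 8:
        return ("truncated", None, None)
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if sport == 0 or dport == 0:  # the UDP header itself says port 0
        return ("literal-port-0", sport, dport)
    label = "first-fragment" if flags_frag & 0x2000 else "unfragmented"
    return (label, sport, dport)

if __name__ == "__main__":
    for pkt in sample_fragments():
        print(classify(pkt))
    print(classify(sample_fragments(sport=12345, dport=0, data_len=32)[0]))
```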