> On 25 Aug 2020, at 14:27, K. Scott Helms <kscott.he...@gmail.com> wrote:
>
> Job,
>
> Comcast is blocking it. From the table on that page.
>
> "Port 0 is a reserved port, which means it should not be used by
> applications. Network abuse has prompted the need to block this port."
>
> "What about UDP IP fragmentation?"
>
> I'm not sure I follow this. The IP packet will be fragmented with UDP
> inside it. When the IP packet gets put together the UDP PDU will have
> a port number. It's possible that some packet analyzers or network
> gear will improperly "see" a partial UDP flow as port 0 but that's a
> mischaracterization of the flow.
a. some systems show UDP fragments as UDP port 0. So if the filter also handles
fragments as UDP port 0, then you have a problem
b. if you don’t reassemble UDP fragments and filter on port number, like 11212
(memcache) or 389 (ldap), then fragments will be forwarded and still be a
problem
I think in general you can say that problems with UDP port 0 are in fact
fragments. Other opinions on this?
Best regards,
Pim van Stam
>
>
> Scott Helms
>
>
>
> On Tue, Aug 25, 2020 at 8:17 AM Job Snijders <j...@ntt.net> wrote:
>>
>> On Tue, Aug 25, 2020 at 07:27:33AM -0400, K. Scott Helms wrote:
>>> I think a fairly easy thing to do is see what other large retail ISPs
>>> have done. Comcast, as an example, lists all of the ports they block
>>> and 0 is blocked. I do recommend that port 0 be blocked by all of the
>>> ISPs I work with and frankly Comcast's list is a pretty good one to
>>> use in general, though you will get some pushback on things like SMTP.
>>>
>>> https://www.xfinity.com/support/articles/list-of-blocked-ports
>>
>> I may be reading the table incorrectly, but it seems to me Comcast is
>> *not* blocking UDP port 0 according to the above URL?
>>
>>> Transit providers are a little bit different, but then again port 0 is
>>> also different since AFAIK it's never had a legitimate use case. It's
>>> always been a reserved port. I'd personally block it if I ran a
>>> transit, but I'd be more willing to open it up for one of my large
>>> customers (in a limited way) than I would on the retail side.
>>>
>>> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
>>
>> What about UDP IP fragmentation?
>>
>> Kind regards,
>>
>> Job
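As an added example, not part of this thread, the following Python script builds one UDP datagram to port 389 split into two IPv4 fragments and shows the two effects described above: a filter that keys on the port number without reassembly reads the second fragment as "port 0" and lets it past a port-389 rule, while a filter that remembers the port from the first fragment catches both. The packets, addresses and identification value are constructed, and the reassembly state is keyed on the IP identification field only for brevity.

```python
import struct

# Constructed sample (not a real capture): one UDP datagram to port 389 (LDAP)
# split into two IPv4 fragments. Only the first fragment carries the 8-byte UDP
# header; the second carries payload bytes only, so no port can be read from it.

def ipv4_fragment(ident, offset_units, more_fragments, payload):
    """Minimal IPv4 header (no options, checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, 17, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2])) + payload

def parse(pkt):
    """Return (ident, fragment offset in bytes, dst port or None if absent)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    offset = (flags_frag & 0x1FFF) * 8
    dport = None
    if pkt[9] == 17 and offset == 0 and len(pkt) >= ihl + 8:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return ident, offset, dport

def naive_port(pkt):
    """Per-packet view with no reassembly: a missing UDP header reads as port 0."""
    return parse(pkt)[2] or 0

def naive_blocks(pkt, blocked_ports):
    """Stateless port ACL: matches only packets that actually carry a UDP header."""
    return naive_port(pkt) in blocked_ports

class ReassemblingFilter:
    """Later fragments inherit the port seen in the first fragment of the same
    datagram (simplified: keyed on IP identification only, real devices also
    key on addresses and protocol)."""
    def __init__(self, blocked_ports):
        self.blocked, self.port_by_ident = set(blocked_ports), {}
    def blocks(self, pkt):
        ident, offset, dport = parse(pkt)
        if offset == 0:
            self.port_by_ident[ident] = dport
        return self.port_by_ident.get(ident) in self.blocked

DATA = b"\x30" * 1572                        # constructed 1572-byte UDP payload
UDP = struct.pack("!HHHH", 40000, 389, 8 + len(DATA), 0) + DATA  # 1580 bytes
FRAG1 = ipv4_fragment(0x1234, 0, True, UDP[:1480])     # carries the UDP header
FRAG2 = ipv4_fragment(0x1234, 185, False, UDP[1480:])  # 1480/8 = 185, data only

if __name__ == "__main__":
    print("per-packet port:", [naive_port(FRAG1), naive_port(FRAG2)])       # [389, 0]
    print("port-389 ACL, stateless:", [naive_blocks(f, {389}) for f in (FRAG1, FRAG2)])
    print("port-0 ACL, stateless:", [naive_blocks(f, {0}) for f in (FRAG1, FRAG2)])
    flt = ReassemblingFilter({389})
    print("port-389 ACL, reassembling:", [flt.blocks(f) for f in (FRAG1, FRAG2)])
```

The stateless port-0 rule matches the second fragment but not the first, which is the "fragments look like port 0" effect; only the reassembling filter blocks the whole datagram on port 389.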