Blocking packets from suspicious ports

Mon, 02 May 2022 13:29:56 -0700

Services based on UDP have to be worried about two variants of DDOS attacks: being an unwitting amplifier of a DDOS attack, and being on the receiving end of a DDOS attack. The first concern is addressed in the spec, with amplification limits and the Retry packet. The second concern is often mitigated by silently discarding traffic from ports often used in amplification of UDP DDOS attacks, e.g., DNS, or NTP. After reviewing discussions like https://lists.w3.org/Archives/Public/ietf-http-wg/2021JulSep/0053.html I implemented this port blocking feature in Picoquic, but I have a couple of uneasy feelings when doing that.
The list of ports appear a tiny bit arbitrary. It mostly derives from reports on recent DDOS attacks, some of which are publicly available (e.g., https://blog.cloudflare.com/reflections-on-reflections/) while others appear to be propagated through private channels. The resulting lists may be a bit arbitrary. For example, some lists include port 11211 (memcache daemon), but Cloudflare does not, maybe because we don't see much attacks on that port anymore. Many lists include blocking of port 137 (NetBios name service), but only a few include port 138 (NetBios datagram service). 


If I dig a little bit further, I think that differences in the blocked 
lists come from different priorities. We may want to protect QUIC 
servers from amplified UDP DDOS attacks, but we may also want to protect 
local services from Request Forgery Attacks. In the second case, the 
list of blocked ports gets bigger. But that too is arbitrary. For 
example, some lists include port 5353 (mDNS) and port 1900 (SSDP), but 
it seems that nobody bothers with port 5354 (LLMNR) or port 3702 
(WS-Discovery).



Then, there is the way in which blocking is applied. One could just do 
it for all incoming packets, silently dropping whatever comes from a 
blocked port. Clean, simple, but some per packet overhead. Is it enough 
to apply the checks when receiving Initial packets and deciding whether 
to create a connection or not? What about packets that would trigger a 
VN response, or a stateless retry? What about probes for new paths?


-- Christian Huitema























					Reply via email to