Educause Security Discussion mailing list archives
Re: Internet ingress port-blocking
From: John Kristoff <jtk () DEPAUL EDU>
Date: Thu, 17 Aug 2017 13:12:14 -0500
On Thu, 17 Aug 2017 17:45:43 +0000 Brian Helman <bhelman () SALEMSTATE EDU> wrote:
Yeah, I guess I wasn't clear. People are answering the wrong question. I know how to secure the network. I'm asking about generic blocking of traffic that either never needs to come in or should be considered suspicious because of its wide use for DDoS, independent of what services I provide.
In some environments, or at least at some very large aggregation points, few if any ports are suitable for blocking. You might block TCP from using port 123, but it poses relatively little threat in practice since NTP doesn't even listen on TCP. Do you block it because it is de facto only used for NTP? Maybe, but if you took the same stance with blocking UDP over port 80 because ./udp.pl just happened to use that port, you're also not preventing all that legitimate Google QUIC stuff from working now.

You should be safe dropping anything with a bogon source address. A bogon is something you should never expect to see in a source address, such as 255.255.255.255 or ::. Team Cymru provides a BGP-based peering service to help with this. Also a destination address, if you care about traffic in the other direction. Beware of statically or manually maintaining these sorts of things.

If you support inter-domain IP multicast there is a whole slew of things you might consider dropping. Any TCP using 224/4, for instance, is probably an obvious, relatively uncontroversial one.

Almost all UDP/TCP ports have some legitimate usage given enough time, thanks to NAPT boxes and people running services over odd ports from time to time. People usually say things like "been blocking X here for X amount of time and no complaints so far!" as if that is proof that legitimate traffic isn't being dropped. Apps and people work around problems much of the time, eventually. Any legit traffic you stop might be minuscule, but the threat may be also.

Ultimately, whatever you do, know what is normal so you'll know what is abnormal. So measure and monitor.

John
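The filtering policy John describes (drop bogon sources, drop TCP aimed at 224/4, otherwise allow and measure) as an added, self-contained example; this is illustration code written for this archive page, not anything from the list or from Team Cymru. The bogon prefix list and the packet headers are constructed here; a real deployment would take the bogon list from a maintained feed rather than a static table.

```python
import ipaddress
from collections import Counter

# Constructed bogon source prefixes (well-known reserved ranges). In
# production this list should come from a maintained feed, not be kept
# by hand, as the post warns.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
    "255.255.255.255/32", "::/128", "fc00::/7", "fe80::/10",
)]
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")

def classify(src, dst, proto, dport):
    """Return (verdict, reason) for one ingress packet header.

    The short rule set mirrors the post: drop bogon sources, drop TCP
    aimed at 224/4, and otherwise allow, since almost any port has some
    legitimate use (QUIC on UDP/80; TCP/123 is harmless to NTP).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # ipaddress returns False for a v4 address tested against a v6 net.
    if any(s in net for net in BOGON_SOURCES):
        return "drop", "bogon source"
    if proto == "tcp" and d.version == 4 and d in MULTICAST_V4:
        return "drop", "tcp to multicast"
    return "allow", "no static rule; rely on monitoring"

def filter_and_tally(packets):
    """Apply classify() and tally allowed (proto, dport) pairs so the
    baseline of what is 'normal' is measured rather than guessed."""
    verdicts, tally = [], Counter()
    for src, dst, proto, dport in packets:
        v, why = classify(src, dst, proto, dport)
        verdicts.append((src, dst, proto, dport, v, why))
        if v == "allow":
            tally[(proto, dport)] += 1
    return verdicts, tally

# Constructed sample headers: (src, dst, proto, dport).
SAMPLE = [
    ("255.255.255.255", "203.0.113.10", "udp", 123),  # bogon source
    ("::", "2001:db8::10", "tcp", 443),               # bogon source
    ("198.51.100.7", "224.0.1.1", "tcp", 80),         # tcp to 224/4
    ("198.51.100.7", "203.0.113.10", "udp", 80),      # QUIC-like, allowed
    ("198.51.100.9", "203.0.113.10", "tcp", 123),     # harmless, allowed
    ("198.51.100.9", "203.0.113.10", "udp", 80),
]

if __name__ == "__main__":
    for row in filter_and_tally(SAMPLE)[0]:
        print(row)
```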