nanog mailing list archives

Re: TCP and UDP Port 0 - Should an ISP or ITP Block it?


From: Jon Lewis <jlewis () lewis org>
Date: Tue, 25 Aug 2020 08:13:59 -0400 (EDT)

On Tue, 25 Aug 2020, Douglas Fischer wrote:

> I think that the subject of the e-mail is very self-explanatory.
>
> With some analysis of what is running over our network, ISP or ITP, we will be able to see some TCP/UDP (mostly UDP) packets with source or destination to port 0.
>
> I can think of a genuine use of it.
> (Maybe someone could help me see what I'm not seeing.)
>
> So I have two questions:
>
> a) Should an ISP block that kind of traffic?
> (like anti-spoofing on BNG/B-RAS)
>
> b) Should a Transit Provider block that kind of traffic?

When an application sends more data via UDP than can be fit in a single packet, only the first packet has a UDP header [where the port info is stored]. The rest of the fragments have no UDP header, which most things will report as UDP src/dst port = 0. That traffic may be totally legitimate, so I would say, as an ISP/Transit Provider, you probably wouldn't want to just block all UDP port 0 traffic.

For each link in your network where you have the ability, you might profile and then police UDP traffic, especially the ports commonly seen in reflection DDoS attacks (and port 0).

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 StackPath, Sr. Neteng       |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
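
An added example, not part of the original message: a small classifier that separates non-first UDP fragments (which carry no UDP header and are often reported as port 0) from packets whose UDP header really says port 0. The packets, addresses, ports and the function names `ipv4_header`, `classify` and `sample_packets` are constructed for illustration.

```python
import struct

UDP = 17  # IPv4 protocol number for UDP

def ipv4_header(payload_len, ident=0x1234, mf=False, frag_off_bytes=0):
    """Build a minimal 20-byte IPv4/UDP header (constructed data, checksum left 0)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, UDP, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def classify(packet):
    """Return (label, sport, dport); ports are None when no UDP header is present."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("not-ipv4", None, None)
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, = struct.unpack_from("!H", packet, 6)
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset in bytes
    more = bool(flags_frag & 0x2000)        # More Fragments flag
    if packet[9] != UDP:
        return ("not-udp", None, None)
    if offset > 0:
        # Payload starts mid-datagram: these bytes are application data, not ports.
        return ("udp-fragment-no-header", None, None)
    if len(packet) < ihl + 8:
        return ("truncated", None, None)
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    if sport == 0 or dport == 0:
        return ("udp-literal-port-0", sport, dport)
    return ("udp-first-fragment" if more else "udp", sport, dport)

def sample_packets():
    """Constructed sample: one 3000-byte UDP datagram cut at 1480 bytes, plus a real port-0 packet."""
    udp = struct.pack("!HHHH", 40000, 5000, 3000, 0) + bytes(3000 - 8)
    pkts = []
    for off in range(0, len(udp), 1480):
        chunk = udp[off:off + 1480]
        pkts.append(ipv4_header(len(chunk), mf=off + 1480 < len(udp),
                                frag_off_bytes=off) + chunk)
    pkts.append(ipv4_header(8, ident=0x9999) + struct.pack("!HHHH", 0, 0, 8, 0))
    return pkts

if __name__ == "__main__":
    for p in sample_packets():
        print(classify(p))
```

Only the last sample packet has port 0 in an actual UDP header; the two trailing fragments have no port information at all, so a filter or policer keyed on "port 0" should check the IP fragment offset first.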

