Re: UDP source ports for HTTP/3 and QUIC

On Wed, Jul 14, 2021 at 8:21 PM Mark Nottingham <mnot@mnot.net> wrote:

> [ bringing this up on both lists because it's not yet clear what the right
> scope is ]
>
> It's not uncommon for servers to block certain UDP source ports to avoid
> being overwhelmed by certain reflection attacks. In particular:
>
> * 53 - DNS
> * 123 - NTP
> * 1900 - SSDP
> * 5353 - mDNS
> * 11211 - memcached
>
> ... among other candidates.
>
> See, eg., <https://blog.cloudflare.com/reflections-on-reflections/>. This
> isn't done to avoid protocol vulnerabilities as such -- it's to avoid
> volumetric attacks (usually DDoS).
>
>

Closely related, the Fetch spec's "bad port" list is fairly TCP-specific and could likely use additions for some of these. I opened https://github.com/whatwg/fetch/issues/1268 to track that.

    Erik

Received on Thursday, 15 July 2021 23:25:24 UTC
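Added example (not code from this thread, from Mark's or Erik's messages, nor from any particular QUIC implementation): a pre-handshake datagram filter showing the two cheapest drops a QUIC/HTTP/3 server can make before doing any cryptographic work. The first is the source-port policy the quoted message describes: discard inbound UDP whose source port is one of the well-known reflection services, because no legitimate QUIC client sends from those ports. The second goes a little beyond the thread and uses QUIC's own anti-amplification rule: a server must discard a v1 Initial packet carried in a UDP datagram smaller than 1200 bytes (RFC 9000, section 14.1), which denies an attacker the small-in, large-out exchange a reflector needs. The port set, the Verdict names and the sample datagrams are constructed for the example; the Initial-looking payloads are only padded headers, not real handshakes.

```python
"""Pre-handshake UDP datagram filter for a QUIC/HTTP/3 server (added example)."""
from collections import Counter
from enum import Enum

# UDP source ports named in the thread as common reflection sources.
# Constructed policy for the example; a real deployment tunes this list.
REFLECTION_SOURCE_PORTS = frozenset({53, 123, 1900, 5353, 11211})

MIN_INITIAL_DATAGRAM = 1200      # RFC 9000 s14.1: smaller Initials are dropped
QUIC_V1 = 0x00000001
LONG_HEADER_BIT = 0x80           # bit 7 of the first byte: long header form
LONG_TYPE_MASK = 0x30            # bits 4-5: long packet type (v1)
LONG_TYPE_INITIAL = 0x00         # RFC 9000 s17.2: Initial = 0x0


class Verdict(Enum):
    ACCEPT = "accept"                                   # hand to the QUIC stack
    DROP_REFLECTION_PORT = "drop:reflection-source-port"
    DROP_SHORT_INITIAL = "drop:short-initial"
    DROP_MALFORMED = "drop:malformed"


def is_v1_initial(payload: bytes) -> bool:
    """True if the datagram starts with a QUIC v1 long header of type Initial."""
    if len(payload) < 5:
        return False
    first = payload[0]
    if not first & LONG_HEADER_BIT:
        return False                      # short header: 1-RTT packet, not an Initial
    version = int.from_bytes(payload[1:5], "big")
    return version == QUIC_V1 and (first & LONG_TYPE_MASK) == LONG_TYPE_INITIAL


def classify(src_port: int, payload: bytes) -> Verdict:
    """Decide what to do with one datagram, cheapest check first."""
    if src_port in REFLECTION_SOURCE_PORTS:
        return Verdict.DROP_REFLECTION_PORT       # reflector-shaped source, no crypto spent
    if len(payload) == 0:
        return Verdict.DROP_MALFORMED
    if is_v1_initial(payload) and len(payload) < MIN_INITIAL_DATAGRAM:
        return Verdict.DROP_SHORT_INITIAL         # client did not pad; would invite amplification
    return Verdict.ACCEPT


def filter_batch(datagrams):
    """Run classify() over (src_ip, src_port, payload) tuples.

    Returns the accepted (src_ip, src_port) pairs and a Counter of verdicts,
    which is what you would export as a drop-reason metric.
    """
    accepted, counts = [], Counter()
    for src_ip, src_port, payload in datagrams:
        verdict = classify(src_port, payload)
        counts[verdict] += 1
        if verdict == Verdict.ACCEPT:
            accepted.append((src_ip, src_port))
    return accepted, counts


def make_initial(total_len: int) -> bytes:
    """Constructed Initial-looking datagram: long header + v1 version, zero-padded."""
    header = bytes([0xC0]) + QUIC_V1.to_bytes(4, "big")   # 0xC0: long form, fixed bit, type 0
    return header + b"\x00" * (total_len - len(header))


# Constructed sample traffic (documentation addresses, not captured data).
SAMPLE_DATAGRAMS = [
    ("198.51.100.7", 51234, make_initial(1200)),          # normal client, ephemeral port
    ("203.0.113.9", 53, make_initial(1200)),              # spoofed: looks like a DNS server
    ("203.0.113.9", 123, make_initial(1200)),             # spoofed: looks like an NTP server
    ("198.51.100.8", 44321, make_initial(600)),           # undersized Initial
    ("198.51.100.9", 44322, b"\x40" + b"\x00" * 40),      # short header, left to the QUIC stack
    ("198.51.100.10", 44323, b""),                        # empty datagram
]

if __name__ == "__main__":
    accepted, counts = filter_batch(SAMPLE_DATAGRAMS)
    for verdict, n in counts.items():
        print(f"{verdict.value:<30} {n}")
    print("accepted:", accepted)
```

The source-port check is usually cheapest at the edge (a firewall rule on the QUIC listener's port), and the same list is what Erik is asking to have mirrored on the client side in Fetch's bad-port list; the Initial-size check has to live in the server because it needs the first byte and version of the QUIC header. Note that a source-port deny list is a heuristic: it costs nothing on a well-behaved client but will drop the rare client that binds its QUIC socket to one of those ports.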