[j-nsp] Block port 0 traffic

Richard A Steenbergen ras at e-gerbil.net
Wed Oct 13 12:32:29 EDT 2004


On Wed, Oct 13, 2004 at 06:53:19PM +0800, Wei Keong wrote:
> Hi,
> 
> We observe quite a bit of traffic surge, from src port 0 to dst port 0. 
> We tried to use the filter below, but the traffic is still able to pass 
> through. Has anyone seen the same attack lately? Is there a bug in Junos 
> 5.6?
> 
> term deny-port-zero {
>     from {
>         protocol [ tcp udp ];
>         source-port 0;
>         destination-port 0;
>     }
>     then {
>         count deny-port-zero;
>         sample;
>         discard;
>     }
> }

You aren't actually seeing port 0 traffic, you're seeing fragmented IP 
packets without a L4 header, which shows up as src/dst port 0 in "show 
firewall log" and such. Common question, it might be helpful to put some 
indicator so users can tell the difference.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
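The point Richard makes above, as an added illustration that is not part of the thread: only the first fragment of an IPv4 datagram carries the TCP/UDP header, so a non-initial fragment has no ports at all, and a logger that prints 0 for missing ports makes it look like port-0 traffic. The packets below are constructed inline, and `port_term_matches` is a simplified model (an assumption, not Junos code) of a filter term that compares L4 ports: it can only match when an L4 header is actually present.

```python
import socket
import struct

UDP = 17


def ipv4_packet(src, dst, proto, ident, more_fragments, frag_offset_units, payload):
    """Build a minimal IPv4 header (no options) followed by payload.
    Header checksum is left at 0: these packets are only parsed, never sent."""
    flags_frag = (int(more_fragments) << 13) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_header(sport, dport, payload_len):
    """UDP header with a zero checksum (fine for a constructed sample)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def describe(pkt):
    """Parse the IPv4 header and report whether an L4 header (and so ports) exists."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    proto = pkt[9]
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset is in 8-byte units
    more = bool(flags_frag & 0x2000)
    info = {"proto": proto, "frag_offset": frag_offset,
            "more_fragments": more, "is_fragment": more or frag_offset > 0,
            "l4_header": False, "src_port": None, "dst_port": None}
    # Ports are only present in the first fragment (offset 0) of TCP/UDP.
    if proto in (6, UDP) and frag_offset == 0 and len(pkt) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["l4_header"] = True
    return info


def log_line(info):
    """Mimics a logger that prints 0 when no port is available: this is the
    display that makes non-initial fragments look like port-0 traffic."""
    return "proto %d %d -> %d" % (info["proto"],
                                  info["src_port"] or 0, info["dst_port"] or 0)


def port_term_matches(info, src_port, dst_port):
    """Simplified model of a port-matching filter term (assumption): with no
    L4 header there is nothing to compare, so the term cannot match."""
    return info["l4_header"] and info["src_port"] == src_port and info["dst_port"] == dst_port


def fragment_term_matches(info):
    """Model of a term that matches any fragment, initial or not."""
    return info["is_fragment"]


# Constructed samples: one 16-byte UDP payload split into two fragments,
# plus one unfragmented datagram that really does use port 0 on both ends.
PAYLOAD = bytes(range(16))
FIRST_FRAG = ipv4_packet("10.0.0.1", "10.0.0.2", UDP, 0x1234, True, 0,
                         udp_header(53, 40000, len(PAYLOAD)) + PAYLOAD[:8])
SECOND_FRAG = ipv4_packet("10.0.0.1", "10.0.0.2", UDP, 0x1234, False, 1,
                          PAYLOAD[8:])          # offset 1 unit = byte 8, no UDP header
REAL_PORT_ZERO = ipv4_packet("10.0.0.1", "10.0.0.2", UDP, 0x5678, False, 0,
                             udp_header(0, 0, 4) + b"\x00" * 4)

if __name__ == "__main__":
    for name, pkt in (("first fragment", FIRST_FRAG),
                      ("second fragment", SECOND_FRAG),
                      ("genuine port 0", REAL_PORT_ZERO)):
        info = describe(pkt)
        print("%-16s log shows: %-22s port-0 term matches: %-5s fragment term matches: %s"
              % (name, log_line(info), port_term_matches(info, 0, 0),
                 fragment_term_matches(info)))
```

Running it shows the second fragment logged as `proto 17 0 -> 0` while the port-0 term does not match it, whereas the datagram that genuinely uses port 0 both logs the same way and matches. If the goal is to count or drop fragments rather than port-0 traffic, the term needs a fragment match condition instead of port conditions (Junos IPv4 filters provide `is-fragment` and `first-fragment` for this).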

