[j-nsp] Block port 0 traffic

Wei Keong chooweikeong at pacific.net.sg
Thu Oct 14 21:38:43 EDT 2004


Hi Richard,

Actually we found this in cflow. Src port 0, Dst port 0, protocol udp. 
With the filter below, there are matches, but we still see the same traffic 
in cflow. Is this the fragmented packet?

Thanks,
Wei Keong

On Wed, 13 Oct 2004, Richard A Steenbergen wrote:

> On Wed, Oct 13, 2004 at 06:53:19PM +0800, Wei Keong wrote:
>> Hi,
>>
>> We observe quite a bit of traffic surge, from src port 0 to dst port 0.
>> We tried to use the filter below, but the traffic is still able to pass
>> through. Has anyone been seeing the same attack lately? Is there a bug in Junos
>> 5.6?
>>
>> term deny-port-zero {
>>     from {
>>         protocol [ tcp udp ];
>>         source-port 0;
>>         destination-port 0;
>>     }
>>     then {
>>         count deny-port-zero;
>>         sample;
>>         discard;
>>     }
>> }
>
> You aren't actually seeing port 0 traffic, you're seeing fragmented IP
> packets without a L4 header, which shows up as src/dst port 0 in "show
> firewall log" and such. Common question, it might be helpful to put some
> indicator so users can tell the difference.
>
> --
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>


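Richard's point, illustrated with an added example that is not part of the thread: a flow/firewall logger that reads the L4 port fields without first checking the IP fragment offset reports "port 0/0" for any non-initial fragment, because those fragments carry no UDP/TCP header at all. The packets below are constructed, and the header layout assumed is plain IPv4 without options.

```python
import struct

UDP, TCP = 17, 6

def build_ipv4(payload, proto=UDP, frag_offset=0, more_frags=False, ident=0x1234):
    """Construct a minimal 20-byte IPv4 header (no options) in front of payload.
    frag_offset is in 8-byte units, as on the wire; MF is bit 13 of flags/offset."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def naive_ports(packet):
    """What a logger does when it blindly reads the first 4 payload bytes as
    src/dst port: on a non-initial fragment these are just data bytes."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def classify(packet):
    """Return (kind, proto, src_port, dst_port), reporting ports as None when
    the packet cannot carry an L4 header (fragment offset > 0)."""
    ver_ihl, _, _, _, flags_frag, _, proto, _ = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_frag & 0x1FFF
    if offset > 0:
        # Non-initial fragment: ports are unknowable here, not zero.
        return ("non-initial-fragment", proto, None, None)
    if proto in (UDP, TCP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return ("first-or-unfragmented", proto, sport, dport)
    return ("no-l4-header", proto, None, None)

def summarize(packets):
    """Count how many records are genuine port 0/0 versus fragment artifacts."""
    counts = {"true-port-0": 0, "fragment-shown-as-port-0": 0, "other": 0}
    for p in packets:
        kind, _, sport, dport = classify(p)
        if kind == "non-initial-fragment":
            counts["fragment-shown-as-port-0"] += 1
        elif (sport, dport) == (0, 0):
            counts["true-port-0"] += 1
        else:
            counts["other"] += 1
    return counts

# Constructed samples: a DNS reply, a genuine port-0/0 UDP datagram, and a
# second fragment of a larger UDP datagram (payload only, no UDP header).
PKT_UDP = build_ipv4(struct.pack("!HHHH", 53, 40000, 8, 0))
PKT_PORT0 = build_ipv4(struct.pack("!HHHH", 0, 0, 8, 0))
PKT_FRAG = build_ipv4(b"\x00" * 32, frag_offset=185)
```

Both `PKT_PORT0` and `PKT_FRAG` come out of `naive_ports` as (0, 0); only `classify` tells them apart by looking at the fragment offset first.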