On Tue, Feb 25, 2014 at 11:22 AM, Staudinger, Malcolm < mstaudinger@corp.earthlink.com> wrote:
Why wouldn't you just block chargen entirely? Is it actually still being used these days for anything legitimate?
Long-term blocking based on port number is sure to result in problems. It's more appropriate to block chargen to a source shown to be subject to abuse. Simply blocking port 19 globally could very well be interfering with other use and disrupting connectivity for other applications not related to chargen that just so happen to use port 19 as an endpoint. Thanks to the wonder that is SRV records, users MAY, are technically quite free to, and sometimes do locate critical services on arbitrary, alternative port numbers, such as perhaps port 19, using the DNS SRV response, instead of having clients locate the port number by relying upon a well-known port registration with IANA. In this case, policing or discarding port 19 traffic to hosts that do not use port 19 for chargen is a connectivity disruption. Among known hosts that agree to communicate on port 19 without requiring a port registration, port number 19 may be used for any purpose, not necessarily chargen related. The same goes for ports 123, 25, etc., both UDP and TCP. Although the port is not in the traditional ephemeral range, nothing precludes its use as an ephemeral port for various application functions, either. The "well known port" assignments are advisory or recommended, for use by other unknown processes. The purpose of well-known port assignments is service location; the port number is not a sequence of application identification bits. The QUIC protocol using port 80/udp was a great example of a different application using a well-known port address, besides the one that would appear as the well-known port registration.
Malcolm Staudinger Information Security Analyst | EIS EarthLink
E: mstaudinger@corp.earthlink.com
-- -JH
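As an added example (not code posted by anyone in this thread), the following stdlib-only Python builds a DNS SRV response for a service located on port 19 and then parses it the way a client would, including RFC 1035 name compression pointers, to show that the port a client connects to comes from the SRV RDATA rather than from any IANA registration. The zone `_myapp._udp.example.net.`, the target hostnames and the port numbers are constructed for illustration and are not from the original post.

```python
"""Locate a service via a DNS SRV record on a non-registered port (added example).

The response is constructed inline so the code runs offline; the names,
priorities, weights and ports below are illustrative, not real zone data.
"""
import struct

SRV_TYPE = 33   # RR type code for SRV (RFC 2782)
IN_CLASS = 1    # class IN


def _encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response: one question, one SRV RR per answer tuple.

    answers: iterable of (priority, weight, port, target). Each RR's owner name
    is a compression pointer (0xC00C) back to the question name at offset 12.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    body = b""
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(target)
        body += b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 300, len(rdata)) + rdata
    return header + question + body


def _read_name(msg, off, depth=0):
    """Read a possibly compressed name at `off`; return (name, offset_after_name).

    Pointers must point strictly backwards and are depth-limited, so a hostile
    packet cannot loop the parser.
    """
    if depth > 16:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            tail, _ = _read_name(msg, ptr, depth + 1)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        if ln & 0xC0:
            raise ValueError("reserved label type")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_srv_response(msg):
    """Return a list of {'priority','weight','port','target'} for SRV answers."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)        # owner name (may be a pointer)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == SRV_TYPE and rclass == IN_CLASS:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append({"priority": prio, "weight": weight, "port": port, "target": target})
        off += rdlen
    return records


def choose_endpoint(records):
    """Pick (target, port): lowest priority, then highest weight.

    Deterministic for the example; RFC 2782 weights are normally used for
    weighted-random selection among equal priorities.
    """
    best = sorted(records, key=lambda r: (r["priority"], -r["weight"]))[0]
    return best["target"], best["port"]


# Constructed sample: the service lives on UDP port 19 even though 19 is the
# IANA chargen registration; a fallback instance sits on an unrelated port.
SAMPLE = build_srv_response(
    "_myapp._udp.example.net.",
    [(10, 60, 19, "app1.example.net."),
     (10, 40, 19, "app2.example.net."),
     (20, 0, 5000, "backup.example.net.")],
)

if __name__ == "__main__":
    recs = parse_srv_response(SAMPLE)
    print(recs)
    print(choose_endpoint(recs))
```

A client following this record sends UDP to app1.example.net port 19, so a middlebox that drops or polices "chargen" purely by destination port breaks this application while never inspecting a byte of chargen.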