![\"\"](\"https:\/\/i0.wp.com\/www.fayebell.name\/wp-content\/uploads\/2023\/01\/Wireshart-ArtNet.jpg?resize=456%2C121&ssl=1\")
<\/a>The Highlighted data of the Source and Destination ports. are the same! The commit that fixed the port bug in the kernel back in 2007. Now lets look at the Protocol spec., Work around Disable BLAT protection.<\/strong><\/p>\n\n\n\n <\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":" For all the Network Techs out there. I have a Interesting one, on reddit there was a post about a L2 switch killing the port when ArtNet was sent over it. Using my Network experience, I pulled the devices manual, … Continue reading ![\"\"](\"https:\/\/i0.wp.com\/www.fayebell.name\/wp-content\/uploads\/2023\/01\/GSD-1002M-switch-DOS-default-settings.png?resize=480%2C490&ssl=1\")
From the Switch’s manual.<\/a> Here is the default for the DOS settings
The highlighted settings are the items of interest the UDP and TCP BLAT settings.
What is a Blat Attack \u2013 These switch result from sending a specially crafted packet to a machine where the source host port is the same as the destination host port. The system attempts to reply to itself, resulting in system lockup.
This attack could be compared to setting up a mic IN FRONT of your Main PA 1″ Away from the speaker. Then Turning it on full blast.
Looking at RFC6056<\/a>
Recommendations for Transport-Protocol Port Randomization
These attacks rely on the attacker’s ability to
guess or know the five-tuple (Protocol, Source Address, Destination
Address, Source Port, Destination Port) that identifies the transport
protocol instance to be attacked.
Says this needs to happen on the Source port. so the source port is random but the destination is set<\/p>\n\n\n\n
Looking at RFC<\/a>1948<\/a>
Defending Against Sequence Number Attacks from May 1996
In summary “source port == destination port” is a bad practice.
<\/p>\n\n\n\n
This Bug has been fixed for a long time in the Linux Kernel networking subsystem to avoid this issue<\/p>\n\n\n\n
<\/a>
Following up at that Lets look at the man page for ip(7<\/a>)
Looking at how to Get a Source socket, to open two way coms with a remote server, (or multicast group)
When connect(2) is called on an unbound socket, **the socket is automatically bound to a random free port or to a usable shared port<\/strong> with the local address set to INADDR_ANY.
So in closing,
source port == dest port. Is triggering the Blat DOS detection.
<\/p>\n\n\n\n
Looking at ArtNet’s spec Here<\/a>
<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/www.fayebell.name\/wp-content\/uploads\/2023\/01\/Art-net-SRC-and-Dest.jpg?resize=569%2C180&ssl=1\")
<\/a>
It states that the programmer must use, source port of 6454 to contact the destination listing port 6454 of the server. <\/p>\n\n\n\n
That is Not conforming to Multiple RFCs and is using a bad<\/strong> practice.<\/p>\n\n\n\n
Root Cause ArtNet protocol says to use the same source port(client) as the destination port (server). is causing the issue.<\/p>\n\n\n\n