[155070] in North American Network Operators' Group
Re: DDoS using port 0 and 53 (DNS)
Wed Jul 25 00:08:12 2012
In-Reply-To: <003101cd6a17$3f81ddc0$be859940$@iname.com>
From: Roland Dobbins <rdobbins@arbor.net>
Date: Wed, 25 Jul 2012 11:05:48 +0700
To: Frank Bulk <frnkblk@iname.com>, "nanog@nanog.org" <nanog@nanog.org>
Frank Bulk <frnkblk@iname.com> wrote:
>Unfortunately I don't have packet captures of any of the attacks, so I
>can't examine them for more detail, but I'm wondering if there was some
>collective wisdom about blocking port 0.
Yes - don't do it, or you will break the Internet. These are non-initial fragments.
You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur.
Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers.
;>
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
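Added example, not part of the NANOG thread and not anyone's posted code: it builds and fragments a constructed IPv4/UDP datagram, then mimics what a flow exporter reports for each fragment, to show why reflected DNS answers show up as "port 0" and why the two mitigations differ. Only the initial fragment carries the UDP header, so a NetFlow/IPFIX-style exporter can only report src/dst ports for that fragment and exports the rest with both ports 0. The addresses (documentation prefixes), the 3000-byte answer size, the benign 2500-byte datagram and the helper names are all assumptions made for the illustration.

```python
"""Why 'port 0' in flow data means non-initial fragments, and why a
wholesale port-0 block is the wrong tool against fragmented DNS
reflection traffic.  Added example, not part of the NANOG thread."""
import socket
import struct
from dataclasses import dataclass

IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
PROTO_UDP = 17
MTU = 1500
MF_FLAG = 0x2000
FRAG_OFFSET_MASK = 0x1FFF


def _ipv4_header(src, dst, proto, payload_len, ident, offset, more_frags):
    """Minimal IPv4 header (no checksum); fragment offset is in 8-byte units."""
    flags_frag = (MF_FLAG if more_frags else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       ident, flags_frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_udp_packet(src, dst, sport, dport, payload, ident, mtu=MTU):
    """Build an IPv4/UDP datagram and fragment it as a host or router would.
    Only the first fragment carries the UDP header, and therefore the ports."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    chunk = (mtu - IPV4_HDR_LEN) // 8 * 8          # 1480 bytes, 8-byte aligned
    fragments = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        fragments.append(_ipv4_header(src, dst, PROTO_UDP, len(piece), ident, off, more) + piece)
    return fragments


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int
    frag_offset: int


def export_flow(pkt):
    """Mimic what a NetFlow/IPFIX exporter reports: L4 ports are only
    readable on the initial fragment, so non-initial fragments are exported
    with src/dst port 0 (the 'port 0' traffic discussed in the thread)."""
    (_, _, total_len, _, flags_frag, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IPV4_HDR_LEN])
    offset = (flags_frag & FRAG_OFFSET_MASK) * 8
    sport = dport = 0
    if offset == 0 and proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[IPV4_HDR_LEN:IPV4_HDR_LEN + 4])
    return FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                      sport, dport, total_len, offset)


def acl_drop_port0(rec):
    """The wholesale rule the post warns against: matches every non-initial
    fragment of every protocol, attack traffic or not."""
    return rec.sport == 0 and rec.dport == 0


def srtbh_drop(rec, reflector_sources):
    """Source-based RTBH: drop by source address.  The IP header is present in
    every fragment, so all fragments of a reflected answer are caught and
    unrelated fragmented traffic is untouched."""
    return rec.src in reflector_sources


def simulate():
    """Constructed traffic (documentation prefixes, assumed sizes): a 3000-byte
    DNS answer reflected off 192.0.2.53 at a victim, and a benign 2500-byte UDP
    datagram from 203.0.113.5 to another customer host."""
    attack = build_udp_packet("192.0.2.53", "198.51.100.10", 53, 4567, b"\x00" * 3000, ident=1)
    benign = build_udp_packet("203.0.113.5", "198.51.100.20", 2049, 1023, b"\x00" * 2500, ident=2)
    reflectors = {"192.0.2.53"}          # learned from the initial fragments' src addresses
    result = {}
    for name, pkts in (("attack", attack), ("benign", benign)):
        recs = [export_flow(p) for p in pkts]
        result[name] = {
            "fragments": len(recs),
            "first_record_sport": recs[0].sport,
            "dropped_by_port0_acl": sum(acl_drop_port0(r) for r in recs),
            "dropped_by_srtbh": sum(srtbh_drop(r, reflectors) for r in recs),
        }
    return result


if __name__ == "__main__":
    for name, stats in simulate().items():
        print(name, stats)
```

The port-0 ACL lets the attack's initial fragment (the one that actually says "src port 53") through and drops the tail of the benign datagram, so the customer's large UDP transfer never reassembles; the source-based drop catches all three attack fragments because the source address is in every IP header, and leaves the benign flow alone. On a real exporter the same effect shows up as flows with proto 17 and both ports 0, which is what the original question was seeing.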