[155072] in North American Network Operators' Group
RE: DDoS using port 0 and 53 (DNS)
Wed Jul 25 00:50:52 2012
From: "Frank Bulk" <frnkblk@iname.com>
To: "'Roland Dobbins'" <rdobbins@arbor.net>,
<nanog@nanog.org>
In-Reply-To: <af6fc85b-ba55-4c8c-9796-bcd436a837d7@email.android.com>
Date: Tue, 24 Jul 2012 23:50:06 -0500
Thanks for confirming what was discussed in the NANOG archive.
I now have warm fuzzies knowing that all my protections are reactive. =) I will be talking with our upstream provider to see if they can enable some better automation (because they run a larger shop). I know they were able to null route in seconds, we just need a faster way to identify targets.
Frank
-----Original Message-----
From: Roland Dobbins [mailto:rdobbins@arbor.net]
Sent: Tuesday, July 24, 2012 11:06 PM
To: Frank Bulk; nanog@nanog.org
Subject: Re: DDoS using port 0 and 53 (DNS)
Frank Bulk <frnkblk@iname.com> wrote:
>Unfortunately I don't have packet captures of any of the attacks, so I
>can't exam them for more detail, but wondering if there was some
>collective wisdom about blocking port 0.
Yes - don't do it, or you will break the Internet. These are non-initial fragments.
You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur.

Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers.
;>
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
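As an added example (not part of the thread or of any product mentioned in it), a small Python classifier over constructed flow records shows the two points from Roland's reply: non-initial fragments appear as port 0 only because they carry no transport header, so a per-destination tally that attributes those fragments to the UDP/53 response stream identifies the target faster than staring at port-0 counters, while a blanket port-0 filter would also drop fragments of legitimate traffic. The Flow layout, the sample records and the byte threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int        # 17 = UDP
    sport: int
    dport: int
    nbytes: int
    frag_offset: int  # > 0 marks a non-initial fragment: no L4 header, so the exporter reports ports as 0


# Constructed sample flow records (RFC 5737 documentation addresses, not real traffic).
SAMPLE = [
    Flow("198.51.100.7", "203.0.113.10", 17, 53, 40532, 280_000, 0),   # large DNS answers, first fragments
    Flow("198.51.100.7", "203.0.113.10", 17, 0, 0, 900_000, 1480),      # their trailing fragments
    Flow("198.51.100.9", "203.0.113.10", 17, 53, 40532, 150_000, 0),
    Flow("198.51.100.9", "203.0.113.10", 17, 0, 0, 500_000, 1480),
    Flow("192.0.2.50", "203.0.113.20", 17, 53, 51000, 3_000, 0),        # ordinary unfragmented DNS reply
    Flow("192.0.2.80", "203.0.113.30", 17, 2049, 40001, 60_000, 0),     # fragmented NFS over UDP (legitimate)
    Flow("192.0.2.80", "203.0.113.30", 17, 0, 0, 120_000, 1480),        # its trailing fragments: also "port 0"
]


def is_noninitial_fragment(f: Flow) -> bool:
    return f.frag_offset > 0


def dns_reflection_targets(flows, threshold_bytes):
    """Return {dst: bytes} for destinations receiving more than threshold_bytes of UDP
    source-port-53 responses, counting the trailing fragments that belong to them."""
    dns_pairs = {(f.src, f.dst) for f in flows
                 if f.proto == 17 and f.sport == 53 and not is_noninitial_fragment(f)}
    per_dst = defaultdict(int)
    for f in flows:
        if f.proto != 17:
            continue
        if f.sport == 53 and not is_noninitial_fragment(f):
            per_dst[f.dst] += f.nbytes
        elif is_noninitial_fragment(f) and (f.src, f.dst) in dns_pairs:
            per_dst[f.dst] += f.nbytes  # attribute port-0 fragments to the DNS response stream they follow
    return {d: b for d, b in per_dst.items() if b > threshold_bytes}


def port0_filter_collateral(flows, targets):
    """Bytes a wholesale src/dst port-0 filter would drop that belong to hosts NOT under attack."""
    return sum(f.nbytes for f in flows if is_noninitial_fragment(f) and f.dst not in targets)


if __name__ == "__main__":
    hits = dns_reflection_targets(SAMPLE, 1_000_000)
    print("likely reflection targets:", hits)
    print("legitimate fragment bytes a port-0 filter would drop:", port0_filter_collateral(SAMPLE, hits))
```

The target list is what you would hand to the upstream for S/RTBH or flowspec; the collateral figure is the traffic Roland warns you would lose with a port-0 block.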