[155075] in North American Network Operators' Group
Re: DDoS using port 0 and 53 (DNS)
Wed Jul 25 02:50:25 2012
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 25 Jul 2012 06:49:40 +0000
In-Reply-To: <CAAAwwbUoQ8efXKfig+4DgXOLWY+mhu-O4Mtbf=UJdf6vyX9aaw@mail.gmail.com>
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:
> The packet is a non-initial fragment if and only if the fragmentation
> offset is not set to zero. Port number's not a field you look at for that.
I understand all that, thanks.
NetFlow reports source/dest port 0 for non-initial fragments. That, coupled with the description of the attack, makes it a near-certainty that the observed attack was a DNS reflection/amplification attack.
Furthermore, most routers can't perform the type of filtering necessary to check deeply into the packet header in order to determine if a given packet is a well-formed non-initial fragment or not.
And finally, many router implementations interpret source/dest port 0 as - yes, you guessed it - non-initial fragments. Hence, it's not a good idea to filter on source/dest port 0.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
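As an added illustration of the point made in both messages (the fragment-offset test, and why port 0 in a flow record is ambiguous), not code from the original thread: a small Python parser that classifies constructed IPv4 packets by fragment offset and emulates how a NetFlow-style exporter ends up with port 0 for non-initial fragments. The packet builder, the sample addresses and the payloads are all constructed for this example.

```python
import struct

def build_ipv4(src, dst, proto, ident, mf, frag_offset, payload):
    """Construct a minimal IPv4 packet: 20-byte header, no options,
    checksum left 0. frag_offset is in 8-byte units; mf is the MF flag."""
    flags_frag = (mf << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def classify(pkt):
    """Return (is_non_initial_fragment, src_port, dst_port).
    A packet is a non-initial fragment iff its fragment offset is non-zero.
    Such a fragment carries no UDP/TCP header, so the ports are unknown
    (None) rather than 0; flow exporters commonly record them as 0."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    if frag_offset != 0:
        return True, None, None
    if proto in (6, 17) and len(pkt) >= ihl + 4:       # TCP or UDP
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return False, sport, dport
    return False, None, None

def flow_ports(pkt):
    """Emulate a NetFlow-style record: non-initial fragments (and any
    packet whose ports cannot be read) are exported with ports 0/0."""
    non_initial, sport, dport = classify(pkt)
    return (0, 0) if non_initial or sport is None else (sport, dport)

# Constructed sample packets (addresses from RFC 5737 documentation ranges).
SRC, DST = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])
DNS_DATA = b"\xab\xcd" + b"\x00" * 30                    # stand-in DNS payload
UDP_HDR = struct.pack("!HHHH", 53, 40000, 8 + len(DNS_DATA), 0)

# First fragment of a large DNS reply: offset 0, MF set, UDP header present.
DNS_FIRST_FRAG = build_ipv4(SRC, DST, 17, 0x1234, 1, 0, UDP_HDR + DNS_DATA)
# Later fragment of the same datagram: offset 185 (1480 bytes), no UDP header.
DNS_LATER_FRAG = build_ipv4(SRC, DST, 17, 0x1234, 0, 185, b"\x00" * 32)
# Unfragmented UDP packet that genuinely has source and destination port 0.
PORT_ZERO_UDP = build_ipv4(SRC, DST, 17, 0x0001, 0, 0,
                           struct.pack("!HHHH", 0, 0, 8, 0))

if __name__ == "__main__":
    for name, pkt in [("first fragment", DNS_FIRST_FRAG),
                      ("later fragment", DNS_LATER_FRAG),
                      ("real port 0", PORT_ZERO_UDP)]:
        print(f"{name:15} classify={classify(pkt)} flow={flow_ports(pkt)}")
```

A non-initial fragment and a genuinely port-0 datagram yield identical flow records, which is why port 0 in NetFlow, or in a port-based ACL, cannot by itself tell the two apart.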