[155077] in North American Network Operators' Group


Re: DDoS using port 0 and 53 (DNS)

daemon@ATHENA.MIT.EDU (John Kristoff)
Wed Jul 25 10:45:02 2012

Date: Wed, 25 Jul 2012 09:43:43 -0500
From: John Kristoff <jtk@cymru.com>
To: Jimmy Hess <mysidia@gmail.com>
In-Reply-To: <CAAAwwbW3C6dLC-j+LgpVoOnyJOWPskfMaAJg5RKB22=oqy2pBA@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 24 Jul 2012 23:10:52 -0500
Jimmy Hess <mysidia@gmail.com> wrote:

> It should be relatively safe to drop  (non-fragment)  packets to/from
> port 0.
[...]

Some UDP applications will use zero as a source port when they do not
expect a response, which is how many one-way UDP-based apps operate,
though not all.  This behavior is spelled out in the IETF RFC 768:

  "Source Port is an optional field, when meaningful, it indicates the
  port of the sending  process,  and may be assumed  to be the port to
  which a reply should  be addressed  in the absence of any other
  information.  If not used, a value of zero is inserted."

John
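
As an added illustration (not part of John's or Jimmy's messages), the Python below parses raw IPv4/UDP packets and applies the two candidate policies discussed above: Jimmy's "drop non-fragment packets to/from port 0", and a narrower "drop only port 0 as destination" variant that leaves RFC 768 one-way senders (source port 0) alone. The packets are constructed in the script, not captured traffic; the addresses are documentation ranges and the function names are this example's own. It also shows why the "non-fragment" qualifier matters: a non-first fragment carries no UDP header, so a port match on it is impossible.

```python
import struct

UDP_PROTO = 17
MF_FLAG = 0x2000        # IPv4 "more fragments" bit
FRAG_OFFSET_MASK = 0x1FFF


def build_ipv4_udp(src_port, dst_port, payload=b"", frag_offset=0, more_fragments=False):
    """Constructed sample packet: minimal IPv4 header + UDP datagram.

    frag_offset is in 8-byte units. A non-first fragment (frag_offset > 0)
    carries only payload after the IP header; the UDP header, and thus the
    ports, exist only in the first fragment.
    """
    if frag_offset == 0:
        udp_len = 8 + len(payload)
        l4 = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    else:
        l4 = payload
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & FRAG_OFFSET_MASK)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(l4), 0x1234, flags_frag, 64, UDP_PROTO, 0,
        bytes([192, 0, 2, 1]),      # src 192.0.2.1   (TEST-NET-1, constructed)
        bytes([198, 51, 100, 7]),   # dst 198.51.100.7 (TEST-NET-2, constructed)
    )
    return ip_hdr + l4


def parse(packet):
    """Extract protocol, fragment state and UDP ports (None when no header is present)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    info = {
        "proto": proto,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "src_port": None,
        "dst_port": None,
    }
    # Only a first fragment (offset 0) of a UDP packet has a UDP header to read.
    if proto == UDP_PROTO and info["frag_offset"] == 0 and len(packet) >= ihl + 8:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def port_zero_verdict(packet, policy="both"):
    """Return 'drop' or 'pass'.

    policy="both":     Jimmy's proposal, drop non-fragment UDP to OR from port 0.
    policy="dst_only": narrower variant, drop only UDP *to* port 0, so senders
                       that legitimately use source port 0 per RFC 768 still pass.
    """
    info = parse(packet)
    if info["proto"] != UDP_PROTO:
        return "pass"
    # "(non-fragment)": leave every fragment alone. A first fragment (offset 0,
    # MF set) does still carry the UDP header; a stricter policy could match it,
    # but a non-first fragment has no ports at all, so it cannot be matched.
    if info["more_fragments"] or info["frag_offset"] != 0:
        return "pass"
    if info["dst_port"] == 0:
        return "drop"
    if policy == "both" and info["src_port"] == 0:
        return "drop"
    return "pass"


if __name__ == "__main__":
    samples = {
        "dns query, sport 54321": build_ipv4_udp(54321, 53),
        "one-way sender, sport 0": build_ipv4_udp(0, 514, b"syslog"),
        "to port 0": build_ipv4_udp(40000, 0),
        "first fragment, sport 0": build_ipv4_udp(0, 53, b"x" * 8, more_fragments=True),
        "non-first fragment": build_ipv4_udp(0, 53, b"x" * 8, frag_offset=1),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} both={port_zero_verdict(pkt):4s} dst_only={port_zero_verdict(pkt, 'dst_only')}")
```

The "one-way sender, sport 0" case is the one John's RFC 768 quotation is about: under the "both" policy it is dropped, under "dst_only" it passes, which is the trade-off an operator has to make when deciding how aggressively to filter port 0.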

