[155080] in North American Network Operators' Group
RE: DDoS using port 0 and 53 (DNS)
daemon@ATHENA.MIT.EDU (Frank Bulk)
Wed Jul 25 11:28:56 2012
From: "Frank Bulk" <frnkblk@iname.com>
To: "'Jimmy Hess'" <mysidia@gmail.com>
In-Reply-To: <CAAAwwbUoQ8efXKfig+4DgXOLWY+mhu-O4Mtbf=UJdf6vyX9aaw@mail.gmail.com>
Date: Wed, 25 Jul 2012 10:27:55 -0500
Cc: nanog@nanog.org
Reply-To: frnkblk@iname.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Can netflow _properly_ "capture" whether a packet is a fragment or not? If
not, does IPFIX address this?
Frank
-----Original Message-----
From: Jimmy Hess [mailto:mysidia@gmail.com]
Sent: Wednesday, July 25, 2012 12:08 AM
To: Roland Dobbins
Cc: Frank Bulk; nanog@nanog.org
Subject: Re: DDoS using port 0 and 53 (DNS)
On 7/24/12, Roland Dobbins <rdobbins@arbor.net> wrote:
> Frank Bulk <frnkblk@iname.com> wrote:
>>can't examine them for more detail, but wondering if there was some
>>collective wisdom about blocking port 0.
> Yes - don't do it, or you will break the Internet. These are non-initial
Without a packet capture to look at, that's really just a blind assumption.
A port number of a non-initial fragment does not exist at all, because
the Layer 4 info is unavailable in that case; something _might_ lie
and say the port number is 0, but it should not -- there is no TCP
header with any port numbers. The only fields available to check
against on such packets are Layer 3 fields such as protocol, source
address, and destination address.
The port number of the Layer 4 connection cannot be determined without
executing IP fragment reassembly in that case. Routers normally
reassemble fragments they receive, if possible.
An access list statement attempting to match against non-present
Layer 4 information should not work. On a stateful firewall, the
presence of the rule might trigger a fragment reassembly; on a
router, the non-applicable ACL entry referring to a non-existent
port number will generally be ignored.
A full capture should not be necessary.
You determine if a packet is a fragment by examining the MF flag (bit
50) and the fragmentation offset (bits 51 through 63) of the IPv4 header.
You only need to look at the first 8 bytes of the IP header. If
the MF bit is set to 0, and the fragmentation offset bits are also all
0, then the packet is not part of a fragment.
The packet is a non-initial fragment if and only if the
fragmentation offset is not set to zero.
Port number's not a field you look at for that.
--
-JH
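The header check Jimmy describes, written out as an added Python example (not code from either poster): it classifies a packet from bytes 6-7 of the IPv4 header alone, and only reads port fields when a Layer 4 header can actually be present. The packets, addresses and the `build_ipv4` helper are constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class FragInfo:
    mf: bool      # More Fragments flag, bit 50 of the IPv4 header
    offset: int   # fragment offset in bytes (bits 51-63, stored in 8-byte units)

    @property
    def is_fragment(self) -> bool:      # MF set or offset non-zero
        return self.mf or self.offset > 0

    @property
    def non_initial(self) -> bool:      # offset != 0: no Layer 4 header is present
        return self.offset > 0

def classify_ipv4(pkt: bytes) -> FragInfo:
    """Decide fragment status from bytes 6-7 of the IPv4 header (first 8 bytes suffice)."""
    if len(pkt) < 8 or pkt[0] >> 4 != 4:
        raise ValueError("need >= 8 bytes of an IPv4 header")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return FragInfo(mf=bool(flags_frag & 0x2000), offset=(flags_frag & 0x1FFF) * 8)

def l4_ports(pkt: bytes):
    """(src, dst) ports for TCP/UDP when a Layer 4 header is actually present, else None."""
    info = classify_ipv4(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    if info.non_initial or pkt[9] not in (6, 17) or len(pkt) < ihl + 4:
        return None          # a non-initial fragment has no port fields to read
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def build_ipv4(proto: int, mf: bool, offset_units: int, payload: bytes) -> bytes:
    """Constructed test packet: 20-byte header, checksum left at 0 (not needed here)."""
    flags_frag = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

# Constructed samples (addresses from the RFC 5737 documentation ranges):
DNS_QUERY = build_ipv4(17, False, 0, struct.pack("!HHHH", 40000, 53, 20, 0) + b"\x00" * 12)
FRAG_FIRST = build_ipv4(17, True, 0, struct.pack("!HHHH", 40000, 53, 1680, 0) + b"A" * 1472)
FRAG_LAST = build_ipv4(17, False, 185, b"A" * 200)   # offset 185*8 = 1480 bytes, payload only

if __name__ == "__main__":
    for name, p in [("dns", DNS_QUERY), ("first", FRAG_FIRST), ("last", FRAG_LAST)]:
        print(name, classify_ipv4(p), l4_ports(p))
```

Reading `pkt[ihl:ihl+4]` from `FRAG_LAST` regardless of the offset would return payload bytes (0x4141, 0x4141) as if they were ports, which is the kind of bogus value a collector can end up recording; the offset check returns None instead.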