[155093] in North American Network Operators' Group


RE: DDoS using port 0 and 53 (DNS)

daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Jul 25 18:14:29 2012

From: Drew Weaver <drew.weaver@thenap.com>
To: 'Frank Bulk' <frnkblk@iname.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 25 Jul 2012 18:13:52 -0400
In-Reply-To: <003101cd6a17$3f81ddc0$be859940$@iname.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Another nice "emerging" tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec; using Flowspec you can instruct your upstream to block traffic with much more granular characteristics.

Instead of dropping all traffic to the IP address, you can drop (for example) udp dst 80 traffic to the IP address, or traffic from a particular source to a particular destination.

It can also be initiated by your side without interaction from the upstream ISP.

Just saying =)

-Drew

-----Original Message-----
From: Frank Bulk [mailto:frnkblk@iname.com]
Sent: Tuesday, July 24, 2012 11:41 PM
To: nanog@nanog.org
Subject: DDoS using port 0 and 53 (DNS)

Several times this year our customers have suffered DDoSes ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute spurts.  They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0".  The one from today had about 89% port 0 and 11% port 53 (DNS).  If it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us that's targeted to TCP or UDP port 0 -- is that safe to do?  I found two NANOG archives that talk about this:
http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.html
http://www.gossamer-threads.com/lists/nanog/users/18990
and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but I'm wondering if there is some collective wisdom about blocking port 0.

Regards,

Frank
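The granular match Drew describes above ("udp dst 80 traffic to the IP address") is carried to the upstream as a BGP Flowspec NLRI (RFC 5575). The encoder/decoder below is an added illustration, not code from the thread or from any router vendor; the destination address 192.0.2.1 is a constructed documentation value, and only single "== value" numeric terms are handled.

```python
"""Encode/decode a BGP Flowspec (RFC 5575) NLRI for simple drop-rule matches.
Constructed example, not from the original thread. Numeric components are a
single "== value" term, which is all that "udp dst 80 to this IP" needs."""
import ipaddress
import struct

DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
NAMES = {1: "dst", 2: "src", 3: "proto", 5: "dport", 6: "sport"}
OP_END, OP_EQ, OP_LEN_2 = 0x80, 0x01, 0x10  # end-of-list, eq, 2-octet value

def _prefix(ctype, cidr):
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8  # only the significant address octets
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def _numeric_eq(ctype, value):
    if value < 256:
        return bytes([ctype, OP_END | OP_EQ, value])
    return bytes([ctype, OP_END | OP_LEN_2 | OP_EQ]) + struct.pack("!H", value)

def encode_flowspec(dst=None, src=None, proto=None, dport=None, sport=None):
    """Return the NLRI bytes; components are emitted in ascending type order."""
    body = b""
    for ctype, val in ((DST_PREFIX, dst), (SRC_PREFIX, src)):
        if val is not None:
            body += _prefix(ctype, val)
    for ctype, val in ((IP_PROTO, proto), (DST_PORT, dport), (SRC_PORT, sport)):
        if val is not None:
            body += _numeric_eq(ctype, val)
    if len(body) >= 240:
        raise ValueError("two-octet NLRI length form not handled here")
    return bytes([len(body)]) + body

def decode_flowspec(nlri):
    """Decode the subset encode_flowspec produces back into a dict."""
    length, pos, rule = nlri[0], 1, {}
    while pos < 1 + length:
        ctype, pos = nlri[pos], pos + 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, nbytes = nlri[pos], (nlri[pos] + 7) // 8
            addr = nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
            rule[NAMES[ctype]] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += 1 + nbytes
        else:  # single "== value" term; operator bits 5-4 give value width
            width = 1 << ((nlri[pos] & 0x30) >> 4)
            rule[NAMES[ctype]] = int.from_bytes(nlri[pos + 1:pos + 1 + width], "big")
            pos += 1 + width
    return rule
```

`encode_flowspec(dst="192.0.2.1/32", proto=17, dport=80)` yields the 13-octet NLRI `0c 01 20 c0000201 03 81 11 05 81 50`; a source-prefix match for the "particular source to a particular destination" case is built the same way with `src=`.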
