[157283] in North American Network Operators' Group
Re: Attacking on Source Port 0 (ZERO)
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Oct 14 09:44:13 2012
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sun, 14 Oct 2012 13:43:58 +0000
In-Reply-To: <CAGqGmqbTsnO3WD6HR=4oVX_2=YsdWaii9b7+yApZMd1zBaaSPQ@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 14, 2012, at 4:48 PM, Shahab Vahabzadeh wrote:
> Does any body know what kind of attack can be come to port 0?
If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS a=
ttack.
If it's port 0, you may be incorrectly blocking non-initial fragments. Alt=
ernately, it could represent a fragmented DDoS attack, either non-initial f=
ragments fired directly against something on your network or as the result =
of a DNS reflection/amplification attack against something on your network.
The log fragment you posted doesn't provide enough detail to make an inform=
ed judgement. Also, you should not place servers behind a stateful firewal=
l, anyways.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
