[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DDoS using port 0 and 53 (DNS)

Subject: DDoS using port 0 and 53 (DNS)
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 25 Jul 2012 11:05:48 +0700
In-reply-to: <[email protected]>
References: <[email protected]>

Frank Bulk <frnkblk at iname.com> wrote:

>Unfortunately I don't have packet captures of any of the attacks, so I
>can't exam them for more detail, but wondering if there was some
>collective wisdom about blocking port 0.

Yes - don't do it, or you will break the Internet. These are non-initial fragments.

You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur. 

Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers. 

;>
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>

Follow-Ups:
- DDoS using port 0 and 53 (DNS)
  - From: frnkblk at iname.com (Frank Bulk)
- DDoS using port 0 and 53 (DNS)
  - From: mysidia at gmail.com (Jimmy Hess)

References:
- DDoS using port 0 and 53 (DNS)
  - From: frnkblk at iname.com (Frank Bulk)

Prev by Date: DDoS using port 0 and 53 (DNS)
Next by Date: DDoS using port 0 and 53 (DNS)
Previous by thread: DDoS using port 0 and 53 (DNS)
Next by thread: DDoS using port 0 and 53 (DNS)
Index(es):
- Date
- Thread