DDoS using port 0 and 53 (DNS)
- Subject: DDoS using port 0 and 53 (DNS)
- From: mysidia at gmail.com (Jimmy Hess)
- Date: Tue, 24 Jul 2012 23:10:52 -0500
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 7/24/12, Frank Bulk <frnkblk at iname.com> wrote:
> Unfortunately I don't have packet captures of any of the attacks, so I
> can't examine them for more detail, but wondering if there was some collective
> wisdom about blocking port 0.
It should be relatively safe to drop (non-fragment) packets to/from port 0.
If I recall correctly, there are some routers that perform a "helpful"
numeric value validation when the human is entering port numbers for
access list rules, that _do_ forward port 0 traffic, and through
some sort of oversight by the router/firewall vendor actually
_prevent_ the administrator from selecting port 0 in a deny rule, e.g.
"Port to deny must be a number from 1 to 65535".
TCP/UDP port 0 is technically a legal port, but it's also a reserved
port, and very unusual for it to be used on the network for any
legitimate purpose. Various firewalls will discard anything TCP/UDP
sent to/from port 0.
Many TCP/UDP sockets implementations won't even let an application
select port 0. bind() to port 0 is treated as a signal that the
application wants the sockets API to pick a high-numbered ephemeral
port.
> Regards,
> Frank
--
-JH
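As an added illustration (not part of this thread or anyone's posted code), the following Python snippet models the two points above: a filter that drops non-fragment TCP/UDP packets to or from port 0 while leaving non-first fragments alone (they carry no transport header, so their ports are unknown rather than 0), and a probe showing that bind() to port 0 makes the sockets API choose an ephemeral port. The `Packet` record and the sample packets are constructed for the example.

```python
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Minimal constructed view of one IP packet (not a real parser)."""
    proto: str                 # "tcp", "udp", or anything else
    src_port: Optional[int]    # None when no transport header is present
    dst_port: Optional[int]
    frag_offset: int = 0       # IP fragment offset; > 0 means a non-first fragment


def should_drop_port0(pkt: Packet) -> bool:
    """Policy from the post: drop (non-fragment) TCP/UDP packets to/from port 0.

    Non-first fragments have no TCP/UDP header, so there is no port to test;
    they are passed here and left to reassembly or other policy, which is why
    the post qualifies the rule with "non-fragment".
    """
    if pkt.frag_offset > 0:
        return False
    if pkt.proto not in ("tcp", "udp"):
        return False
    return pkt.src_port == 0 or pkt.dst_port == 0


def port_chosen_by_bind_zero(host: str = "127.0.0.1") -> int:
    """bind() to port 0 asks the sockets API to pick an ephemeral port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]   # the kernel-assigned port, never 0


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("udp", 0, 53),                 # port 0 -> DNS: drop
    Packet("udp", 53, 0),                 # DNS -> port 0: drop
    Packet("udp", 40000, 53),             # ordinary DNS query: pass
    Packet("udp", None, None, frag_offset=185),  # non-first fragment: pass
    Packet("icmp", None, None),           # no ports at all: pass
]


def filter_sample() -> list:
    return [should_drop_port0(p) for p in SAMPLE]


if __name__ == "__main__":
    print(filter_sample())
    print("bind((host, 0)) gave port", port_chosen_by_bind_zero())
```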