DDoS using port 0 and 53 (DNS)
- Subject: DDoS using port 0 and 53 (DNS)
- From: rdobbins at arbor.net (Dobbins, Roland)
- Date: Wed, 25 Jul 2012 06:49:40 +0000
- In-reply-to: <CAAAwwbUoQ8efXKfig+4DgXOLWY+mhu-O4Mtbf=UJdf6vyX9aaw@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAAAwwbUoQ8efXKfig+4DgXOLWY+mhu-O4Mtbf=UJdf6vyX9aaw@mail.gmail.com>
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:
> The packet is a non-initial fragment if and only if the fragmentation offset is not set to zero. The port number is not a field you look at for that.
I understand all that, thanks.
NetFlow reports source/dest port 0 for non-initial fragments. That, coupled with the description of the attack, makes it a near-certainty that the observed attack was a DNS reflection/amplification attack.
Furthermore, most routers can't perform the type of filtering necessary to check deeply into the packet header in order to determine if a given packet is a well-formed non-initial fragment or not.
And finally, many router implementations interpret source/dest port 0 as - yes, you guessed it - non-initial fragments. Hence, it's not a good idea to filter on source/dest port 0.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
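To make the point of the thread concrete, here is an added example (not from the thread or from any vendor's code): it classifies constructed IPv4/UDP packets by fragment offset, as Jimmy Hess describes, and emulates a NetFlow-style exporter that reports port 0 for non-initial fragments, showing why a "drop port 0" rule derived from flow records also hits the tail fragments of legitimate DNS responses. Addresses and port numbers are constructed sample values.

```python
import struct

def build_ipv4(src, dst, proto, frag_offset, more_fragments, payload):
    """Build a minimal IPv4 header (no options) in front of payload.
    frag_offset is in 8-byte units; more_fragments sets the MF flag."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def classify(pkt):
    """Classify from the IP header alone: a non-zero fragment offset means
    a non-initial fragment, which carries no L4 header at all."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, = struct.unpack_from("!H", pkt, 6)
    mf = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    non_initial = offset != 0
    ports = None
    if not non_initial and pkt[9] == 17:  # UDP header present in this fragment
        ports = struct.unpack_from("!HH", pkt, ihl)
    return {"non_initial": non_initial, "mf": mf, "offset": offset, "ports": ports}

def flow_ports(pkt):
    """Emulate a NetFlow-style exporter: with no L4 header to read,
    non-initial fragments are recorded as src/dst port 0."""
    c = classify(pkt)
    return c["ports"] if c["ports"] is not None else (0, 0)

def port0_filter_hits(pkts):
    """Which packets a 'drop port 0' rule built from flow records would match:
    it cannot separate real port-0 traffic from non-initial fragments."""
    return [flow_ports(p) == (0, 0) for p in pkts]

# Constructed sample packets (RFC 5737 documentation addresses).
SRC = bytes([192, 0, 2, 53]); DST = bytes([198, 51, 100, 7])
# First fragment of a 1500+ byte DNS response: UDP header, src port 53, MF set.
DNS_FIRST = build_ipv4(SRC, DST, 17, 0, True, udp_header(53, 40000, 1472) + b"\x00" * 1472)
# Tail fragment of the same response: offset 185*8 = 1480, no UDP header.
DNS_TAIL = build_ipv4(SRC, DST, 17, 185, False, b"\x00" * 1200)
# Unfragmented datagram that genuinely uses port 0 on both sides.
REAL_PORT0 = build_ipv4(SRC, DST, 17, 0, False, udp_header(0, 0, 4) + b"\x00" * 4)
```

Running `port0_filter_hits([DNS_FIRST, DNS_TAIL, REAL_PORT0])` shows the rule sparing the initial fragment but dropping both the legitimate tail fragment and the real port-0 datagram; only `classify()`, which reads the offset, tells them apart.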