DDoS using port 0 and 53 (DNS)
- Subject: DDoS using port 0 and 53 (DNS)
- From: jtk at cymru.com (John Kristoff)
- Date: Wed, 25 Jul 2012 09:43:43 -0500
- In-reply-to: <CAAAwwbW3C6dLC-j+LgpVoOnyJOWPskfMaAJg5RKB22=oqy2pBA@mail.gmail.com>
- References: <[email protected]> <CAAAwwbW3C6dLC-j+LgpVoOnyJOWPskfMaAJg5RKB22=oqy2pBA@mail.gmail.com>
On Tue, 24 Jul 2012 23:10:52 -0500
Jimmy Hess <mysidia at gmail.com> wrote:
> It should be relatively safe to drop (non-fragment) packets to/from
> port 0.
[...]
Some UDP applications will use zero as a source port when they do not
expect a response, which is how many one-way UDP-based apps operate,
though not all. This behavior is spelled out in the IETF RFC 768:
"Source Port is an optional field, when meaningful, it indicates the
port of the sending process, and may be assumed to be the port to
which a reply should be addressed in the absence of any other
information. If not used, a value of zero is inserted."
John
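As an added example that is not part of the original thread, the following Python script shows why the "non-fragment" qualification in Jimmy's suggestion and the RFC 768 source-port-zero caveat in John's reply both matter to a port-0 filter. It builds four constructed IPv4/UDP packets (sample data, not captured traffic; 192.0.2.0/24 addresses, checksums left zero), then compares a naive filter that simply reads the two 16-bit words after the IP header with one that checks the fragment offset first and distinguishes source port 0 from destination port 0. The category names returned by `classify` and the decision to treat destination port 0 as a drop candidate while merely flagging source port 0 are this example's own policy, not something the thread prescribes.

```python
import struct

IPPROTO_UDP = 17

# --- constructed sample packets (not captured traffic) -----------------------

def build_ipv4(body: bytes, frag_offset: int = 0, more_fragments: bool = False,
               ident: int = 0x1234) -> bytes:
    """Wrap 'body' in a minimal 20-byte IPv4 header with protocol UDP.
    The header checksum is left zero: this is constructed sample data."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                    # version 4, IHL 5 (20-byte header)
        0,                       # DSCP/ECN
        20 + len(body),          # total length
        ident,                   # identification
        flags_frag,              # flags (3 bits) + fragment offset (13 bits, units of 8)
        64,                      # TTL
        IPPROTO_UDP,             # protocol
        0,                       # header checksum (omitted in sample data)
        bytes([192, 0, 2, 1]),   # src 192.0.2.1 (TEST-NET-1, constructed)
        bytes([192, 0, 2, 53]),  # dst 192.0.2.53 (constructed)
    )
    return header + body


def udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header per RFC 768 (src port, dst port, length, checksum) + payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


# Ordinary DNS query: ephemeral source port, destination port 53.
DNS_QUERY = build_ipv4(udp_datagram(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))

# One-way sender that expects no reply, so per RFC 768 it puts zero in the
# Source Port field (the legitimate case John Kristoff points out).
ONE_WAY_SRC0 = build_ipv4(udp_datagram(0, 9999, b"telemetry-sample"))

# Datagram addressed to destination port 0.
DST0 = build_ipv4(udp_datagram(40001, 0, b"\x00" * 16))

# Non-first fragment of a large UDP datagram (offset 185 * 8 = 1480 bytes).
# The UDP header travelled in the first fragment, so this packet carries only
# payload bytes after the IP header. The payload happens to start with zeros,
# which a filter that ignores fragmentation will misread as ports 0 and 0.
NON_FIRST_FRAG = build_ipv4(b"\x00\x00\x00\x00" + b"A" * 20, frag_offset=185)


# --- two ways of looking at the port fields ----------------------------------

def naive_ports(pkt: bytes) -> tuple:
    """What a filter sees if it just reads the two 16-bit words that follow the
    IP header. Correct for unfragmented packets and first fragments, wrong for
    non-first fragments, where no UDP header is present at all."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def classify(pkt: bytes) -> str:
    """Classify an IPv4 packet for a port-0 filter. Labels are this example's:
      'fragment'   non-first fragment, ports unknown: a port rule must not judge it
      'dst-port-0' destination port 0: treated here as a drop candidate
      'src-port-0' source port 0: allowed by RFC 768 for senders expecting no
                   reply, so dropping it can break one-way UDP applications
      'pass'       ordinary datagram
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP:
        return "not-udp"
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if flags_frag & 0x1FFF != 0:          # fragment offset nonzero
        return "fragment"
    if len(pkt) < ihl + 8:
        return "truncated"
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if dst_port == 0:
        return "dst-port-0"
    if src_port == 0:
        return "src-port-0"
    return "pass"


if __name__ == "__main__":
    samples = [("DNS_QUERY", DNS_QUERY), ("ONE_WAY_SRC0", ONE_WAY_SRC0),
               ("DST0", DST0), ("NON_FIRST_FRAG", NON_FIRST_FRAG)]
    for name, pkt in samples:
        print(f"{name:15s} naive_ports={naive_ports(pkt)!s:14s} classify={classify(pkt)}")
```

Run as a script, the table shows the naive reader reporting `(0, 0)` for the non-first fragment while `classify` refuses to judge it, and it keeps the one-way sender's source-port-0 datagram in its own bucket so an operator can decide whether to drop it rather than having it silently lumped together with destination-port-0 traffic.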