DDoS using port 0 and 53 (DNS)

Dobbins, Roland rdobbins at arbor.net
Wed Jul 25 06:49:40 UTC 2012


On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:

> The packet is a non-initial fragment if and only if the fragmentation offset is not set to zero. Port number's not a field you look at for that.

I understand all that, thanks.

NetFlow reports source/dest port 0 for non-initial fragments.  That, coupled with the description of the attack, makes it a near-certainty that the observed attack was a DNS reflection/amplification attack.

Furthermore, most routers can't perform the type of filtering necessary to check deeply into the packet header in order to determine if a given packet is a well-formed non-initial fragment or not.

And finally, many router implementations interpret source/dest port 0 as - yes, you guessed it - non-initial fragments.  Hence, it's not a good idea to filter on source/dest port 0.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
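The behaviour Roland describes (a flow exporter recording port 0 for non-initial fragments, and a port-0 ACL therefore matching every trailing fragment of a large DNS reply) is easy to reproduce on constructed packets. The following is an added example for this thread, not code from the original post or from any vendor's NetFlow implementation: it builds a UDP datagram from port 53, fragments it the way RFC 791 prescribes (offset in 8-octet units), then derives the kind of record a flow exporter would emit and shows which records a naive port-0 filter would drop. Addresses, the 3000-byte reply body and the `dns_reflection_suspects` heuristic are all constructed/hypothetical.

```python
import struct

UDP = 17

def ipv4_packet(src, dst, proto, payload, ident, frag_offset_units, more_fragments):
    """Minimal 20-byte IPv4 header + payload (checksum left zero; constructed sample).
    frag_offset_units is the fragment offset in 8-octet units, as carried on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload

def udp_datagram(sport, dport, data):
    """UDP header (checksum zero) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def fragment(src, dst, datagram, ident, mtu=1500):
    """Split an L4 datagram into IPv4 fragments: every fragment payload except the last
    is a multiple of 8 bytes, and only the first one carries the UDP header."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(datagram), chunk):
        piece = datagram[off:off + chunk]
        more = off + chunk < len(datagram)
        frags.append(ipv4_packet(src, dst, UDP, piece, ident, off // 8, more))
    return frags

def flow_record(packet):
    """Mimic what a flow exporter sees. The fragment offset (not the port) decides whether
    the packet is a non-initial fragment; ports are only readable in the initial one,
    so non-initial fragments are recorded with source/destination port 0."""
    (ver_ihl, _, total_len, ident, flags_frag, _ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    non_initial = frag_offset != 0
    sport = dport = 0
    if not non_initial and proto == UDP and len(packet) >= ihl + 8:
        sport, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": proto, "ident": ident, "bytes": total_len,
        "non_initial_fragment": non_initial,
        "more_fragments": bool((flags_frag >> 13) & 1),
        "sport": sport, "dport": dport,
    }

def port0_acl_drops(record):
    """A 'deny udp any eq 0' style filter, evaluated on exporter-view records:
    it matches every non-initial fragment, not just malformed traffic."""
    return record["sport"] == 0 or record["dport"] == 0

def dns_reflection_suspects(records, min_port0_frags=1):
    """Hypothetical triage heuristic: a source that sends initial fragments from UDP/53
    followed by port-0 non-initial fragments is consistent with large (amplified) DNS
    replies. Returns the matching source addresses, sorted."""
    by_src = {}
    for r in records:
        s = by_src.setdefault(r["src"], {"dns_initial": 0, "port0_frags": 0})
        if r["proto"] == UDP and not r["non_initial_fragment"] and r["sport"] == 53:
            s["dns_initial"] += 1
        elif r["non_initial_fragment"]:
            s["port0_frags"] += 1
    return sorted(src for src, s in by_src.items()
                  if s["dns_initial"] and s["port0_frags"] >= min_port0_frags)

def demo():
    # Constructed sample: a 3000-byte reply from a resolver at 198.51.100.10 to 203.0.113.5.
    reply = udp_datagram(53, 40000, b"A" * 3000)
    frags = fragment("198.51.100.10", "203.0.113.5", reply, ident=0x1234)
    records = [flow_record(p) for p in frags]
    for r in records:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} bytes={r['bytes']} "
              f"non_initial={r['non_initial_fragment']} port0_acl_drops={port0_acl_drops(r)}")
    print("suspects:", dns_reflection_suspects(records))
    return records

if __name__ == "__main__":
    demo()
```

Running `demo()` shows three records for one reply: the first with ports 53/40000, the other two with ports 0/0, and the port-0 filter dropping exactly those two. That is why port 0 in a flow record is evidence of fragmentation rather than of a "port 0" service, and why an ACL keyed on port 0 breaks every legitimate fragmented DNS (or any other UDP) exchange.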