DDoS using port 0 and 53 (DNS)

Mark Andrews marka at isc.org
Wed Jul 25 23:19:41 UTC 2012


In message <CADb+6TD6EMN7i9G99hPrhBh2ck-NwRqUuoQ1ubmnsHYN=iXAkg at mail.gmail.com>, Joel Maslak writes:
> On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff <jtk at cymru.com> wrote:
> 
> > Some UDP applications will use zero as a source port when they do not
> > expect a response, which is how many one-way UDP-based apps operate,
> > though not all.  This behavior is spelled out in the IETF RFC 768:
> 
> That would only be applicable if the box was expecting to receive UDP
> and not send a response.  I'm not sure I can think of anything but
> specialized, vertical applications that would have that behavior with
> port zero (syslog and SNMP traps send without expecting a response,
> but they don't use port zero in any implementation I've seen, and
> neither is generally allowed to be received from the internet at
> large).
> 
> In addition to the fragments, these packets might also be non-TCP/UDP
> (ICMP, GRE, 6to4 and other IP-IP, etc).  If the host doesn't expect to
> receive large UDP packets, you can block UDP fragments.  Note that
> recursive DNS servers would need UDP fragments (well, if you want to
> do large DNS packets - if you set the right options, you can turn that
> off).  But if you aren't generally providing UDP services, blocking
> UDP packets, especially to stop an attack, wouldn't hurt (you can also
> block anything with the MF bit set).  If you block these fragments at
> your provider's router, and it is a DNS amplification attack, your
> problems are probably solved until the hacker figures it out.  Just
> make sure you think of things like recursive DNS and other
> applications that may be using UDP fragments.

Actually *all* IPv6 nodes are supposed to support EDNS so *all* IPv6
hosts should be expecting to receive fragmented UDP for DNS.  Add
to that all hosts that do DNSSEC validation in the stub resolver /
application.  With DANE this will be any host with a web browser.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
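The filtering heuristics discussed in this thread (drop UDP with source port 0, drop UDP fragments and MF-set first fragments) together with Mark's caveat (hosts that validate DNSSEC or speak EDNS legitimately receive fragmented DNS and must be exempted), as an added example that is not part of the list discussion; the packets, addresses and the `fragment_ok` allowlist are constructed for illustration:

```python
import struct

UDP = 17
MF_FLAG = 0x2000        # "more fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units


def build_ipv4(proto, flags_frag, dst, payload):
    """Constructed IPv4 packet (checksum left zero); only the fields the filter reads matter."""
    src = bytes([192, 0, 2, 10])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, src,
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_udp(sport, dport, data=b""):
    """Constructed UDP header (length set, checksum zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt, fragment_ok=frozenset()):
    """Verdict for one raw IPv4 packet using the thread's heuristics:
    drop UDP whose source port is 0, drop UDP fragments (first or later)
    unless the destination is in fragment_ok, i.e. a resolver or validating
    stub that legitimately needs EDNS-sized, fragmented DNS answers."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return "pass"                      # IPv6 is out of scope for this example
    ihl = (ver_ihl & 0x0F) * 4
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != UDP:
        return "pass"                      # ICMP/GRE/IP-in-IP need their own policy
    if flags_frag & OFFSET_MASK:
        # Later fragment: it carries no UDP header, so decide on destination alone.
        return "pass" if dst in fragment_ok else "drop-fragment"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    if sport == 0:
        return "drop-port0"                # sender expects no reply; nothing to amplify into
    if flags_frag & MF_FLAG:
        return "pass" if dst in fragment_ok else "drop-fragment"
    return "pass"
```

Run against a capture or a raw socket, the `fragment_ok` set is where the recursive resolvers and DNSSEC-validating hosts Mark mentions belong; everything else gets the blanket fragment drop Joel describes.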
