DDoS using port 0 and 53 (DNS)

• Previous message (by thread): url category database, flat file lists, or API
• Next message (by thread): DDoS using port 0 and 53 (DNS)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Several times this year our customers have suffered DDoS' ranging from 30
Mbps to over 1 Gbps, sometimes sustained, sometimes in a several minute
spurts.  They are targeted at one IP address, and most times our netflow
tool identifies that a large percentage of the traffic is "port 0".  The one
from today had about 89% port 0 and 11% port 53 (DNS).  If it happens
repeatedly or continuously we just have our upstream provider blackhole the
target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us
that's targeted to tcp or udp port 0 -- is that safe to do?  I found two
NANOG archives that talk about this
http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.h
tml
http://www.gossamer-threads.com/lists/nanog/users/18990
and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't
exam them for more detail, but wondering if there was some collective wisdom
about blocking port 0.

Regards,

Frank

• Previous message (by thread): url category database, flat file lists, or API
• Next message (by thread): DDoS using port 0 and 53 (DNS)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]