DDoS using port 0 and 53 (DNS)
frnkblk at iname.com
Wed Jul 25 03:40:34 UTC 2012
Several times this year our customers have suffered DDoSes ranging from 30
Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute
spurts. They are targeted at one IP address, and most times our netflow
tool identifies that a large percentage of the traffic is "port 0". The one
from today had about 89% port 0 and 11% port 53 (DNS). If it happens
repeatedly or continuously we just have our upstream provider blackhole the
target (victim) IP address.
I've been tempted to ask our upstream provider to block all traffic to us
that's targeted to tcp or udp port 0 -- is that safe to do? I found two
NANOG archives that talk about this
and the first suggests that port zero could really be fragmented packets.
Unfortunately I don't have packet captures of any of the attacks, so I can't
examine them for more detail, but I am wondering if there is some collective wisdom
about blocking port 0.
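An added triage example (not from this post or the thread), run over constructed NetFlow-style records with made-up addresses and byte counts: it reproduces the 89%/11% port view described above and shows why "port 0" in flow data is normally non-initial IP fragments (a fragment after the first carries no UDP/TCP header, so the exporter has no port to report), which is the point the first archive raises and the reason a blanket upstream port-0 filter also catches fragments you did not mean to drop.

```python
from collections import defaultdict

UDP, TCP = 17, 6
VICTIM = "203.0.113.9"  # constructed victim address

# Constructed NetFlow v5-style records: (src, dst, proto, sport, dport, pkts, bytes).
# Non-initial IP fragments have no transport header, so flow exporters record
# them with both ports as 0; that is what a netflow tool shows as "port 0".
FLOWS = [
    ("198.51.100.10", VICTIM, UDP, 53, 3345, 400, 600000),     # first fragments of DNS answers
    ("198.51.100.11", VICTIM, UDP, 53, 3345, 350, 500000),
    ("198.51.100.10", VICTIM, UDP, 0, 0, 3200, 4700000),       # their non-initial fragments
    ("198.51.100.11", VICTIM, UDP, 0, 0, 2900, 4200000),
    ("192.0.2.7", "203.0.113.20", UDP, 0, 0, 12, 17000),       # unrelated fragmented traffic
    ("192.0.2.30", "203.0.113.21", TCP, 44512, 443, 20, 9000),  # ordinary web traffic
]

def classify(flow):
    """Bucket a record the way a flow tool's per-port view would."""
    _, _, _, sport, dport, _, _ = flow
    if sport == 0 and dport == 0:
        return "port0"  # almost certainly non-initial fragments
    if 53 in (sport, dport):
        return "dns"
    return "other"

def port_share(flows, victim):
    """Fraction of bytes sent to `victim` per bucket (the 89% / 11% view)."""
    total = defaultdict(int)
    for f in flows:
        if f[1] == victim:
            total[classify(f)] += f[6]
    grand = sum(total.values())
    return {k: v / grand for k, v in total.items()}

def fragment_correlated_sources(flows, victim):
    """Sources sending both port-53 and port-0/0 flows to `victim`: consistent
    with large, fragmented DNS answers being reflected at the victim."""
    by_src = defaultdict(set)
    for f in flows:
        if f[1] == victim and f[2] == UDP:
            by_src[f[0]].add(classify(f))
    return sorted(s for s, kinds in by_src.items() if {"dns", "port0"} <= kinds)

def collateral_port0(flows, victim):
    """Port-0/0 flows to hosts other than `victim`: traffic a blanket upstream
    port-0 filter would also drop, since it cannot tell fragments apart."""
    return [(f[0], f[1]) for f in flows if classify(f) == "port0" and f[1] != victim]
```

The same bucketing applied to real exports would show whether the port-0 sources match the port-53 sources; a per-victim blackhole or a rate limit on large UDP/53 answers then targets the attack without touching every fragmented packet crossing the link.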