DDoS using port 0 and 53 (DNS)

Joel Maslak jmaslak at antelope.net
Wed Jul 25 14:52:42 UTC 2012


On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff <jtk at cymru.com> wrote:

> Some UDP applications will use zero as a source port when they do not
> expect a response, which is how many one-way UDP-based apps operate,
> though not all.  This behavior is spelled out in the IETF RFC 768:

That would only be applicable if the box was expecting to receive UDP
and not send a response.  I'm not sure I can think of anything but
specialized, vertical applications that would have that behavior with
port zero (syslog and SNMP traps send without expecting a response,
but they don't use port zero in any implementation I've seen, and
neither is generally allowed to be received from the internet at
large).

In addition to the fragments, these packets might also be non-TCP/UDP
(ICMP, GRE, 6to4 and other IP-IP, etc).  If the host doesn't expect to
receive large UDP packets, you can block UDP fragments.  Note that
recursive DNS servers would need UDP fragments (well, if you want to
do large DNS packets - if you set the right options, you can turn that
off).  But if you aren't generally providing UDP services, blocking
UDP packets, especially to stop an attack, wouldn't hurt (you can also
block anything with the MF bit set).  If you block these fragments at
your provider's router, and it is a DNS amplification attack, your
problems are probably solved until the hacker figures it out.  Just
make sure you think of things like recursive DNS and other
applications that may be using UDP fragments.
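As a defender-side illustration of the filtering discussed in this message (added here as an example; not code from the post, from the poster, or from NANOG), the Python below parses hand-constructed raw IPv4 packets and reports which of them a border policy of the kind described would act on: any IP fragment (MF bit set or non-zero fragment offset) is dropped, a UDP packet with source port 0 and any non-TCP/UDP protocol (ICMP, GRE, IP-in-IP, 6to4) are flagged for review. The packet bytes, addresses, sample names and verdict strings are all constructed for this example.

```python
"""
Classify raw IPv4 packets the way a border filter might during a DNS
amplification attack: drop IP fragments, flag UDP source port 0 and
non-TCP/UDP protocols. All sample packets below are constructed by hand.
"""
import struct

PROTO_ICMP, PROTO_IPIP, PROTO_TCP, PROTO_UDP, PROTO_IPV6, PROTO_GRE = 1, 4, 6, 17, 41, 47

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields a filter needs; ports only from the first fragment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) * 4 < 20:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # More Fragments bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "src_port": None,
        "dst_port": None,
    }
    # Only a first fragment (offset 0) carries the transport header, so
    # later fragments cannot be matched on ports at all.
    if info["frag_offset"] == 0 and proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def classify(pkt: bytes) -> str:
    """Return the policy verdict for one packet (verdict strings are constructed)."""
    h = parse_ipv4(pkt)
    if h["mf"] or h["frag_offset"] > 0:
        return "drop:fragment"
    if h["proto"] not in (PROTO_TCP, PROTO_UDP):
        return "flag:non-tcp-udp"
    if h["proto"] == PROTO_UDP and h["src_port"] == 0:
        return "flag:udp-src-port-0"
    return "allow"

def build_ipv4(proto: int, mf: bool = False, frag_offset: int = 0, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left zero) for the constructed samples."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([198, 51, 100, 10]), bytes([192, 0, 2, 53]))
    return hdr + payload

def udp_hdr(sport: int, dport: int) -> bytes:
    """Minimal UDP header: ports, length 8, checksum zero."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed traffic mix: a normal DNS answer, a fragmented large DNS answer
# (first and later fragment), a port-0 UDP packet, a GRE packet and a TCP segment.
SAMPLES = {
    "dns_answer":     build_ipv4(PROTO_UDP, payload=udp_hdr(53, 40000)),
    "first_frag_dns": build_ipv4(PROTO_UDP, mf=True, payload=udp_hdr(53, 40000)),
    "later_frag":     build_ipv4(PROTO_UDP, frag_offset=1480, payload=b"\x00" * 16),
    "udp_port0":      build_ipv4(PROTO_UDP, payload=udp_hdr(0, 40000)),
    "gre":            build_ipv4(PROTO_GRE, payload=b"\x00" * 4),
    "tcp_segment":    build_ipv4(PROTO_TCP, payload=struct.pack("!HH", 40000, 443) + b"\x00" * 16),
}

def classify_all(samples: dict = SAMPLES) -> dict:
    """Run the policy over every sample and return name -> verdict."""
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16s} {verdict}")
```

The later-fragment sample shows why the message's caveat matters: a non-first fragment carries no UDP header, so a filter cannot tell a fragment of a legitimate large DNS response to your recursive resolver from one belonging to an amplification flood; a site that runs a recursive resolver and wants large UDP responses has to exempt that host from the fragment drop or limit the response size it advertises (the EDNS0 buffer size) so answers no longer fragment.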
