DDoS using port 0 and 53 (DNS)
Frank Bulk
frnkblk at iname.com
Wed Jul 25 15:27:55 UTC 2012
Can netflow _properly_ "capture" whether a packet is a fragment or not? If
not, does IPFIX address this?
Frank
-----Original Message-----
From: Jimmy Hess [mailto:mysidia at gmail.com]
Sent: Wednesday, July 25, 2012 12:08 AM
To: Roland Dobbins
Cc: Frank Bulk; nanog at nanog.org
Subject: Re: DDoS using port 0 and 53 (DNS)
On 7/24/12, Roland Dobbins <rdobbins at arbor.net> wrote:
> Frank Bulk <frnkblk at iname.com> wrote:
>>can't examine them for more detail, but wondering if there was some
>>collective wisdom about blocking port 0.
> Yes - don't do it, or you will break the Internet. These are non-initial
Without a packet capture to look at, that's really just a blind assumption.
A port number of a non-initial fragment does not exist at all, because
the Layer 4 info is unavailable in that case. Something _might_ lie
and say the port number is 0, but it should not -- there is no TCP
header with any port numbers; the only fields available to check
against on such packets are Layer 3 fields such as protocol, source,
and destination address.
The port number of the Layer 4 connection cannot be determined without
executing IP fragment reassembly in that case. Routers normally
reassemble fragments they receive, if possible.
An access list statement attempting to match against non-present
Layer 4 information should not work; on a stateful firewall, the
presence of the rule might trigger a fragment reassembly; on a
router, the non-applicable ACL entry referring to a non-existent
port number will generally be ignored.
A full capture should not be necessary.
You determine if a packet is a fragment by examining the MF flag, bit
50, and the fragmentation offset of the IPv4 header, bits 51 through 63.
You only need to look at the first 8 bytes of the IP header. If
the MF bit is set to 0, and the fragmentation offset is also all bits
0, then the packet is not part of a fragment.
The packet is a non-initial fragment if and only if the
fragmentation offset is not set to zero.
Port number's not a field you look at for that.
--
-JH
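As an added illustration (not part of the list thread), the following Python shows the check described above: only the flags/offset word at bytes 6-7 of the IPv4 header decides whether a packet is a fragment, a non-initial fragment carries no Layer 4 header at all, and a tool that reads "ports" from one anyway reports whatever bytes the payload happens to hold (here, 0). The sample packets and the helper names are constructed for this example.

```python
import struct

IP_MF = 0x2000       # "More Fragments" flag in the flags/offset word
IP_DF = 0x4000       # "Don't Fragment" flag
IP_OFFMASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


def classify_ipv4(pkt: bytes):
    """Return (kind, ports) for a raw IPv4 packet.

    kind is 'unfragmented', 'initial-fragment' or 'non-initial-fragment'.
    ports is (src, dst) only when a TCP/UDP header is actually present.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4                    # header length in bytes
    proto = pkt[9]
    flags_off = struct.unpack("!H", pkt[6:8])[0]  # bytes 6-7: flags + offset
    more_frags = bool(flags_off & IP_MF)
    offset = flags_off & IP_OFFMASK
    if offset != 0:
        # Payload is a slice from the middle of the original datagram:
        # no Layer 4 header, hence no port number to match an ACL against.
        return "non-initial-fragment", None
    kind = "initial-fragment" if more_frags else "unfragmented"
    if proto in (6, 17) and len(pkt) >= ihl + 4:   # TCP or UDP present
        return kind, struct.unpack("!HH", pkt[ihl:ihl + 4])
    return kind, None


def naive_ports(pkt: bytes):
    """What a careless exporter does: read 'ports' regardless of fragmentation."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def build_ipv4(flags_off: int, proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_off, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload


# Constructed sample: a large DNS answer (UDP 53 -> 40000) split in two.
UDP_HDR = struct.pack("!HHHH", 53, 40000, 1500, 0)
DNS_FIRST = build_ipv4(IP_MF, 17, UDP_HDR + b"\xab" * 8)      # offset 0, MF set
DNS_REST = build_ipv4(0x00B9, 17, b"\x00" * 16)               # offset 185*8 bytes
DNS_SMALL = build_ipv4(IP_DF, 17, UDP_HDR + b"\x00" * 8)       # never fragmented

if __name__ == "__main__":
    for name, p in (("first", DNS_FIRST), ("rest", DNS_REST), ("small", DNS_SMALL)):
        print(name, classify_ipv4(p), "naive:", naive_ports(p))
```

Dropping DNS_REST on a "port 0" rule would discard the tail of every fragmented datagram while leaving the initial fragment, which is exactly the breakage warned about in the thread.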