DDoS using port 0 and 53 (DNS)

Frank Bulk frnkblk at iname.com
Wed Jul 25 15:27:55 UTC 2012


Can netflow _properly_ "capture" whether a packet is a fragment or not?  If
not, does IPFIX address this?

Frank

-----Original Message-----
From: Jimmy Hess [mailto:mysidia at gmail.com] 
Sent: Wednesday, July 25, 2012 12:08 AM
To: Roland Dobbins
Cc: Frank Bulk; nanog at nanog.org
Subject: Re: DDoS using port 0 and 53 (DNS)

On 7/24/12, Roland Dobbins <rdobbins at arbor.net> wrote:
> Frank Bulk <frnkblk at iname.com> wrote:
>>can't examine them for more detail, but wondering if there was some
>>collective wisdom about blocking port 0.
> Yes - don't do it, or you will break the Internet. These are non-initial

Without a packet capture to look at, that's really just a blind assumption.

A port number of a non-initial fragment does not exist at all, because
the Layer 4 info is unavailable in that case, something _might_ lie
and say the port number is 0, but it should not -- there is no TCP
header with any port numbers, the only fields available to check
against on such packets are Layer 3 fields such as protocol, source,
destination address.

The port number of the Layer 4 connection cannot be determined without
executing IP fragment reassembly in that case. Routers normally
reassemble fragments they receive, if possible.

An access list statement attempting to match against non-present
Layer 4 information, should not work; on a stateful firewall, the
presence of the rule might trigger a fragment reassembly, on a
router, the non-applicable ACL entry referring to a non-existent
port number will generally be ignored.

A full capture should not be necessary.

You determine if a packet is a fragment by examining the MF flag, bit
50, and fragmentation offset of the IPv4 header; bits 51 through 63.
You only need to look at the first 8 bytes of the IP header. If
the MF bit is set to 0, and the fragmentation offset is also all bits
0, then the packet is not part of a fragment.

The packet is a non-initial fragment if and only if, the
fragmentation offset is not set to zero.
Port number's not a field you look at for that.

--
-JH
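
The fragment test described in the message above, as an added example that is not part of the original thread: it reads the MF bit and fragment offset from bytes 6-7 of the IPv4 header and returns port numbers only when a layer 4 header is actually present. The function names, sample packets and addresses are constructed for illustration.

```python
import struct

MF = 0x2000           # bit 50 of the IPv4 header: More Fragments
OFFSET_MASK = 0x1FFF  # bits 51-63: fragment offset, in 8-byte units

def classify(packet: bytes) -> dict:
    """Report fragment state and, only when present, the layer 4 ports."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    (flags_off,) = struct.unpack("!H", packet[6:8])
    more = bool(flags_off & MF)
    offset = (flags_off & OFFSET_MASK) * 8
    if offset:
        kind = "non-initial fragment"
    elif more:
        kind = "initial fragment"
    else:
        kind = "not a fragment"
    ports = None
    # TCP (6) and UDP (17) ports exist only where the layer 4 header starts.
    if offset == 0 and packet[9] in (6, 17) and len(packet) >= ihl + 4:
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"kind": kind, "offset": offset, "more": more, "ports": ports}

def build(flags_off: int, proto: int, payload: bytes) -> bytes:
    """Constructed test packet; documentation addresses, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_off, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

# Constructed samples: one whole UDP datagram, then a 3008-byte one in 3 pieces.
SAMPLES = {
    "whole": build(0, 17, struct.pack("!HHHH", 53, 40000, 40, 0) + b"x" * 32),
    "first": build(MF, 17, struct.pack("!HHHH", 53, 40000, 3008, 0) + b"x" * 1472),
    "middle": build(MF | 185, 17, b"y" * 1480),
    "last": build(370, 17, b"z" * 48),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

The "middle" and "last" samples carry protocol 17 but yield no ports, which is the case a flow exporter may report as port 0.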