DDoS using port 0 and 53 (DNS)

Dobbins, Roland rdobbins at arbor.net
Wed Jul 25 16:41:27 UTC 2012


On Jul 25, 2012, at 10:27 PM, Frank Bulk wrote:

> Can netflow _properly_ "capture" whether a packet is a fragment or not?

No.

>  If not, does IPFIX address this?

Yes.

But this is all a distraction.  We are now down in the weeds.

Your customers were victims of a DNS reflection/amplification attack.  The issue of fragmentation is moot.  The defense methodologies already discussed are how folks typically deal with these attacks.  There isn't an overarching network access policy list you can apply at your edges or ask your peers/upstreams to apply which will mask them - the optimal approach is to deal with them on a case-by-case basis.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

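An added example (not part of the post above, nor anything from Arbor or NANOG) illustrating the two technical points in it: NetFlow carries no fragment flag, so non-initial fragments of large DNS responses surface only as UDP flows with both ports 0, and triage of a reflection/amplification attack is done per victim destination rather than by an edge-wide policy. The record field names, thresholds and sample flows below are constructed for the example and are assumptions, not an exporter's real schema.

```python
"""Per-destination triage of DNS reflection/amplification from flow records.

Assumptions (hypothetical, chosen for this example): each flow record is a dict
with src, dst, proto, sport, dport, packets and bytes; the exporter reports
non-initial fragments with sport == dport == 0 because no L4 header is present.
"""
from collections import defaultdict

UDP = 17
DNS_PORT = 53

# Constructed sample records, not captured traffic.  The first four model an
# amplification attack on 192.0.2.10 (large responses plus their fragment
# tails); the last two model ordinary resolver traffic for 192.0.2.20.
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": UDP, "sport": 53, "dport": 4444,
     "packets": 1000, "bytes": 1_400_000},
    {"src": "198.51.100.6", "dst": "192.0.2.10", "proto": UDP, "sport": 53, "dport": 4444,
     "packets": 800, "bytes": 1_100_000},
    # non-initial fragments: NetFlow cannot mark them as fragments, only ports 0/0
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": UDP, "sport": 0, "dport": 0,
     "packets": 1000, "bytes": 1_300_000},
    {"src": "198.51.100.6", "dst": "192.0.2.10", "proto": UDP, "sport": 0, "dport": 0,
     "packets": 800, "bytes": 1_000_000},
    {"src": "203.0.113.9", "dst": "192.0.2.20", "proto": UDP, "sport": 53, "dport": 51000,
     "packets": 40, "bytes": 6_000},
    {"src": "192.0.2.20", "dst": "203.0.113.9", "proto": UDP, "sport": 51000, "dport": 53,
     "packets": 40, "bytes": 3_000},
]


def triage_dns_reflection(flows, min_bytes=1_000_000, min_avg_pkt=600):
    """Return {victim_dst: summary} for destinations receiving heavy, large-packet
    UDP traffic sourced from port 53, counting port-0/0 UDP flows toward the same
    destination as probable fragment tails of those responses.

    Thresholds are illustrative assumptions; tune them to the link in question.
    """
    per_dst = defaultdict(lambda: {"dns_bytes": 0, "dns_pkts": 0,
                                   "frag_bytes": 0, "frag_pkts": 0,
                                   "sources": set()})
    for f in flows:
        if f["proto"] != UDP:
            continue
        s = per_dst[f["dst"]]
        if f["sport"] == DNS_PORT:
            s["dns_bytes"] += f["bytes"]
            s["dns_pkts"] += f["packets"]
            s["sources"].add(f["src"])
        elif f["sport"] == 0 and f["dport"] == 0:
            # inferred fragment residue; NetFlow gives no explicit fragment bit
            s["frag_bytes"] += f["bytes"]
            s["frag_pkts"] += f["packets"]

    victims = {}
    for dst, s in per_dst.items():
        total_bytes = s["dns_bytes"] + s["frag_bytes"]
        total_pkts = s["dns_pkts"] + s["frag_pkts"]
        avg_pkt = total_bytes / total_pkts if total_pkts else 0
        # require both volume and the large average packet size typical of
        # amplified responses, so ordinary resolver chatter is not flagged
        if total_bytes >= min_bytes and avg_pkt >= min_avg_pkt:
            victims[dst] = {
                "bytes": total_bytes,
                "avg_packet": round(avg_pkt),
                "reflectors": sorted(s["sources"]),
            }
    return victims


if __name__ == "__main__":
    for dst, info in triage_dns_reflection(SAMPLE_FLOWS).items():
        print(dst, info)
```

The output is keyed by victim destination and lists the reflectors seen, which is the scope a case-by-case response works at; nothing in it generalizes to a single edge-wide policy, which is the post's point. If the exporter speaks IPFIX with a fragment-related information element, that field can replace the port-0/0 inference.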