DDoS using port 0 and 53 (DNS)

Drew Weaver drew.weaver at thenap.com
Wed Jul 25 17:13:52 CDT 2012


Another nice "emerging" tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec, using flowspec you can instruct your Upstream to block traffic with much more granular characteristics.

Instead of dropping all traffic to the IP address, you can drop (for example) udp dst 80 traffic to the IP address, or traffic from a particular source to a particular DST.

It can also be initiated by your side without interaction from the upstream ISP.

Just saying =)

-Drew

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com] 
Sent: Tuesday, July 24, 2012 11:41 PM
To: nanog at nanog.org
Subject: DDoS using port 0 and 53 (DNS)

Several times this year our customers have suffered DDoS' ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in a several minute spurts.  They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0".  The one from today had about 89% port 0 and 11% port 53 (DNS).  If it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us that's targeted to tcp or udp port 0 -- is that safe to do?  I found two NANOG archives that talk about this http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.h
tml
http://www.gossamer-threads.com/lists/nanog/users/18990
and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't exam them for more detail, but wondering if there was some collective wisdom about blocking port 0.

Regards,

Frank





More information about the NANOG mailing list