nanog mailing list archives
Re: DDoS using port 0 and 53 (DNS)
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 24 Jul 2012 23:10:52 -0500
On 7/24/12, Frank Bulk <frnkblk () iname com> wrote:
> Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.

It should be relatively safe to drop (non-fragment) packets to/from port 0.

If I recall correctly, there are some routers that perform a "helpful" numeric value validation when the human is entering port numbers for access list rules, that _do_ forward port 0 traffic, and through some sort of oversight by the router/firewall vendor actually _prevent_ the administrator from selecting port 0 in a deny rule, e.g. "Port to deny must be a number from 1 to 65535".

TCP/UDP port 0 is technically a legal port, but it's also a reserved port, and very unusual for it to be used on the network for any legitimate purpose. Various firewalls will discard anything TCP/UDP sent to/from port 0. Many TCP/UDP sockets implementations won't even let an application select port 0. bind() to port 0 is treated as a signal that the application wants the sockets API to pick a high-numbered ephemeral port.

> Regards, Frank
-- -JH
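The two behaviours the reply relies on can be checked locally. The example below is added here and is not code from the thread or from any router vendor: it (1) shows that bind() to port 0 makes the sockets API pick an ephemeral port rather than port 0 itself, and (2) implements the "(non-fragment)" part of the filter rule as a small IPv4 header parser, so that a port-0 match is only attempted on the first fragment, where the TCP/UDP header actually lives. All packets are constructed inline with TEST-NET addresses, zero checksums and truncated transport headers; only the port fields matter for the check.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst


def ephemeral_port_via_bind_zero():
    """bind() to port 0 on loopback and return the port the kernel actually assigned.

    Returns None if the sandbox forbids socket creation; otherwise a non-zero port.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("127.0.0.1", 0))
            return s.getsockname()[1]
    except OSError:
        return None


def build_ipv4_packet(proto, src_port=0, dst_port=0, payload=b"",
                      frag_offset=0, more_fragments=False):
    """Construct a minimal IPv4 packet (sample data for this example only).

    frag_offset is in 8-byte units as on the wire. A first/only fragment carries
    a transport header whose first four bytes are the ports; a non-initial
    fragment carries payload bytes only, with no transport header at all.
    """
    if frag_offset == 0:
        hdr_rest = 4 if proto == IPPROTO_UDP else 16  # pad to 8-byte UDP / 20-byte TCP header
        l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * hdr_rest
    else:
        l4 = b""
    body = l4 + payload
    flags_frag = ((1 << 13) if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(body), 0x1234, flags_frag,
                         64, proto, 0,
                         socket.inet_aton("192.0.2.10"),   # constructed TEST-NET source
                         socket.inet_aton("192.0.2.53"))   # constructed TEST-NET destination
    return header + body


def should_drop_port0(packet):
    """Return True if this is a non-fragment TCP/UDP packet to or from port 0.

    Non-initial fragments are never matched: the bytes after the IP header are
    payload, so treating them as ports would drop (or pass) traffic at random.
    """
    if len(packet) < 20:
        return False
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        return False
    ihl = (ver_ihl & 0x0F) * 4
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False
    if flags_frag & 0x1FFF:          # fragment offset != 0: no transport header here
        return False
    l4 = packet[ihl:ihl + 4]
    if len(l4) < 4:
        return False
    sport, dport = struct.unpack("!HH", l4)
    return sport == 0 or dport == 0


if __name__ == "__main__":
    print("bind(port 0) gave ephemeral port:", ephemeral_port_via_bind_zero())
    samples = {
        "udp 12345->53":            build_ipv4_packet(IPPROTO_UDP, 12345, 53),
        "udp 0->53":                build_ipv4_packet(IPPROTO_UDP, 0, 53),
        "tcp 53->0":                build_ipv4_packet(IPPROTO_TCP, 53, 0),
        "udp 0->53 first fragment": build_ipv4_packet(IPPROTO_UDP, 0, 53, more_fragments=True),
        "udp non-initial fragment": build_ipv4_packet(IPPROTO_UDP, payload=b"\x00\x00\x00\x35",
                                                      frag_offset=185),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} drop={should_drop_port0(pkt)}")
```

The non-initial fragment sample deliberately starts with the bytes `00 00 00 35` (which would read as ports 0 and 53 if parsed as a header) to show why the filter must consult the fragment offset before looking at port fields; a reassembling firewall can apply the port-0 rule to the whole datagram instead, which is the stricter option where it is available.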