nanog mailing list archives
RE: DDoS using port 0 and 53 (DNS)
From: "Frank Bulk" <frnkblk () iname com>
Date: Tue, 24 Jul 2012 23:50:06 -0500
Thanks for confirming what was discussed in the NANOG archive. I now have warm fuzzies knowing that all my protections are reactive. =) I will be talking with our upstream provider to see if they can enable some better automation (because they run a larger shop). I know they were able to null-route in seconds; we just need a faster way to identify targets.

Frank

-----Original Message-----
From: Roland Dobbins [mailto:rdobbins () arbor net]
Sent: Tuesday, July 24, 2012 11:06 PM
To: Frank Bulk; nanog () nanog org
Subject: Re: DDoS using port 0 and 53 (DNS)

Frank Bulk <frnkblk () iname com> wrote:
Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but I am wondering if there is some collective wisdom about blocking port 0.
Yes - don't do it, or you will break the Internet. These are non-initial fragments. You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur. Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers. ;>

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
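The two points in the exchange above (why the attack traffic is exported as "port 0", and why a blanket port-0 filter is the wrong fix) can be shown end to end with a small simulation. This is an added example, not code from either poster: it builds fragmented UDP datagrams the way RFC 791 describes, runs them through a flow-exporter view in which only the initial fragment exposes the UDP ports, then picks null-route candidates from the flow table the way an operator would before handing /32s to S/RTBH or flowspec. All addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the traffic is constructed in build_sample_traffic(), and the thresholds in reflection_targets() are illustrative assumptions, not values from the thread.

```python
"""Why DNS reflection/amplification traffic shows up as "port 0" in flow data,
and how to pick null-route targets without filtering every non-initial fragment.

Added illustration for the thread; not code from the NANOG posters. Addresses
are documentation ranges and every packet is constructed in build_sample_traffic().
"""
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

IPPROTO_UDP = 17
MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 16-bit-aligned header; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src, dst, data_len, ident, more, offset):
    """Minimal 20-byte IPv4 header. offset is in bytes and must be a multiple of 8."""
    flags_frag = (MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident, flags_frag,
                      64, IPPROTO_UDP, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def fragment_udp(src, dst, sport, dport, payload, ident, mtu=1500):
    """A UDP datagram split into IPv4 fragments. Only the first fragment carries
    the 8-byte UDP header; the rest are bare payload with a non-zero offset."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    chunk = (mtu - 20) // 8 * 8  # fragment data length must be a multiple of 8
    return [ip_header(src, dst, len(udp[o:o + chunk]), ident, o + chunk < len(udp), o)
            + udp[o:o + chunk] for o in range(0, len(udp), chunk)]


def flow_key(pkt):
    """What a NetFlow/IPFIX exporter can record for one packet. Ports are only
    readable when the transport header is present (fragment offset 0); every
    non-initial fragment is exported as src/dst port 0. That is the "port 0"
    traffic in the thread, not a separate attack vector."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    sport = dport = 0
    if proto == IPPROTO_UDP and offset == 0:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (inet_ntoa(src), inet_ntoa(dst), proto, sport, dport), total_len


def aggregate(packets):
    """Flow table: (src, dst, proto, sport, dport) -> [packets, bytes]."""
    flows = defaultdict(lambda: [0, 0])
    for pkt in packets:
        key, length = flow_key(pkt)
        flows[key][0] += 1
        flows[key][1] += length
    return flows


def reflection_targets(flows, min_bytes=1_000_000, min_sources=10):
    """Destinations receiving UDP/53 responses plus port-0 fragments from many
    distinct sources: the /32s to hand to S/RTBH or flowspec. Thresholds are
    illustrative assumptions."""
    per_dst = defaultdict(lambda: [0, set()])
    for (src, dst, proto, sport, dport), (_, nbytes) in flows.items():
        if proto == IPPROTO_UDP and (sport == 53 or (sport == 0 and dport == 0)):
            per_dst[dst][0] += nbytes
            per_dst[dst][1].add(src)
    return sorted(d for d, (b, srcs) in per_dst.items()
                  if b >= min_bytes and len(srcs) >= min_sources)


def port0_collateral(flows):
    """Every destination a blanket 'drop UDP port 0' filter would hit. Any
    fragmented UDP traffic matches, which is why the thread says not to do it."""
    return sorted({dst for (_, dst, proto, sport, dport) in flows
                   if proto == IPPROTO_UDP and sport == 0 and dport == 0})


def build_sample_traffic():
    """Constructed traffic: 50 open resolvers each return 20 large (3000-byte)
    DNS answers to the victim, while an unrelated customer receives a
    legitimate fragmented UDP flow (e.g. NFS) and one ordinary DNS reply."""
    pkts = []
    for i in range(50):
        for n in range(20):
            pkts += fragment_udp("198.51.100.%d" % (i + 1), "192.0.2.10", 53,
                                 40000 + n, b"\x00" * 3000, ident=n)
    for n in range(5):
        pkts += fragment_udp("203.0.113.5", "192.0.2.20", 2049, 1023,
                             b"\x00" * 4000, ident=n)
    pkts += fragment_udp("203.0.113.53", "192.0.2.20", 53, 51000, b"\x00" * 100, ident=9)
    return pkts


if __name__ == "__main__":
    flows = aggregate(build_sample_traffic())
    print("null-route candidates:", reflection_targets(flows))  # ['192.0.2.10']
    print("hit by a port-0 filter:", port0_collateral(flows))   # ['192.0.2.10', '192.0.2.20']
```

The victim is the only destination that crosses the byte and distinct-source thresholds, so it is the one /32 worth announcing; the port-0 filter, by contrast, matches the customer's legitimate fragmented flow as well, which is the collateral damage the reply warns about. In production the flow table would come from the exporter rather than from constructed packets, and the thresholds would be tuned against the link's normal baseline.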
Current thread:
- DDoS using port 0 and 53 (DNS) Frank Bulk (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) Roland Dobbins (Jul 24)
- RE: DDoS using port 0 and 53 (DNS) Frank Bulk (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) Jimmy Hess (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) sthaug (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 24)
- RE: DDoS using port 0 and 53 (DNS) Frank Bulk (Jul 25)
- Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 25)
- Re: DDoS using port 0 and 53 (DNS) Roland Dobbins (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) John Kristoff (Jul 25)
- Re: DDoS using port 0 and 53 (DNS) Joel Maslak (Jul 25)
- Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 25)