nanog mailing list archives

Re: DDoS using port 0 and 53 (DNS)


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 25 Jul 2012 06:49:40 +0000


On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:

> The packet is a non-initial fragment if and only if the fragmentation offset is not set to zero. Port number's
> not a field you look at for that.

I understand all that, thanks.

NetFlow reports source/dest port 0 for non-initial fragments.  That, coupled with the description of the attack, makes 
it a near-certainty that the observed attack was a DNS reflection/amplification attack.

Furthermore, most routers can't perform the type of filtering necessary to check deeply into the packet header in order 
to determine if a given packet is a well-formed non-initial fragment or not. 

And finally, many router implementations interpret source/dest port 0 as - yes, you guessed it - non-initial fragments. Hence, it's not a good idea to filter on source/dest port 0.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
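The distinction this reply turns on (a non-initial fragment is identified by a non-zero fragment offset, while the port-0 value in a flow record is only a reporting artifact) is easy to show with a small parser. The following is an added example, not code from the thread or from Arbor/NANOG: it builds three constructed IPv4/UDP packets (the first fragment of a large DNS response, its non-initial fragment, and an unfragmented packet that genuinely carries port 0), decodes the fragment offset from the IPv4 header, emulates the NetFlow export behaviour described above (ports exported as 0 for non-initial fragments; this emulation is an assumption based on the message, not a reference implementation), and shows that a filter keyed on port 0 in flow records would hit the legitimate fragment, whereas a header-level check separates the two cases. Addresses are documentation ranges and checksums are left at zero, since the packets are never sent.

```python
import struct

IPPROTO_UDP = 17
MORE_FRAGMENTS = 0x2000   # IPv4 "MF" flag bit in the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False, ident=0x1234):
    """Build a minimal IPv4 header (no options, checksum 0) followed by payload. Constructed sample only."""
    flags_frag = (MORE_FRAGMENTS if more_fragments else 0) | (frag_offset & FRAG_OFFSET_MASK)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def build_udp(sport, dport, data):
    """Minimal UDP header (checksum 0) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Decode the fields that matter here: protocol, fragment offset, MF flag, and L4 ports if present."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "proto": proto,
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "more_fragments": bool(flags_frag & MORE_FRAGMENTS),
        "sport": None,
        "dport": None,
    }
    # The UDP/TCP header travels only in the first fragment (offset 0); later
    # fragments carry raw payload, so there are no ports to read.
    if info["frag_offset"] == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def flow_record_ports(pkt):
    """Emulate the NetFlow behaviour described in the thread (assumption): non-initial
    fragments are exported with source and destination port 0."""
    info = parse_ipv4(pkt)
    if info["frag_offset"] != 0:
        return (0, 0)
    return (info["sport"] or 0, info["dport"] or 0)


def would_port0_filter_hit(pkt):
    """True if a filter keyed on src/dst port 0 in flow records would match this packet."""
    sport, dport = flow_record_ports(pkt)
    return sport == 0 or dport == 0


def classify(pkt):
    """Header-level classification that does not rely on the exported port value."""
    info = parse_ipv4(pkt)
    if info["frag_offset"] != 0:
        return "non-initial-fragment"
    if info["sport"] == 0 or info["dport"] == 0:
        return "true-port-0"
    return "initial-or-unfragmented"


# Constructed samples: a 1008-byte UDP segment from port 53 split into two fragments
# (1008 is a multiple of 8, so the second fragment's offset is 1008 / 8 = 126),
# plus an unfragmented packet that really does use port 0 on both ends.
SRC, DST = "198.51.100.53", "203.0.113.9"
DNS_FIRST = build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(53, 40000, b"A" * 1000), frag_offset=0, more_fragments=True)
DNS_REST = build_ipv4(SRC, DST, IPPROTO_UDP, b"B" * 500, frag_offset=126, more_fragments=False)
PORT0 = build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(0, 0, b"x"))

SAMPLES = {"dns_first_fragment": DNS_FIRST, "dns_non_initial_fragment": DNS_REST, "real_port_0": PORT0}


def summarize(samples=SAMPLES):
    """Return, per sample, what a flow record shows versus what the header says."""
    return {
        name: {
            "flow_ports": flow_record_ports(pkt),
            "port0_filter_hits": would_port0_filter_hit(pkt),
            "header_class": classify(pkt),
        }
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:26s} flow_ports={result['flow_ports']!s:14s} "
              f"port0_filter={result['port0_filter_hits']!s:5s} header={result['header_class']}")
```

Running the block prints one line per sample; the non-initial DNS fragment and the genuine port-0 packet both show `flow_ports=(0, 0)` and would both be caught by a port-0 filter, while `classify()` keeps them apart because it reads the fragment offset instead of the exported port. That is the practical reason the reply advises against filtering on port 0: from flow data alone the two cases are indistinguishable, and dropping them both discards the tail of every fragmented response, large DNS answers included.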
