nanog mailing list archives

Re: DDoS using port 0 and 53 (DNS)

From: John Kristoff <jtk () cymru com>
Date: Wed, 25 Jul 2012 09:43:43 -0500

On Tue, 24 Jul 2012 23:10:52 -0500
Jimmy Hess <mysidia () gmail com> wrote:

It should be relatively safe to drop  (non-fragment)  packets to/from
port 0.

[...]

Some UDP applications will use zero as a source port when they do not
expect a response, which is how many one-way UDP-based apps operate,
though not all.  This behavior is spelled out in the IETF RFC 768:

  "Source Port is an optional field, when meaningful, it indicates the
  port of the sending  process,  and may be assumed  to be the port to
  which a reply should  be addressed  in the absence of any other
  information.  If not used, a value of zero is inserted."

John

Current thread:

DDoS using port 0 and 53 (DNS) Frank Bulk (Jul 24)
- Re: DDoS using port 0 and 53 (DNS) Roland Dobbins (Jul 24)
  - RE: DDoS using port 0 and 53 (DNS) Frank Bulk (Jul 24)
  - Re: DDoS using port 0 and 53 (DNS) Jimmy Hess (Jul 24)
    - Re: DDoS using port 0 and 53 (DNS) sthaug (Jul 24)
    - Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 24)
    - Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 24)
    - RE: DDoS using port 0 and 53 (DNS) Frank Bulk (Jul 25)
    - Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 25)
- Re: DDoS using port 0 and 53 (DNS) Jimmy Hess (Jul 24)
  - Re: DDoS using port 0 and 53 (DNS) John Kristoff (Jul 25)
    - Re: DDoS using port 0 and 53 (DNS) Joel Maslak (Jul 25)
    - Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 25)
    - Re: DDoS using port 0 and 53 (DNS) Mark Andrews (Jul 25)
- RE: DDoS using port 0 and 53 (DNS) Drew Weaver (Jul 25)
  - Re: DDoS using port 0 and 53 (DNS) Dobbins, Roland (Jul 25)