nanog mailing list archives

RE: DDoS using port 0 and 53 (DNS)


From: Drew Weaver <drew.weaver () thenap com>
Date: Wed, 25 Jul 2012 18:13:52 -0400

Another nice "emerging" tool [I say emerging because it's been around forever but nobody implements it] to deal with 
this is Flowspec. Using Flowspec you can instruct your upstream to block traffic with much more granular 
characteristics.

Instead of dropping all traffic to the IP address, you can drop (for example) udp dst 80 traffic to the IP address, or 
traffic from a particular source to a particular DST.

It can also be initiated by your side without interaction from the upstream ISP.

Just saying =)

-Drew

-----Original Message-----
From: Frank Bulk [mailto:frnkblk () iname com] 
Sent: Tuesday, July 24, 2012 11:41 PM
To: nanog () nanog org
Subject: DDoS using port 0 and 53 (DNS)

Several times this year our customers have suffered DDoSes ranging from 30 Mbps to over 1 Gbps, sometimes sustained, 
sometimes in several-minute spurts.  They are targeted at one IP address, and most times our netflow tool identifies 
that a large percentage of the traffic is "port 0".  The one from today had about 89% port 0 and 11% port 53 (DNS).  If 
it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us that's targeted to tcp or udp port 0 -- is 
that safe to do?  I found two NANOG archives that talk about this 
http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.html
http://www.gossamer-threads.com/lists/nanog/users/18990
and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but I was 
wondering if there was some collective wisdom about blocking port 0.

Regards,

Frank
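Added example, not code from either poster: the Flowspec rules Drew describes are carried in BGP as RFC 5575 NLRI, and "initiated by your side" means your own BGP speaker originates that NLRI. The block below builds the NLRI bytes for "drop UDP dst port 80 to the victim host" and "drop one source to one destination", plus the traffic-rate extended community (rate 0) that tells the upstream to discard, and decodes them back. Addresses are RFC 5737 documentation space chosen for illustration; only prefix and single-value numeric components are implemented.

```python
"""
RFC 5575 (BGP Flow Specification) IPv4 NLRI encoder/decoder.
Added example for this thread, not code from any of the posters.
Addresses are RFC 5737 documentation space, chosen here for illustration.
Only the prefix and single-value numeric components are implemented.
"""
import ipaddress
import struct

# Component type codes, RFC 5575 section 4
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
UDP, TCP = 17, 6

# Numeric operator byte: e(0x80) a(0x40) len(0x30) 0(0x08) lt(0x04) gt(0x02) eq(0x01)
OP_END, OP_EQ = 0x80, 0x01

def _prefix_component(comp_type, cidr):
    """Type, prefix length, then only the significant prefix bytes."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]

def _numeric_eq_component(comp_type, value):
    """One '= value' term that also ends the list (e bit set)."""
    if value < 0x100:
        return bytes([comp_type, OP_END | OP_EQ, value])                     # len 00 -> 1 byte
    return bytes([comp_type, OP_END | 0x10 | OP_EQ]) + struct.pack("!H", value)  # len 01 -> 2 bytes

def encode_nlri(dst=None, src=None, proto=None, dst_port=None, src_port=None):
    """Wire NLRI: one length byte (<240) then components in ascending type order."""
    body = b""
    if dst is not None:
        body += _prefix_component(DST_PREFIX, dst)
    if src is not None:
        body += _prefix_component(SRC_PREFIX, src)
    if proto is not None:
        body += _numeric_eq_component(IP_PROTO, proto)
    if dst_port is not None:
        body += _numeric_eq_component(DST_PORT, dst_port)
    if src_port is not None:
        body += _numeric_eq_component(SRC_PORT, src_port)
    if len(body) >= 240:
        raise ValueError("NLRI of 240+ bytes needs the 2-byte length form")
    return bytes([len(body)]) + body

def traffic_rate_community(rate_bytes_per_sec=0.0, asn=0):
    """Extended community 0x8006 (traffic-rate): 2-byte AS, 4-byte float; 0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)

NAMES = {DST_PREFIX: "dst", SRC_PREFIX: "src", IP_PROTO: "proto",
         PORT: "port", DST_PORT: "dst_port", SRC_PORT: "src_port"}

def decode_nlri(data):
    """Invert encode_nlri; roughly what the upstream's router has to parse."""
    length, pos = data[0], 1
    if length != len(data) - 1:
        raise ValueError("length byte does not match NLRI size")
    out = {}
    while pos < len(data):
        comp_type = data[pos]; pos += 1
        if comp_type in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]; pos += 1
            nbytes = (plen + 7) // 8
            addr = data[pos:pos + nbytes].ljust(4, b"\x00"); pos += nbytes
            out[NAMES[comp_type]] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        elif comp_type in (IP_PROTO, PORT, DST_PORT, SRC_PORT):
            op = data[pos]; pos += 1
            vlen = 1 << ((op >> 4) & 0x3)
            if not (op & OP_END) or (op & 0x07) != OP_EQ:
                raise ValueError("only single '= value' terms are handled here")
            out[NAMES[comp_type]] = int.from_bytes(data[pos:pos + vlen], "big"); pos += vlen
        else:
            raise ValueError(f"unhandled component type {comp_type}")
    return out

if __name__ == "__main__":
    rule = encode_nlri(dst="198.51.100.10/32", proto=UDP, dst_port=80)
    print(rule.hex(), decode_nlri(rule), traffic_rate_community(0).hex())
```

The NLRI is only the match; the action rides in the extended community, and the upstream's router will only install the rule if its session carries the flow address family and, per RFC 5575 validation, the rule's destination prefix is covered by a unicast route you also originate, so you cannot filter someone else's address space this way.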

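Added example, not code from either poster, on the "port 0 could really be fragmented packets" point in the archived thread Frank cites: a non-initial IPv4 fragment carries no UDP/TCP header, so a NetFlow-style exporter that keys on the 5-tuple has no ports to record and writes 0 for both. The block constructs one large UDP reply from a resolver (the shape of an amplified DNS response), fragments it at a 1500-byte MTU, and keys each fragment the way such an exporter would. The exporter logic is a minimal model of the common behaviour, not any vendor's implementation, and the packets and addresses (RFC 5737 space) are constructed here.

```python
"""
Why a flow exporter reports "port 0" for non-initial fragments.
Added example for this thread, not code from any of the posters; packets and
addresses are constructed here and the exporter logic is a minimal model.
"""
import struct

MF_FLAG = 0x2000          # "more fragments" bit in the flags/fragment-offset field
UDP, TCP = 17, 6

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False, ident=0x1234):
    """Minimal IPv4 header (no options, checksum left at 0) in front of payload."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload

def udp_datagram(sport, dport, data):
    """UDP header (checksum left at 0) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def fragment(pkt, mtu=1500):
    """Split one IPv4 packet the way a router on a smaller-MTU link would."""
    ihl = (pkt[0] & 0x0F) * 4
    payload = pkt[ihl:]
    chunk = (mtu - ihl) // 8 * 8                 # fragment offsets are in 8-byte units
    ident = struct.unpack("!H", pkt[4:6])[0]
    src, dst, proto = pkt[12:16], pkt[16:20], pkt[9]
    return [build_ipv4(src, dst, proto, payload[off:off + chunk], frag_offset=off,
                       more_fragments=off + chunk < len(payload), ident=ident)
            for off in range(0, len(payload), chunk)]

def flow_key(pkt):
    """(src, dst, proto, sport, dport, is_non_initial_fragment) as a 5-tuple exporter
    derives it.  Ports come from the transport header only for the first (or only)
    fragment; every later fragment has no such header and is recorded as 0/0."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_offset = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) * 8
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport = dport = 0
    if frag_offset == 0 and proto in (UDP, TCP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, dst, proto, sport, dport, frag_offset != 0)

def port0_byte_fraction(pkts):
    """Share of bytes a 5-tuple collector would attribute to "port 0" traffic."""
    total = sum(len(p) for p in pkts)
    port0 = sum(len(p) for p in pkts if flow_key(p)[3:5] == (0, 0))
    return port0 / total if total else 0.0

# Constructed sample: one 3000-byte UDP reply from a resolver (source port 53) to
# the victim, then fragmented at MTU 1500 into 1500 + 1500 + 60 bytes.
RESOLVER, VICTIM = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 10])
REPLY = build_ipv4(RESOLVER, VICTIM, UDP, udp_datagram(53, 40000, b"\x00" * 2992))
FRAGMENTS = fragment(REPLY)

if __name__ == "__main__":
    for f in FRAGMENTS:
        print(len(f), flow_key(f))
    print(f"port-0 share by bytes: {port0_byte_fraction(FRAGMENTS):.0%}")
```

Only the first fragment shows port 53; the rest show 0/0, and the larger the responses the larger the port-0 share. The practical check is therefore the fragment offset and MF bit in a capture, not the port column, and a filter on "port 0" at the upstream only does what you expect if that platform also treats non-initial fragments as port 0 rather than skipping L4 matching on them.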