nanog mailing list archives
RE: DDoS using port 0 and 53 (DNS)
From: Drew Weaver <drew.weaver () thenap com>
Date: Wed, 25 Jul 2012 18:13:52 -0400
Another nice "emerging" tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec. Using flowspec you can instruct your Upstream to block traffic with much more granular characteristics. Instead of dropping all traffic to the IP address, you can drop (for example) udp dst 80 traffic to the IP address, or traffic from a particular source to a particular DST. It can also be initiated by your side without interaction from the upstream ISP.

Just saying =)

-Drew

-----Original Message-----
From: Frank Bulk [mailto:frnkblk () iname com]
Sent: Tuesday, July 24, 2012 11:41 PM
To: nanog () nanog org
Subject: DDoS using port 0 and 53 (DNS)

Several times this year our customers have suffered DDoS' ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute spurts. They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0". The one from today had about 89% port 0 and 11% port 53 (DNS). If it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us that's targeted to tcp or udp port 0 -- is that safe to do? I found two NANOG archives that talk about this
http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.html
http://www.gossamer-threads.com/lists/nanog/users/18990
and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.

Regards,

Frank
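As an added illustration (not written by either poster), a small Python check for the fragment question raised above: a flow exporter reports both ports as 0 for any non-initial IPv4 fragment, because such a packet carries no transport header at all, so "port 0" in netflow cannot be told apart from genuinely port-0-addressed datagrams without looking at the packets. The packets below are constructed, with addresses from documentation ranges and checksums left at zero.

```python
import struct

# Constructed sample packets: a 20-byte IPv4 header (no options) plus payload,
# the way the "port 0" traffic would appear in a packet capture.
def make_packet(proto, src, dst, ident, flags_offset, payload):
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_offset,
                       64, proto, 0,  # TTL, protocol, checksum (0: constructed)
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def classify(pkt):
    """Return (category, dst_port) for one raw IPv4 packet.

    Non-initial fragments (fragment offset != 0) have no L4 header, so a flow
    exporter records them as port 0 whatever the original datagram's ports were.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    flags_offset = struct.unpack("!H", pkt[6:8])[0]
    more_fragments = bool(flags_offset & 0x2000)   # MF flag
    frag_offset = flags_offset & 0x1FFF            # in 8-byte units
    if frag_offset != 0:
        return ("non-initial fragment", None)
    if proto not in (6, 17):
        return ("non-tcp/udp", None)
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if more_fragments:
        return ("initial fragment", dport)          # ports visible, more to come
    if sport == 0 or dport == 0:
        return ("true port 0", dport)               # really addressed to/from port 0
    return ("complete datagram", dport)

def port0_breakdown(packets):
    """(fragments, total) among packets a flow exporter would report as port 0."""
    cats = [classify(p)[0] for p in packets]
    reported = [c for c in cats if c in ("non-initial fragment", "true port 0")]
    return reported.count("non-initial fragment"), len(reported)

# Constructed capture: a fragmented DNS reply (2 fragments), one genuine
# port-0 UDP datagram, and one ordinary DNS query to port 53.
DNS_REPLY_HDR = struct.pack("!HHHH", 53, 40123, 16, 0) + b"\x00" * 8
SAMPLE = [
    make_packet(17, "198.51.100.10", "192.0.2.5", 0x1234, 0x2000, DNS_REPLY_HDR),
    make_packet(17, "198.51.100.10", "192.0.2.5", 0x1234, 185, b"\x00" * 16),
    make_packet(17, "203.0.113.7", "192.0.2.5", 1, 0, struct.pack("!HHHH", 0, 0, 8, 0)),
    make_packet(17, "203.0.113.8", "192.0.2.5", 2, 0,
                struct.pack("!HHHH", 40000, 53, 20, 0) + b"\x00" * 12),
]

if __name__ == "__main__":
    print(port0_breakdown(SAMPLE))  # (1, 2): half of the "port 0" is fragments
```

Run over a real capture, the ratio tells you how much of the "port 0" share is fragmented traffic (large DNS responses, for instance) that a blanket port-0 filter would also drop.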