RE: DDoS using port 0 and 53 (DNS)

["Frank Bulk" <frnkblk () iname com>]

Thanks for confirming what was discussed in the NANOG archive.

I now have warm fuzzies knowing that all my protections are reactive. =)  I will be talking with our upstream provider 
to see if they can enable some better automation (because they run a larger shop).  I know they were able to null route 
in seconds, we just need a faster way to identify targets.  

Frank

-----Original Message-----
From: Roland Dobbins [mailto:rdobbins () arbor net] 
Sent: Tuesday, July 24, 2012 11:06 PM
To: Frank Bulk; nanog () nanog org
Subject: Re: DDoS using port 0 and 53 (DNS)

Frank Bulk <frnkblk () iname com> wrote:

> Unfortunately I don't have packet captures of any of the attacks, so I
> can't exam them for more detail, but wondering if there was some
> collective wisdom about blocking port 0.

Yes - don't do it, or you will break the Internet. These are non-initial fragments.

You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS 
responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your 
peers/upstreams to block these attacks when they occur. 

Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy 
customers and soon-to-be former customers. 

;>
-----------------------------------
Roland Dobbins <rdobbins () arbor net>