nanog mailing list archives
DDoS using port 0 and 53 (DNS)
From: "Frank Bulk" <frnkblk () iname com>
Date: Tue, 24 Jul 2012 22:40:34 -0500
Several times this year our customers have suffered DDoSes ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute spurts. They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0". The one from today had about 89% port 0 and 11% port 53 (DNS). If it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us that's targeted to tcp or udp port 0 -- is that safe to do? I found two NANOG archives that talk about this

http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.html
http://www.gossamer-threads.com/lists/nanog/users/18990

and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.

Regards,
Frank
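Added example, not part of the original message: a sketch of how a packet capture could separate the two readings of "port 0" raised above, namely non-initial IP fragments (which carry no TCP/UDP header, and which many flow exporters report as port 0) versus packets whose port field is literally 0. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def classify(pkt: bytes):
    """Return (kind, sport, dport) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not-ipv4", None, None)
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, = struct.unpack("!H", pkt[6:8])
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8          # fragment offset in bytes
    if pkt[9] not in (6, 17):                   # only TCP and UDP have ports
        return ("other-protocol", None, None)
    if offset > 0:
        # Non-initial fragment: the payload starts mid-datagram, so there is
        # no TCP/UDP header to read and therefore no port at all.
        return ("non-initial-fragment", None, None)
    if len(pkt) < ihl + 4:
        return ("truncated", None, None)
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if 0 in (sport, dport):
        return ("literal-port-0", sport, dport)
    return ("first-fragment" if more_fragments else "unfragmented", sport, dport)

def summarize(packets):
    """Count packets per category, as a capture triage summary."""
    return Counter(classify(p)[0] for p in packets)

# --- constructed sample packets (documentation addresses, checksums left 0) ---
def ipv4(proto, flags_frag, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = [
    ipv4(17, 0x0000, udp(53, 40000, b"a" * 100)),   # small DNS answer
    ipv4(17, 0x2000, udp(53, 40000, b"b" * 1472)),  # first fragment, MF set
    ipv4(17, 0x2000 | 185, b"b" * 1480),            # middle fragment
    ipv4(17, 370, b"b" * 1000),                     # last fragment
    ipv4(17, 0x0000, udp(4444, 0, b"c" * 64)),      # destination port really 0
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLES).items():
        print(f"{kind:22} {count}")
```

If most "port 0" packets in a capture land in the non-initial-fragment category, a filter on TCP/UDP port 0 would not match them, since they contain no port field to match on.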