At the FRnOG 19 meeting on 29 June, some people were surprised by the
statistics presented in the report by Nicolas Strina (Jaguar)
& Matthieu Texier (Arbor Networks), which showed plenty of DoS attacks on
"port zero". As far as I remember, nobody answered during
the meeting.

As an Arbor guru explains on Nanog, it is a NetFlow artefact:
NetFlow counts every non-initial fragment as "port 0". The attacks
in question were probably DNS.


---------------------------
FRnOG mailing list
http://www.frnog.org/
--- Begin Message ---

Frank Bulk <frnk...@iname.com> wrote:

>Unfortunately I don't have packet captures of any of the attacks, so I
>can't examine them for more detail, but wondering if there was some
>collective wisdom about blocking port 0.

Yes - don't do it, or you will break the Internet. These are non-initial 
fragments.

You or your customers are on the receiving end of DNS reflection/amplification 
attacks, and the large unsolicited DNS responses being used to packet you/them 
are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your 
peers/upstreams to block these attacks when they occur. 

Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst 
port 0), or you will have many unhappy customers and soon-to-be former 
customers. 

;>
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>

--- End Message ---
--- Begin Message ---
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:

> The packet is a non-initial fragment  if  and only if, the fragmentation 
> offset is not set to zero.  Port number's not a field you look at for that.

I understand all that, thanks.

NetFlow reports source/dest port 0 for non-initial fragments.  That, coupled 
with the description of the attack, makes it a near-certainty that the observed 
attack was a DNS reflection/amplification attack.

Furthermore, most routers can't perform the type of filtering necessary to 
check deeply into the packet header in order to determine if a given packet is 
a well-formed non-initial fragment or not. 

And finally, many router implementations interpret source/dest port 0 as - yes, 
you guessed it - non-initial fragments.  Hence, it's not a good idea to filter 
on source/dest port 0.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton


--- End Message ---
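The two points made in the thread, as an added example (not code from the thread, from FRnOG or from Arbor's products): a NetFlow-style exporter that can only read ports from an initial fragment, so every non-initial fragment is reported as port 0, and a defender-side check that ties those port-0 records back to the fragmented UDP/53 responses they belong to (by looking at the fragment offset and MF flag, not the port). Addresses, IP identifiers and the DNS answer are constructed sample values.

```python
import socket
import struct
from collections import defaultdict

def build_ipv4(src, dst, proto, ident, more_frags, frag_offset, payload):
    """Constructed IPv4 packet (no options, checksum left 0); frag_offset is in 8-byte units."""
    flags_frag = (more_frags << 13) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def flow_record(packet):
    """Mimic what a NetFlow exporter sees: ports come from the L4 header, which only an
    initial fragment (offset 0) carries, so non-initial fragments are reported as port 0."""
    ihl = (packet[0] & 0x0F) * 4
    ident, flags_frag, _ttl, proto = struct.unpack("!HHBB", packet[4:10])
    rec = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
           "proto": proto, "ident": ident, "more": bool(flags_frag & 0x2000),
           "non_initial": (flags_frag & 0x1FFF) != 0}
    if rec["non_initial"]:            # no UDP/TCP header here: nothing to read ports from
        rec["sport"], rec["dport"] = 0, 0
    else:
        rec["sport"], rec["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return rec

def suspect_dns_reflection(records, min_fragments=2):
    """Flag sources whose port-0 records travel with initial fragments of UDP/53 responses
    (MF set): the fragmented DNS reflection/amplification pattern the thread describes."""
    by_src = defaultdict(lambda: {"dns_first": 0, "non_initial": 0})
    for r in records:
        if r["non_initial"]:
            by_src[r["src"]]["non_initial"] += 1
        elif r["proto"] == 17 and r["sport"] == 53 and r["more"]:
            by_src[r["src"]]["dns_first"] += 1
    return sorted(s for s, c in by_src.items()
                  if c["dns_first"] and c["non_initial"] >= min_fragments)

# Constructed sample: one large DNS answer from a reflector, split into three fragments,
# plus an ordinary unfragmented NTP packet from another host.
VICTIM, REFLECTOR = "192.0.2.10", "198.51.100.7"
dns_first = struct.pack("!HHHH", 53, 40000, 3180, 0) + b"\x00" * 1472   # UDP header + answer start
PACKETS = [
    build_ipv4(REFLECTOR, VICTIM, 17, 0x1234, 1, 0, dns_first),
    build_ipv4(REFLECTOR, VICTIM, 17, 0x1234, 1, 185, b"\x00" * 1480),  # offset 1480 bytes
    build_ipv4(REFLECTOR, VICTIM, 17, 0x1234, 0, 370, b"\x00" * 220),   # last fragment
    build_ipv4("203.0.113.5", VICTIM, 17, 1, 0, 0, struct.pack("!HHHH", 123, 123, 56, 0) + b"\x00" * 48),
]
RECORDS = [flow_record(p) for p in PACKETS]
```

Only the first fragment yields port 53; the two that follow come out as port 0, which is why a port-0 filter would also drop every legitimate fragmented flow.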
