Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Dobbins, Roland
On Jul 25, 2012, at 1:13 PM, wrote: > No, routers normally do *not* reassemble fragments. Absolutely correct. I missed this in the rest of the reply, good catch! --- Roland Dobbins //

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Dobbins, Roland
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote: > The packet is a non-initial fragment if and only if, the fragmentation > offset is not set to zero. Port number's not a field you look at for that. I understand all that, thanks. NetFlow reports source/dest port 0 for non-initial fragments.

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread sthaug
> The port number of the Layer 4 connection cannot be determined without > executing IP fragment reassembly in that case. Routers normally > reassemble fragments they receive, if possible. No, routers normally do *not* reassemble fragments. This is typically done by hosts and firewalls. Steina

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Jimmy Hess
On 7/24/12, Roland Dobbins wrote: > Frank Bulk wrote: >>can't examine them for more detail, but wondering if there was some >>collective wisdom about blocking port 0. > Yes - don't do it, or you will break the Internet. These are non-initial Without a packet capture to look at, that's really just a

RE: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Frank Bulk
Thanks for confirming what was discussed in the NANOG archive. I now have warm fuzzies knowing that all my protections are reactive. =) I will be talking with our upstream provider to see if they can enable some better automation (because they run a larger shop). I know they were able to null

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Jimmy Hess
On 7/24/12, Frank Bulk wrote: > Unfortunately I don't have packet captures of any of the attacks, so I > can't examine them for more detail, but wondering if there was some collective > wisdom about blocking port 0. It should be relatively safe to drop (non-fragment) packets to/from port 0. If I

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Roland Dobbins
Frank Bulk wrote: >Unfortunately I don't have packet captures of any of the attacks, so I >can't examine them for more detail, but wondering if there was some >collective wisdom about blocking port 0. Yes - don't do it, or you will break the Internet. These are non-initial fragments. You or you

DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Frank Bulk
Several times this year our customers have suffered DDoSes ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute spurts. They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0". The one fro

Re: url category database, flat file lists, or API

2012-07-24 Thread JoeSox
Looks like urlfilterdb isn't completely free but might be a solution. I forgot the SQUID might have built-in classifications so I need to look at that. -- Thanks, Joe On Tue, Jul 24, 2012 at 6:32 PM, Christopher Morrow wrote: > from this search, fyi: > > https://www.google.com/search?q=squid+url+

Re: url category database, flat file lists, or API

2012-07-24 Thread Christopher Morrow
from this search, fyi: https://www.google.com/search?q=squid+url+filtering+classification On Tue, Jul 24, 2012 at 9:32 PM, Christopher Morrow wrote: > http://www.urlfilterdb.com/en/support/faq.html > > On Tue, Jul 24, 2012 at 9:30 PM, JoeSox wrote: >> Does anyone know of an open source database,

Re: url category database, flat file lists, or API

2012-07-24 Thread Christopher Morrow
http://www.urlfilterdb.com/en/support/faq.html On Tue, Jul 24, 2012 at 9:30 PM, JoeSox wrote: > Does anyone know of an open source database, flat file lists, or API > that allows me to feed a url and have it return a category > classification > For example, something like this > http://www1.k9webp

url category database, flat file lists, or API

2012-07-24 Thread JoeSox
Does anyone know of an open source database, flat file lists, or API that allows me to feed a url and have it return a category classification. For example, something like this http://www1.k9webprotection.com/support/check-site-rating I know of dansguardian but it doesn't have battlefield.com as a g

Contact from slb.com/Schlumberger Limited/Dexanet

2012-07-24 Thread Nathan Eisenberg
Would a security contact from Schlumberger Limited please contact me off-list? Sorry for the noise. Nathan Eisenberg

Re: Comcast cable modem software update push

2012-07-24 Thread Dave Sotnick
Well I'm not sure if it was the squeaky wheel getting the grease or just good timing, but I'm happy to report that this morning my Motorola SB6121 grabbed the firmware update and is now running the latest code. I'm fairly confident this will resolve my lockups. Thanks, Nanog! -Dave On Sun, Jul 2