Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 26, 2012, at 5:13 AM, Drew Weaver wrote: > Another nice "emerging" tool [I say emerging because it's been around forever > but nobody implements it] to deal with this is Flowspec, using flowspec you > can instruct your Upstream to block traffic with much more granular > characteristics.

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Mark Andrews
In message , Joel Maslak writes: > On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff wrote: > > > Some UDP applications will use zero as a source port when they do not > > expect a response, which is how many one-way UDP-based apps operate, > > though not all. This behavior is spelled out in the

RE: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Drew Weaver
nk...@iname.com] Sent: Tuesday, July 24, 2012 11:41 PM To: nanog@nanog.org Subject: DDoS using port 0 and 53 (DNS) Several times this year our customers have suffered DDoS' ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in a several minute spurts. They are targeted at one

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 25, 2012, at 10:27 PM, Frank Bulk wrote: > Can netflow _properly_ "capture" whether a packet is a fragment or not? No. > If not, does IPFIX address this? Yes. But this is all a distraction. We are now down in the weeds. Your customers were victims of a DNS reflection/amplification a

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 25, 2012, at 9:52 PM, Joel Maslak wrote: > In addition to the fragments, these packets might also be non-TCP/UDP (ICMP, > GRE, 6to4 and other IP-IP, etc). NetFlow will report the correct protocol number. --- Roland Dobb

RE: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Frank Bulk
: Re: DDoS using port 0 and 53 (DNS) On 7/24/12, Roland Dobbins wrote: > Frank Bulk wrote: >>can't examine them for more detail, but wondering if there was some >>collective wisdom about blocking port 0. > Yes - don't do it, or you will break the Internet. These are non-ini

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Joel Maslak
On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff wrote: > Some UDP applications will use zero as a source port when they do not > expect a response, which is how many one-way UDP-based apps operate, > though not all. This behavior is spelled out in the IETF RFC 768: That would only be applicable

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread John Kristoff
On Tue, 24 Jul 2012 23:10:52 -0500 Jimmy Hess wrote: > It should be relatively safe to drop (non-fragment) packets to/from > port 0. [...] Some UDP applications will use zero as a source port when they do not expect a response, which is how many one-way UDP-based apps operate, though not all.

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Dobbins, Roland
On Jul 25, 2012, at 1:13 PM, wrote: > No, routers normally do *not* reassemble fragments. Absolutely correct. I missed this in the rest of the reply, good catch! --- Roland Dobbins //

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Dobbins, Roland
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote: > The packet is a non-initial fragment if and only if, the fragmentation > offset is not set to zero. Port number's not a field you look at for that. I understand all that, thanks. NetFlow reports source/dest port 0 for non-initial fragments.

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread sthaug
> The port number of the Layer 4 connection cannot be determined without > executing IP fragment reassembly in that case. Routers normally > reassemble fragments they receive, if possible. No, routers normally do *not* reassemble fragments. This is typically done by hosts and firewalls. Steina

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Jimmy Hess
On 7/24/12, Roland Dobbins wrote: > Frank Bulk wrote: >>can't examine them for more detail, but wondering if there was some >>collective wisdom about blocking port 0. > Yes - don't do it, or you will break the Internet. These are non-initial Without a packet capture to look at, that's really just a

RE: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Frank Bulk
null route in seconds, we just need a faster way to identify targets. Frank -Original Message- From: Roland Dobbins [mailto:rdobb...@arbor.net] Sent: Tuesday, July 24, 2012 11:06 PM To: Frank Bulk; nanog@nanog.org Subject: Re: DDoS using port 0 and 53 (DNS) Frank Bulk wrote

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Jimmy Hess
On 7/24/12, Frank Bulk wrote: > Unfortunately I don't have packet captures of any of the attacks, so I > can't examine them for more detail, but wondering if there was some collective > wisdom about blocking port 0. It should be relatively safe to drop (non-fragment) packets to/from port 0. If I

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Roland Dobbins
Frank Bulk wrote: >Unfortunately I don't have packet captures of any of the attacks, so I >can't examine them for more detail, but wondering if there was some >collective wisdom about blocking port 0. Yes - don't do it, or you will break the Internet. These are non-initial fragments. You or you
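A worked illustration of the point made in the Dobbins, Hess and sthaug replies above: a NetFlow-style exporter reads L4 ports only from the first fragment, reports port 0 for non-initial fragments (there is no UDP/TCP header in them to read) and for ICMP/GRE/other non-TCP/UDP protocols, routers do not reassemble, and so a blanket "block port 0" rule built from what the flow tool shows drops the tail of every fragmented datagram plus all non-TCP/UDP traffic. This is added example code, not anything posted in the thread; the addresses (RFC 5737 documentation ranges), the packet builder, the oversized DNS reply and the two policy functions are all constructed for the demonstration.

```python
import socket
import struct
from dataclasses import dataclass

TCP, UDP, ICMP, GRE = 6, 17, 1, 47


@dataclass(frozen=True)
class FlowKey:
    proto: int
    src: str
    dst: str
    sport: int          # 0 when no L4 header is visible (non-initial fragment, non-TCP/UDP)
    dport: int
    frag_offset: int    # in 8-byte units; non-zero means non-initial fragment
    more_fragments: bool


def build_ipv4(proto, src, dst, payload, frag_offset=0, more_fragments=False, ident=0x4242):
    """Constructed IPv4 packet (header checksum left 0; nothing here verifies it)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(proto, src, dst, l4, mtu_payload=1480):
    """Split one L4 datagram into IP fragments the way a sending host would (mtu_payload % 8 == 0)."""
    frags = []
    for i in range(0, len(l4), mtu_payload):
        chunk = l4[i:i + mtu_payload]
        last = i + mtu_payload >= len(l4)
        frags.append(build_ipv4(proto, src, dst, chunk, frag_offset=i // 8, more_fragments=not last))
    return frags


def flow_key(pkt):
    """Classify a packet the way a NetFlow-style exporter does: the protocol number is always
    reported correctly, but ports come only from an initial fragment of TCP/UDP; anything else
    is exported with source/destination port 0."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    sport = dport = 0
    if offset == 0 and proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return FlowKey(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, offset, more)


# Constructed sample traffic (hypothetical addresses): one oversized DNS reply that fragments
# into two packets, plus an ICMP echo request and a GRE packet from the same source.
RESOLVER, VICTIM = "192.0.2.53", "198.51.100.10"
dns_reply = build_udp(53, 33000, b"\x00" * 2900)   # 2908-byte UDP datagram -> 1480 + 1428 bytes
SAMPLE_PACKETS = (
    fragment(UDP, RESOLVER, VICTIM, dns_reply)
    + [build_ipv4(ICMP, RESOLVER, VICTIM, b"\x08\x00\x00\x00" + b"\x00" * 4)]
    + [build_ipv4(GRE, RESOLVER, VICTIM, b"\x00\x00\x08\x00")]
)


def port0_byte_share(packets):
    """What the flow tool would call the 'port 0' share of the traffic."""
    total = sum(len(p) for p in packets)
    port0 = sum(len(p) for p in packets if flow_key(p).sport == 0 and flow_key(p).dport == 0)
    return port0 / total


def naive_port0_drop(key):
    """'Block port 0' written straight from the flow records: drops every non-initial
    fragment and every non-TCP/UDP packet, i.e. breaks things."""
    return key.sport == 0 or key.dport == 0


def fragment_aware_port0_drop(key):
    """Drop only datagrams that genuinely carry L4 port 0: TCP/UDP with the header in view.
    Non-initial fragments and other protocols are left alone (Jimmy Hess's 'non-fragment' caveat)."""
    return (key.frag_offset == 0 and key.proto in (TCP, UDP)
            and (key.sport == 0 or key.dport == 0))


def apply_policy(policy, packets):
    return [policy(flow_key(p)) for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(flow_key(p))
    print("port-0 byte share:", port0_byte_share(SAMPLE_PACKETS))
    print("naive drops:", apply_policy(naive_port0_drop, SAMPLE_PACKETS))
    print("fragment-aware drops:", apply_policy(fragment_aware_port0_drop, SAMPLE_PACKETS))
```

Half the bytes in the sample show up as "port 0" even though only one packet is a DNS response and none of them has a real port 0; the naive rule drops the second fragment (so the host never reassembles the reply), the ICMP packet and the GRE packet, while the fragment-aware rule drops nothing. The same logic is why a packet capture, or a flow record with fragment information (IPFIX can carry it, NetFlow v5 cannot), is needed before deciding what the "port 0" traffic actually is.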

DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Frank Bulk
Several times this year our customers have suffered DDoS' ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in a several minute spurts. They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0". The one fro