Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread sthaug
> The port number of the Layer 4 connection cannot be determined without executing IP fragment reassembly in that case.
> Routers normally reassemble fragments they receive, if possible.

No, routers normally do *not* reassemble fragments. This is typically done by hosts and firewalls.

Steinar

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:

> The packet is a non-initial fragment if and only if the fragmentation offset is not set to zero. Port number's not a field you look at for that.

I understand all that, thanks. NetFlow reports source/dest port 0 for non-initial fragments.

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 25, 2012, at 1:13 PM, sth...@nethelp.no wrote:

> No, routers normally do *not* reassemble fragments.

Absolutely correct. I missed this in the rest of the reply, good catch!

---
Roland Dobbins rdobb...@arbor.net //

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread John Kristoff
On Tue, 24 Jul 2012 23:10:52 -0500 Jimmy Hess mysi...@gmail.com wrote:

> It should be relatively safe to drop (non-fragment) packets to/from port 0.

[...]

Some UDP applications will use zero as a source port when they do not expect a response, which is how many one-way UDP-based apps operate,

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Joel Maslak
On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff j...@cymru.com wrote:

> Some UDP applications will use zero as a source port when they do not expect a response, which is how many one-way UDP-based apps operate, though not all. This behavior is spelled out in the IETF RFC 768:

That would only be

RE: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Frank Bulk
port 0 and 53 (DNS)

On 7/24/12, Roland Dobbins rdobb...@arbor.net wrote:

> Frank Bulk frnk...@iname.com wrote:
>
> > can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.
>
> Yes - don't do it, or you will break the Internet. These are non-initial

Without

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 25, 2012, at 9:52 PM, Joel Maslak wrote:

> In addition to the fragments, these packets might also be non-TCP/UDP (ICMP, GRE, 6to4 and other IP-IP, etc).

NetFlow will report the correct protocol number.

---
Roland

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 25, 2012, at 10:27 PM, Frank Bulk wrote:

> Can netflow _properly_ capture whether a packet is a fragment or not?

No.

> If not, does IPFIX address this?

Yes.

But this is all a distraction. We are now down in the weeds. Your customers were victims of a DNS reflection/amplification

RE: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Drew Weaver
Another nice emerging tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec. Using flowspec, you can instruct your Upstream to block traffic with much more granular characteristics. Instead of dropping all traffic to the IP address, you can

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Mark Andrews
In message CADb+6TD6EMN7i9G99hPrhBh2ck-NwRqUuoQ1ubmnsHYN=ix...@mail.gmail.com, Joel Maslak writes:

> On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff j...@cymru.com wrote:
>
> > Some UDP applications will use zero as a source port when they do not expect a response, which is how many one-way

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread Dobbins, Roland
On Jul 26, 2012, at 5:13 AM, Drew Weaver wrote:

> Another nice emerging tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec. Using flowspec, you can instruct your Upstream to block traffic with much more granular characteristics.

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Roland Dobbins
Frank Bulk frnk...@iname.com wrote:

> Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.

Yes - don't do it, or you will break the Internet. These are non-initial

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Jimmy Hess
On 7/24/12, Frank Bulk frnk...@iname.com wrote:

> Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.

It should be relatively safe to drop (non-fragment) packets to/from

RE: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Frank Bulk
to null route in seconds, we just need a faster way to identify targets.

Frank

-Original Message-
From: Roland Dobbins [mailto:rdobb...@arbor.net]
Sent: Tuesday, July 24, 2012 11:06 PM
To: Frank Bulk; nanog@nanog.org
Subject: Re: DDoS using port 0 and 53 (DNS)

Frank Bulk frnk...@iname.com

Re: DDoS using port 0 and 53 (DNS)

2012-07-24 Thread Jimmy Hess
On 7/24/12, Roland Dobbins rdobb...@arbor.net wrote:

> Frank Bulk frnk...@iname.com wrote:
>
> > can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.
>
> Yes - don't do it, or you will break the Internet. These are non-initial

Without a packet capture to