
On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote:
> The packet is a non-initial fragment if and only if the fragmentation offset is not set to zero. Port number's not a field you look at for that.
I understand all that, thanks. NetFlow reports source/dest port 0 for non-initial fragments. That, coupled with the description of the attack, makes it a near-certainty that the observed attack was a DNS reflection/amplification attack.

Furthermore, most routers can't perform the type of filtering necessary to check deeply into the packet header in order to determine if a given packet is a well-formed non-initial fragment or not. And finally, many router implementations interpret source/dest port 0 as - yes, you guessed it - non-initial fragments.

Hence, it's not a good idea to filter on source/dest port 0.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
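The point made above, as an added illustration that is not part of the thread: a non-initial IPv4 fragment carries no UDP header, so a flow exporter has no ports to report and fills in 0, and a "drop port 0" rule then also discards the trailing fragments of legitimate large DNS responses. The packet builder and the emulation of the port-0 reporting behaviour are constructed here for the example; the addresses and payload are placeholders.

```python
import struct

def build_ipv4_udp(src_port, dst_port, payload, more_fragments=False, frag_offset=0):
    """Construct a minimal IPv4/UDP packet (example only, constructed input).
    frag_offset is in 8-byte units; a non-initial fragment (offset > 0) has no
    UDP header, its payload starts right after the 20-byte IP header."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)  # MF bit + offset
    if frag_offset == 0:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    else:
        l4 = payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(l4), 0x1234, flags_frag, 64, 17, 0,
                     bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7]))  # placeholder addresses
    return ip + l4

def fragment_offset(pkt):
    """Low 13 bits of the flags/fragment field (bytes 6-7) of the IPv4 header."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def is_non_initial_fragment(pkt):
    # The correct test: a non-zero fragment offset, not the port numbers.
    return fragment_offset(pkt) != 0

def flow_ports(pkt):
    """Emulate the exporter behaviour described in the thread: a non-initial
    fragment has no transport header, so both ports are reported as 0."""
    if is_non_initial_fragment(pkt):
        return (0, 0)
    return struct.unpack("!HH", pkt[20:24])

def port_zero_filter_drops(pkt):
    """Would a naive 'drop src/dst port 0' ACL discard this packet?"""
    src, dst = flow_ports(pkt)
    return src == 0 or dst == 0

if __name__ == "__main__":
    # A large DNS response split in two: first fragment has the UDP header,
    # the second is a non-initial fragment at offset 185 (1480 bytes / 8).
    first = build_ipv4_udp(53, 40000, b"\x00" * 8, more_fragments=True)
    rest = build_ipv4_udp(53, 40000, b"\x00" * 8, frag_offset=185)
    for name, pkt in (("first", first), ("rest", rest)):
        print(name, "offset", fragment_offset(pkt), "ports", flow_ports(pkt),
              "dropped by port-0 filter:", port_zero_filter_drops(pkt))
```

The second fragment is a legitimate part of the DNS reply, yet it shows up with ports (0, 0) and would be dropped by the port-0 filter, which is exactly why the offset field, not the port, is the thing to look at.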