Frank Bulk <frnkblk@iname.com> wrote:
Unfortunately I don't have packet captures of any of the attacks, so I can't exam them for more detail, but wondering if there was some collective wisdom about blocking port 0.
Yes - don't do it, or you will break the Internet. These are non-initial fragments. You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur. Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers. ;> ----------------------------------- Roland Dobbins <rdobbins@arbor.net>