Can netflow _properly_ "capture" whether a packet is a fragment or not? If not, does IPFIX address this?

Frank

-----Original Message-----
From: Jimmy Hess [mailto:mysidia@gmail.com]
Sent: Wednesday, July 25, 2012 12:08 AM
To: Roland Dobbins
Cc: Frank Bulk; nanog@nanog.org
Subject: Re: DDoS using port 0 and 53 (DNS)

On 7/24/12, Roland Dobbins <rdobbins@arbor.net> wrote:
> Frank Bulk <frnkblk@iname.com> wrote:
>> can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0.
> Yes - don't do it, or you will break the Internet. These are non-initial

Without a packet capture to look at, that's really just a blind assumption.

A port number of a non-initial fragment does not exist at all, because the Layer 4 info is unavailable in that case. Something _might_ lie and say the port number is 0, but it should not -- there is no TCP header with any port numbers; the only fields available to check against on such packets are Layer 3 fields such as protocol, source and destination address. The port number of the Layer 4 connection cannot be determined without executing IP fragment reassembly in that case. Routers normally reassemble fragments they receive, if possible.

An access list statement attempting to match against non-present Layer 4 information should not work; on a stateful firewall, the presence of the rule might trigger a fragment reassembly; on a router, the non-applicable ACL entry referring to a non-existent port number will generally be ignored.

A full capture should not be necessary. You determine if a packet is a fragment by examining the MF flag, bit 50, and fragmentation offset of the IPv4 header, bits 51 through 63. You only need to look at the first 8 bytes of the IP header. If the MF bit is set to 0, and the fragmentation offset is also all bits 0, then the packet is not part of a fragment. The packet is a non-initial fragment if and only if the fragmentation offset is not set to zero. Port number's not a field you look at for that.

--
-JH
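The fragment test Jimmy describes, as an added example that is not part of the thread: it reads the MF flag and fragment offset from bytes 6-7 of the IPv4 header, only reports TCP/UDP ports when an offset-0 fragment can actually carry an L4 header, and shows what a parser that ignores those fields reports instead (payload bytes read as ports, which is one way "port 0" ends up in flow records). The packets below are constructed samples, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class FragInfo:
    proto: int
    mf: bool              # More Fragments flag (bit 50 of the IPv4 header)
    offset: int           # fragment offset in 8-byte units (bits 51-63)
    kind: str             # "unfragmented", "initial-fragment" or "non-initial-fragment"
    sport: Optional[int]  # None when no Layer 4 header can be present
    dport: Optional[int]

def classify(pkt: bytes) -> FragInfo:
    """Classify an IPv4 packet from its header; ports only where an L4 header exists."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0]   # bytes 6-7: flags + fragment offset
    mf = bool(flags_off & 0x2000)
    offset = flags_off & 0x1FFF
    proto = pkt[9]
    if offset != 0:
        kind = "non-initial-fragment"      # no TCP/UDP header here, ports are undefined
    elif mf:
        kind = "initial-fragment"
    else:
        kind = "unfragmented"
    sport = dport = None
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return FragInfo(proto, mf, offset, kind, sport, dport)

def naive_ports(pkt: bytes) -> Tuple[int, int]:
    """What a parser that ignores the fragment fields reports: payload bytes read as ports."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def build_ipv4(flags_off: int, proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) for the samples below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

# Constructed samples, not captured traffic. Offset 185 * 8 = 1480 bytes into the datagram.
UDP_DNS = build_ipv4(0x0000, 17, struct.pack("!HHHH", 53, 33333, 12, 0) + b"\x00" * 4)
FIRST_FRAG = build_ipv4(0x2000, 17, struct.pack("!HHHH", 53, 33333, 1500, 0) + b"\x00" * 8)
LAST_FRAG = build_ipv4(185, 17, b"\x00" * 16)

if __name__ == "__main__":
    for name, p in (("dns", UDP_DNS), ("first", FIRST_FRAG), ("last", LAST_FRAG)):
        print(name, classify(p), "naive ports:", naive_ports(p))
```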