In message <CADb+6TD6EMN7i9G99hPrhBh2ck-NwRqUuoQ1ubmnsHYN=iXAkg@mail.gmail.com>, Joel Maslak writes:
On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff <jtk@cymru.com> wrote:
Some UDP applications will use zero as a source port when they do not expect a response, which is how many one-way UDP-based apps operate, though not all. This behavior is spelled out in the IETF RFC 768:
That would only be applicable if the box was expecting to receive UDP and not send a response. I'm not sure I can think of anything but specialized, vertical applications that would have that behavior with port zero (syslog and SNMP traps send without expecting a response, but they don't use port zero in any implementation I've seen, and neither is generally allowed to be received from the internet at large).
In addition to the fragments, these packets might also be non-TCP/UDP (ICMP, GRE, 6to4 and other IP-IP, etc). If the host doesn't expect to receive large UDP packets, you can block UDP fragments. Note that recursive DNS servers would need UDP fragments (well, if you want to do large DNS packets - if you set the right options, you can turn that off). But if you aren't generally providing UDP services, blocking UDP packets, especially to stop an attack, wouldn't hurt (you can also block anything with the MF bit set). If you block these fragments at your provider's router, and it is a DNS amplification attack, your problems are probably solved until the hacker figures it out. Just make sure you think of things like recursive DNS and other applications that may be using UDP fragments.
Actually *all* IPv6 nodes are supposed to support EDNS so *all* IPv6 hosts should be expecting to receive fragmented UDP for DNS. Add to that all hosts that do DNSSEC validation in the stub resolver / application. With DANE this will be any host with a web browser.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
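As an added illustration of the UDP-fragment filter Joel describes and the resolver caveat Mark raises (example code written for this page, not from either poster): it parses the IPv4 flags/offset fields, drops UDP fragments, and exempts a constructed allowlist of recursive resolvers that legitimately receive large EDNS responses. Note that non-initial fragments carry no UDP header, so the decision can only use protocol and addresses, never ports.

```python
import struct
from ipaddress import ip_address

IPPROTO_UDP = 17

# Hypothetical allowlist of recursive resolvers (constructed address) that
# must keep receiving fragmented DNS/EDNS replies.
RESOLVER_ALLOWLIST = {"192.0.2.53"}


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields a fragment policy needs from an IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    mf = bool(flags_off & 0x2000)      # More Fragments bit
    offset = (flags_off & 0x1FFF) * 8  # fragment offset, in bytes
    return {
        "proto": proto,
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
        "mf": mf,
        "offset": offset,
        # First fragment has MF set and offset 0; later ones have offset > 0.
        "is_fragment": mf or offset > 0,
    }


def udp_fragment_policy(pkt: bytes) -> str:
    """Return 'drop' for UDP fragments except those bound for allowlisted resolvers."""
    h = parse_ipv4(pkt)
    if not h["is_fragment"] or h["proto"] != IPPROTO_UDP:
        return "accept"
    # Ports are unavailable on non-initial fragments, so match on address only.
    return "accept" if h["dst"] in RESOLVER_ALLOWLIST else "drop"


def build_ipv4(src: str, dst: str, proto: int, mf: bool, offset: int,
               payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for testing (checksum left zero)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload
```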