[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Attacking on Source Port 0 (ZERO)

Subject: Attacking on Source Port 0 (ZERO)
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Sun, 14 Oct 2012 13:43:58 +0000
In-reply-to: <CAGqGmqbTsnO3WD6HR=4oVX_2=YsdWaii9b7+yApZMd1zBaaSPQ@mail.gmail.com>
References: <CAGqGmqbTsnO3WD6HR=4oVX_2=YsdWaii9b7+yApZMd1zBaaSPQ@mail.gmail.com>

On Oct 14, 2012, at 4:48 PM, Shahab Vahabzadeh wrote:

> Does any body know what kind of attack can be come to port 0?

If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS attack.

If it's port 0, you may be incorrectly blocking non-initial fragments.  Alternately, it could represent a fragmented DDoS attack, either non-initial fragments fired directly against something on your network or as the result of a DNS reflection/amplification attack against something on your network.

The log fragment you posted doesn't provide enough detail to make an informed judgement.  Also, you should not place servers behind a stateful firewall, anyways.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

Follow-Ups:
- Attacking on Source Port 0 (ZERO)
  - From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)

References:
- Attacking on Source Port 0 (ZERO)
  - From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)

Prev by Date: best way to create entropy?
Next by Date: Is a /48 still the smallest thing you can route independently?
Previous by thread: Attacking on Source Port 0 (ZERO)
Next by thread: Attacking on Source Port 0 (ZERO)
Index(es):
- Date
- Thread