SANS ISC InfoSec Handlers Diary Blog



Port 0 DDOS

Published: 2013-11-22
Last Updated: 2013-11-24 00:23:34 UTC
by Rick Wanner (Version: 1)
2 comment(s)

Following on the stories of amplification DDOS attacks using Chargen, and Brian Krebs's reporting on "booters", I am watching with interest the increase in port 0 amplification DDOS attacks.

Typically these are relatively short-duration attacks, 15 to 30 minutes, aimed at a residential IP address, and my speculation is that these are targeted at "booting" participants in RPG games. On the networks I have access to these are usually in the 300 Mbps to 2.0 Gbps range. The volume would most certainly be very debilitating for the target, and sometimes their neighbors, but for the most part doesn't cause overall problems for the network. The sources are very diverse.

Unfortunately I do not have the ability to get packets from any of these attacks, but I am questioning whether this traffic is actually destined for port 0 or whether it is actually fragmentation attacks that are being interpreted as source port 0 traffic.
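
To make the suspicion above concrete, here is an added example (not part of the original diary, and not the code of any real flow exporter): a few raw IPv4/UDP packets are constructed inline, including a large reply split into two fragments, and a small parser checks whether a port-0 record is a genuine port 0 datagram or a non-initial fragment. Only the first fragment of a datagram carries the UDP header; a later fragment has no port fields at all, and an exporter that reads ports from the transport header (NetFlow v5 records, for instance, carry port fields but no fragment information) will record such packets as 0/0. The addresses, sizes and the "naive exporter" behaviour are assumptions for the demonstration.

```python
"""Added example: tell genuine port-0 UDP packets apart from non-initial
IP fragments, which a flow exporter that cannot see a transport header
reports as port 0/0.  All packets below are constructed inline."""
import struct
from typing import Dict, List, Optional, Tuple

UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ident: int,
               frag_offset: int, more_fragments: bool, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options). frag_offset is in 8-byte units."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(src_port: int, dst_port: int, data: bytes) -> bytes:
    """UDP header + data; checksum 0 is legal over IPv4 and means 'not computed'."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def parse(packet: bytes) -> dict:
    """Decode fragment offset, MF flag, protocol, and the UDP ports when
    (and only when) a UDP header is actually present in this packet."""
    ihl = (packet[0] & 0x0F) * 4
    _, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    frag_offset = flags_frag & 0x1FFF
    more_fragments = bool(flags_frag & 0x2000)
    l4 = packet[ihl:total_len]
    ports: Optional[Tuple[int, int]] = None
    if frag_offset == 0 and proto == UDP and len(l4) >= 8:
        sp, dp, _, _ = struct.unpack("!HHHH", l4[:8])
        ports = (sp, dp)
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ident": ident, "proto": proto, "frag_offset": frag_offset,
            "more_fragments": more_fragments, "ports": ports}


def naive_exporter_ports(packet: bytes) -> Tuple[int, int]:
    """Assumed exporter behaviour: ports come from the transport header if
    there is one, otherwise the record carries 0/0.  This is what turns a
    fragment flood into 'port 0' traffic in flow data."""
    ports = parse(packet)["ports"]
    return ports if ports is not None else (0, 0)


def classify(packet: bytes) -> str:
    info = parse(packet)
    if info["frag_offset"] > 0:
        return "non-first-fragment"   # no transport header: ports are absent, not zero
    if info["ports"] is None:
        return "no-l4-header"         # not UDP, or truncated
    if 0 in info["ports"]:
        return "true-port-0"          # a real UDP datagram with a zero port
    return "first-fragment" if info["more_fragments"] else "unfragmented"


def triage(packets: List[bytes]) -> Dict[str, int]:
    """Of the packets a naive exporter would file under port 0, how many are
    genuine port-0 datagrams and how many are fragment artifacts?"""
    counts: Dict[str, int] = {}
    for pkt in packets:
        if 0 in naive_exporter_ports(pkt):
            kind = classify(pkt)
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# --- constructed sample traffic (addresses and sizes are made up) ---
_big_reply = b"A" * 1800                 # a large amplification-style UDP reply
_udp = build_udp(53, 12345, _big_reply)  # 1808 bytes of UDP: must fragment at a 1500 MTU
SAMPLE_PACKETS = [
    # first fragment: UDP header plus 1472 data bytes (1480 bytes, a multiple of 8)
    build_ipv4("203.0.113.10", "198.51.100.7", UDP, 0x1234, 0, True, _udp[:1480]),
    # second fragment: offset 1480/8 = 185, carries no UDP header at all
    build_ipv4("203.0.113.10", "198.51.100.7", UDP, 0x1234, 185, False, _udp[1480:]),
    # a genuine port 0 -> port 0 datagram
    build_ipv4("203.0.113.20", "198.51.100.7", UDP, 0x0001, 0, False, build_udp(0, 0, b"B" * 64)),
    # an ordinary unfragmented datagram
    build_ipv4("203.0.113.30", "198.51.100.7", UDP, 0x0002, 0, False, build_udp(53, 40000, b"C" * 100)),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(naive_exporter_ports(pkt), classify(pkt))
    print(triage(SAMPLE_PACKETS))
```

Run against a real capture, the same split (by fragment offset rather than by the port column) is the check that separates "port 0" in flow records from actual port 0 datagrams; if nearly everything filed under port 0 turns out to be non-first fragments, the flow data is reporting a fragmentation flood, not traffic addressed to port 0.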

Jim Macleod at lovemytool.com does an excellent job of describing what I am suspecting.

If anyone has packets available from one of these attacks, I would love to review them.


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
