
Let's assume a hypothetical situation in which port 50000 of a machine was being bombarded with UDP packets. However, port 50000 on said machine isn't actually open (i.e. the machine is not listening on port 50000).

Would such a bombardment of packets result in a DDoS?

If so, why? If the port is closed, shouldn't the packets simply "bounce off" the machine as if nothing has happened?

Ash

1 Answer


Yes. Packets destined for your host will still be routed to your machine and your machine still has to process those requests. Even if the 'port is closed', the kernel/network stack still has to validate the packet, the headers and the checksum, and then figure out that it doesn't support the request. In some cases, this also results in the output of a packet trying to tell the remote system that you're not accepting data on that port; combine this with many requests per second, and you could end up adding to the DDoS on your own box.

The only preventive measures are to load balance the system behind multiple layers to distribute the requests, or contact an upstream provider who can drop the traffic before it gets to your box.

Andrew
  • One note - if the port is on "DROP", much less inspection will likely happen. – Florin Asăvoaie Mar 20 '18 at 19:31
  • Is there any way of detecting packets that are "colliding" with closed ports? In other words, if data is being sent to a closed `port 50000`, is there some application (similar to Wireshark) that can be used to detect these packets? – Ash Mar 20 '18 at 20:31
  • Most firewalls have a log option. Depending how much you want to log (and assuming `iptables` since it's pretty common), you could insert a LOG all statement before your DROP statement. This should then add log entries as it drops the packets for those ports. You could also just use individual LOG statements per port you want logged, but make sure it's before the DROP all statement. – Andrew Mar 20 '18 at 20:35
  • I think theoretically this is accurate. But I think the DDoS comes from overwhelming the network connection, not by saturating the IP stack on the computer. In other words, if you have a 100 Mbps connection, 100 Mbps of traffic would saturate it and slow or halt other traffic. I doubt a firewall would have any trouble at all in handling the requests even on a lightly powered system. You'd probably fill up your hard drive and cause your own DDoS by logging this stuff before any significant load would be put on the system to drop packets. – Appleoddity Mar 21 '18 at 04:37