I've been tracking an attack all day long, and have been frustrated trying to figure out both what was being attacked, and how. Finally, I realized it was *not* ICMP, UDP, or TCP.

#sh access-lists 151
Extended IP access list 151
    permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
    permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
    permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
    deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
    permit ip any any (4450563 matches)

In the above, notice the disparity? So, my question is...

What the hell kind of packet is it if it's not ICMP, UDP, or TCP?
maybe EGP? :-/

dave

At 05:07 PM 12/8/98 -0500, Thom Youngblood wrote:
> I've been tracking an attack all day long, and have been frustrated trying to figure out both what was being attacked, and how. Finally, I realized it was *not* ICMP, UDP, or TCP.
>
> #sh access-lists 151
> Extended IP access list 151
>     permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
>     permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
>     permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
>     deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
>     permit ip any any (4450563 matches)
>
> In the above, notice the disparity? So, my question is...
>
> What the hell kind of packet is it if it's not ICMP, UDP, or TCP?
On Tue, 8 Dec 1998 17:07:57 -0500, thom@cais.net writes:
>     permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
>     permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
>     permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
>     deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
Fragments?

-Jon
--
Jon Green * jcgreen@netins.net * http://www.quadrunner.com/~jon
"Life's a dance you learn as you go"
Finger for Geek Code/PGP
#include "std_disclaimer.h"
On Tue, 8 Dec 1998, Thom Youngblood wrote:
> I've been tracking an attack all day long, and have been frustrated trying to figure out both what was being attacked, and how. Finally, I realized it was *not* ICMP, UDP, or TCP.
>
> #sh access-lists 151
> Extended IP access list 151
>     permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
>     permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
>     permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
>     deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
>     permit ip any any (4450563 matches)
>
> In the above, notice the disparity? So, my question is...
>
> What the hell kind of packet is it if it's not ICMP, UDP, or TCP?
#access-list 123 permit ?
  <0-255>  An IP protocol number
  eigrp    Cisco's EIGRP routing protocol
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

There are lots of protocols other than these... For example, IPv6 is protocol number 41.

Also, try

permit ip any any log
! This will definitely tell you what you're seeing.

-Andy
--
Andy McConnell 真向練 安堵龍
NTT America IP Headquarters
Lazlo's Chinese Relativity Axiom: No matter how great your triumphs or how tragic your defeats, approximately one billion Chinese couldn't care less.
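As an added example (not code from the thread or from any of its authors), the following Python script does the two things the replies point at: it parses the `show access-lists` counters quoted above to quantify how much of the traffic toward 20.0.0.0/8 fell through to the `deny ip` entry (and so is neither ICMP, UDP nor TCP), and it tallies raw IPv4 headers by protocol number, flagging non-initial fragments. The protocol-name table, the packet samples and all function names are assumptions of this example.

```python
import re
import struct
from collections import Counter

# IANA protocol numbers for the names mentioned in the thread (table constructed here).
PROTO_NAMES = {1: "icmp", 2: "igmp", 4: "ipinip", 6: "tcp", 8: "egp", 17: "udp",
               41: "ipv6", 47: "gre", 88: "eigrp", 89: "ospf", 94: "nos"}
ACL_LINE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*?)\s*\((\d+) matches\)")

def acl_counters(show_output):
    """Parse 'show access-lists' output into (action, protocol, rest, matches) tuples."""
    return [(m.group(1), m.group(2), m.group(3), int(m.group(4)))
            for m in map(ACL_LINE.match, show_output.splitlines()) if m]

def other_protocol_share(show_output, dst_net):
    """Share of packets to dst_net that reached 'deny ip', i.e. matched no icmp/udp/tcp permit."""
    named = denied = 0
    for action, proto, rest, n in acl_counters(show_output):
        if dst_net not in rest:
            continue
        if proto == "ip" and action == "deny":
            denied += n
        elif proto != "ip":
            named += n
    return denied / (named + denied)

def ipv4_packet(proto, frag_offset=0, more_frags=False, payload=b""):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left at zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([20, 0, 0, 1])) + payload

def tally_protocols(packets):
    """Count packets by protocol name (or raw number) plus non-initial fragments."""
    counts, fragments = Counter(), 0
    for pkt in packets:
        flags_frag, proto = struct.unpack("!H", pkt[6:8])[0], pkt[9]
        counts[PROTO_NAMES.get(proto, str(proto))] += 1
        if flags_frag & 0x1FFF:  # nonzero offset: later fragment, no L4 header to inspect
            fragments += 1
    return counts, fragments
# Counter output quoted from the thread, and a constructed packet sample.
SHOW_OUTPUT = """Extended IP access list 151
    permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
    permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
    permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
    deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
    permit ip any any (4450563 matches)"""
SAMPLE = [ipv4_packet(6), ipv4_packet(47), ipv4_packet(41), ipv4_packet(41),
          ipv4_packet(17, frag_offset=185), ipv4_packet(1)]
```

Running `other_protocol_share(SHOW_OUTPUT, "20.0.0.0 0.255.255.255")` on the quoted counters gives roughly 0.98: about 98% of the packets toward that network carried some protocol other than ICMP, UDP or TCP, which is the disparity the original post noticed.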
Could be GRE, IGMP, anything really.. running netflow would probably let you know real quick

nm

On Tue, 8 Dec 1998, Thom Youngblood wrote:
> I've been tracking an attack all day long, and have been frustrated trying to figure out both what was being attacked, and how. Finally, I realized it was *not* ICMP, UDP, or TCP.
participants (6)
- Andy McConnell
- David O'Leary
- Ehud Gavron
- Jon Green
- Nikos Mouat
- Thom Youngblood