Re: Help with identifying a kind of attack.
tcp and udp are transport layer protocols. If someone is sending raw IP packets that aren't using a particular transport protocol, maybe they could get through (?)

--Adam

-----Original Message-----
From: Thom Youngblood <thom@cais.net>
To: North America Network Operators Group <nanog@merit.edu>
Date: Tuesday, December 08, 1998 5:55 PM
Subject: Help with identifying a kind of attack.

:I've been tracking an attack all day long, and have been frustrated
:trying to figure out both what was being attacked, and how. Finally,
:I realized it was *not* ICMP, UDP, or TCP.
:
:#sh access-lists 151
:Extended IP access list 151
:    permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
:    permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
:    permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
:    deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
:    permit ip any any (4450563 matches)
:
:In the above, notice the disparity? So, my question is...
:
:What the hell kind of packet is it if it's not ICMP, UDP, or TCP?

Could be other protocols such as IPX, SPX, NetBEUI and AppleTalk.

Henry R. Linneweh

"Adam D. McKenna" wrote:

Depending on how your upstream is set up, it could be OSPF, for example. To see what it is you're capturing, set up logging to a syslog host, and add "log" to the end of the drop line

    deny ip any 20.0.0.0 0.255.255.255 log

and you'll see the protocol number reported in the logging output.

To see a list of the port numbers, you can look at any IANA mirror. The document you want is located at http://www.amaranthnetworks.com/ietf/iana/assignments/protocol-numbers on my mirror. There are presently assignments from zero to 119.

There are lots of possibilities. OSPF is one that sometimes wanders over lines from upstream providers to downstream sites, for example.

Dan
--
-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.            http://www.amaranthnetworks.com
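
Added example, not part of any post in this thread: a small Python tally of the syslog output that the "log" keyword suggested above would produce for list 151, grouped by IP protocol. The message shape (%SEC-6-IPACCESSLOGNP / IPACCESSLOGRP), the sample lines, the hostname "gw" and the 192.0.2.x sources are constructed assumptions; only the ACL number and the 20.0.0.0/8 destination come from the thread.

```python
import re
from collections import Counter

# Subset of the IANA protocol-numbers registry (the document the post links to).
PROTO_NAMES = {1: "icmp", 2: "igmp", 4: "ipip", 6: "tcp", 17: "udp",
               47: "gre", 50: "esp", 51: "ah", 88: "eigrp", 89: "ospf", 103: "pim"}

# Assumed shape of a logged ACL hit that is not TCP/UDP/ICMP:
#   %SEC-6-IPACCESSLOGNP: list 151 denied 47 192.0.2.77 -> 20.1.2.3, 9 packets
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:NP|RP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?")

# Constructed sample input.
SAMPLE = [
    "Dec  8 17:01:02 gw 101: %SEC-6-IPACCESSLOGRP: list 151 denied ospf 192.0.2.10 -> 20.0.0.5, 1 packet",
    "Dec  8 17:06:02 gw 102: %SEC-6-IPACCESSLOGRP: list 151 denied ospf 192.0.2.10 -> 20.0.0.5, 412 packets",
    "Dec  8 17:06:05 gw 103: %SEC-6-IPACCESSLOGNP: list 151 denied 47 192.0.2.77 -> 20.1.2.3, 9 packets",
    "Dec  8 17:06:09 gw 104: %SEC-6-IPACCESSLOGNP: list 150 denied 50 192.0.2.1 -> 20.0.0.9, 5 packets",
    "Dec  8 17:06:11 gw 105: %SEC-6-IPACCESSLOGP: list 151 permitted tcp 192.0.2.3(1025) -> 20.0.0.8(80), 1 packet",
    "Dec  8 17:07:00 gw 106: %SEC-6-IPACCESSLOGNP: list 151 denied 200 192.0.2.50 -> 20.0.0.5, 3 packets",
]

def proto_label(token):
    """Map a logged protocol token (number or keyword) to one label."""
    if token.isdigit():
        num = int(token)
        return PROTO_NAMES.get(num, f"proto-{num}")
    return token.lower()

def tally_protocols(lines, acl="151"):
    """Return Counter {protocol label: packet count} for denied hits on `acl`."""
    totals = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["action"] != "denied":
            continue  # other lists, permits, and TCP/UDP/ICMP message types
        totals[proto_label(m["proto"])] += int(m["count"])
    return totals

if __name__ == "__main__":
    for label, packets in tally_protocols(SAMPLE).most_common():
        print(f"{label:12} {packets}")
```

The packet count at the end of each message matters because the router aggregates repeated hits into periodic summary lines, so counting lines instead of packets would understate the dominant protocol.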

participants (3)
- Adam D. McKenna
- Daniel Senie
- Henry Linneweh