Re: Protocol 17 floods from Vietnam & Mexico?
Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols. On 12/09/2017 18:24, Matt Harris wrote:
Protocol 17 is UDP. UDP is pretty common on the internet. Not sure why source and destination ports aren't being shown by your tool there, might be malformed UDP packets designed to obscure themselves from or otherwise evade some intrusion detection or firewall systems.
On Tue, Sep 12, 2017 at 8:08 PM, Large Hadron Collider <large.hadron.collider@gmx.com <mailto:large.hadron.collider@gmx.com>> wrote:
18:04:32.391082 IP 138-122-97-251.internet.static.ientc.mx <http://138-122-97-251.internet.static.ientc.mx> > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391088 IP 138-122-97-251.internet.static.ientc.mx <http://138-122-97-251.internet.static.ientc.mx> > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391110 IP 115.75.50.106.35180 > umbrellix.net.10454: UDP, bad length 65500 > 1464 18:04:32.391145 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391152 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391158 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391164 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391170 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391176 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391182 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391188 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391194 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391199 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391205 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391211 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391217 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391223 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391229 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391234 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391248 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391255 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391261 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391266 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391272 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391278 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391284 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391289 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391295 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391313 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391319 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391325 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391331 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391336 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391342 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391348 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391354 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391367 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391374 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391379 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391385 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391391 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391396 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391402 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391408 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391414 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391420 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17 18:04:32.391426 IP 115.75.50.106 > umbrellix.net <http://umbrellix.net>: ip-proto-17
Some stupidity has me wondering... protocol 17? Huh?
Is this some attempt to exploit me while at the same time flooding me at over 800Mbit/s?
Needless to say, I've shut my computer down to avoid going over my data allowance.
-- Matt Harris - Chief Security Officer Main: +1 855.696.3834 ext 103 Mobile: +1 908.590.9472 Email:matt@netfire.net <mailto:matt@netfire.net>
In message <08ed2903-c81c-aa2e-cd04-4fa117840d14@gmx.com>, Large Hadron Collider writes:
Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols.
On 12/09/2017 18:24, Matt Harris wrote:
Protocol 17 is UDP. UDP is pretty common on the internet. Not sure why source and destination ports aren't being shown by your tool there, might be malformed UDP packets designed to obscure themselves from or otherwise evade some intrusion detection or firewall systems.
No ports are listed because they are not the initial fragment of the UDP packet. Only the initial fragment that contains the UDP header has the ports reported. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
It might be spoofed source IPs Krunal Shah -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Andrews Sent: Tuesday, September 12, 2017 10:45 PM To: Large Hadron Collider Cc: nanog@nanog.org Subject: Re: Protocol 17 floods from Vietnam & Mexico? In message <08ed2903-c81c-aa2e-cd04-4fa117840d14@gmx.com>, Large Hadron Collider writes:
Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols.
On 12/09/2017 18:24, Matt Harris wrote:
Protocol 17 is UDP. UDP is pretty common on the internet. Not sure why source and destination ports aren't being shown by your tool there, might be malformed UDP packets designed to obscure themselves from or otherwise evade some intrusion detection or firewall systems.
No ports are listed because they are not the initial fragment of the UDP packet. Only the initial fragment that contains the UDP header has the ports reported. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org -------------------------------- This electronic message contains information from Primus Management ULC ("PRIMUS") , which may be legally privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or e-mail (to the number or address above) immediately. Any views, opinions or advice expressed in this electronic message are not necessarily the views, opinions or advice of PRIMUS. It is the responsibility of the recipient to ensure that any attachments are virus free and PRIMUS bears no responsibility for any loss or damage arising in any way from the use thereof.The term "PRIMUS" includes its affiliates. -------------------------------- Pour la version en français de ce message, veuillez voir http://www.primustel.ca/fr/legal/cs.htm
On Wed, Sep 13, 2017 at 9:59 AM, Krunal Shah <KShah@primustel.ca> wrote:
It might be spoofed source IPs
if you are seeing large fragmented udp packets.. it's almost always not spoofed. or historically speaking anyway it's not been spoofed. There are cases with dns reflection that include spoofing, but by the time you see the large packet .. that's not spoofed it's coming from the dns server talking to you, why it's talking to you is due to spoofing, but that's outside (most times) your span of control.
Krunal Shah
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Andrews Sent: Tuesday, September 12, 2017 10:45 PM To: Large Hadron Collider Cc: nanog@nanog.org Subject: Re: Protocol 17 floods from Vietnam & Mexico?
In message <08ed2903-c81c-aa2e-cd04-4fa117840d14@gmx.com>, Large Hadron Collider writes:
Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols.
On 12/09/2017 18:24, Matt Harris wrote:
Protocol 17 is UDP. UDP is pretty common on the internet. Not sure why source and destination ports aren't being shown by your tool there, might be malformed UDP packets designed to obscure themselves from or otherwise evade some intrusion detection or firewall systems.
No ports are listed because they are not the initial fragment of the UDP packet. Only the initial fragment that contains the UDP header has the ports reported.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
-------------------------------- This electronic message contains information from Primus Management ULC ("PRIMUS") , which may be legally privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or e-mail (to the number or address above) immediately. Any views, opinions or advice expressed in this electronic message are not necessarily the views, opinions or advice of PRIMUS. It is the responsibility of the recipient to ensure that any attachments are virus free and PRIMUS bears no responsibility for any loss or damage arising in any way from the use thereof.The term "PRIMUS" includes its affiliates. -------------------------------- Pour la version en français de ce message, veuillez voir http://www.primustel.ca/fr/legal/cs.htm
The port info is in the first fragmented packet as was mentioned elsewhere. My guess is someone fragmenting large packets ( the mtu is set to 1464 or so). and the host is receiving those fragment, but it not reconstructing the packets. If it is possible to do a tcpdump/wireshark etc , then the content of the packets can be very easily observed . 18:04:32.391082 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17 18:04:32.391088 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17 18:04:32.391110 IP 115.75.50.106.35180 > umbrellix.net.10454: UDP, bad length 65500 > 1464 18:04:32.391145 IP 115.75.50.106 > umbrellix.net: ip-proto-17 18:04:32.391152 IP 115.75.50.106 > umbrellix.net: ip-proto-17 18:04:32.391158 IP 115.75.50.106 > umbrellix.net: ip-proto-17 From: Christopher Morrow <morrowc.lists@gmail.com> To: Krunal Shah <KShah@primustel.ca> Cc: "nanog@nanog.org" <nanog@nanog.org> Sent: Wednesday, September 13, 2017 7:59 AM Subject: Re: Protocol 17 floods from Vietnam & Mexico? On Wed, Sep 13, 2017 at 9:59 AM, Krunal Shah <KShah@primustel.ca> wrote:
It might be spoofed source IPs
if you are seeing large fragmented udp packets.. it's almost always not spoofed. or historically speaking anyway it's not been spoofed. There are cases with dns reflection that include spoofing, but by the time you see the large packet .. that's not spoofed it's coming from the dns server talking to you, why it's talking to you is due to spoofing, but that's outside (most times) your span of control.
Krunal Shah
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Andrews Sent: Tuesday, September 12, 2017 10:45 PM To: Large Hadron Collider Cc: nanog@nanog.org Subject: Re: Protocol 17 floods from Vietnam & Mexico?
In message <08ed2903-c81c-aa2e-cd04-4fa117840d14@gmx.com>, Large Hadron Collider writes:
Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols.
On 12/09/2017 18:24, Matt Harris wrote:
Protocol 17 is UDP. UDP is pretty common on the internet. Not sure why source and destination ports aren't being shown by your tool there, might be malformed UDP packets designed to obscure themselves from or otherwise evade some intrusion detection or firewall systems.
No ports are listed because they are not the initial fragment of the UDP packet. Only the initial fragment that contains the UDP header has the ports reported.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
-------------------------------- This electronic message contains information from Primus Management ULC ("PRIMUS") , which may be legally privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or e-mail (to the number or address above) immediately. Any views, opinions or advice expressed in this electronic message are not necessarily the views, opinions or advice of PRIMUS. It is the responsibility of the recipient to ensure that any attachments are virus free and PRIMUS bears no responsibility for any loss or damage arising in any way from the use thereof.The term "PRIMUS" includes its affiliates. -------------------------------- Pour la version en français de ce message, veuillez voir http://www.primustel.ca/fr/legal/cs.htm
participants (5)
-
Christopher Morrow
-
i mawsog
-
Krunal Shah
-
Large Hadron Collider
-
Mark Andrews