Protocol 17 floods from Vietnam & Mexico?
18:04:32.391082 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17
18:04:32.391088 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17
18:04:32.391110 IP 115.75.50.106.35180 > umbrellix.net.10454: UDP, bad length 65500 > 1464
18:04:32.391145 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391152 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391158 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391164 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391170 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391176 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391182 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391188 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391194 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391199 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391205 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391211 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391217 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391223 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391229 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391234 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391248 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391255 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391261 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391266 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391272 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391278 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391284 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391289 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391295 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391313 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391319 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391325 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391331 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391336 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391342 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391348 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391354 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391367 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391374 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391379 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391385 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391391 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391396 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391402 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391408 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391414 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391420 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391426 IP 115.75.50.106 > umbrellix.net: ip-proto-17

Some stupidity has me wondering... protocol 17? Huh?
Is this some attempt to exploit me while at the same time flooding me at over 800Mbit/s?
Needless to say, I've shut my computer down to avoid going over my data allowance.
Protocol 17 likely refers to UDP.
https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Large Hadron Collider
Sent: Wednesday, 13 September 2017 11:08 AM
To: nanog@nanog.org
Subject: Protocol 17 floods from Vietnam & Mexico?

Some stupidity has me wondering... protocol 17? Huh?
Is this some attempt to exploit me while at the same time flooding me at over 800Mbit/s?
Needless to say, I've shut my computer down to avoid going over my data allowance.
Protocol 17 == UDP. These are just very big (65500 byte) UDP packets which have been fragmented. Somebody needs to teach that packet analyser that UDP packets can be this big over IPv4 and bigger still if you are using IPv6 jumbo packets.

Mark

In message <1bf07b56-f71c-1fec-bfd2-386a67c2b138@gmx.com>, Large Hadron Collider writes:
Some stupidity has me wondering... protocol 17? Huh?
Is this some attempt to exploit me while at the same time flooding me at over 800Mbit/s?
Needless to say, I've shut my computer down to avoid going over my data allowance.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
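Added example, not part of the original thread: a Python sketch that applies the reading given in the reply above to tcpdump lines in the format the thread shows, counting fragments per source and checking the count against what one fragmented datagram of the reported size would need. The function names, hosts and sample lines are constructed; it assumes tcpdump's two "bad length" figures exclude the 8-byte UDP header and that every fragment carries as much as the first.

```python
import math
import re
from collections import defaultdict

UDP_HEADER = 8  # bytes; only the first fragment of a datagram carries it

LINE = re.compile(r"^\S+ IP (\S+) > ([^:]+): (.*)$")
BAD_LENGTH = re.compile(r"UDP, bad length (\d+) > (\d+)$")
BARE_PROTO = re.compile(r"ip-proto-(\d+)$")

def expected_fragments(udp_payload, captured_payload):
    """Fragments per datagram if each carries as much as the first one.

    Assumption: both tcpdump figures exclude the 8-byte UDP header.
    """
    return math.ceil((udp_payload + UDP_HEADER) / (captured_payload + UDP_HEADER))

def summarise(lines):
    """Per source host: first fragments, later fragments, fragments expected."""
    stats = defaultdict(lambda: {"first": 0, "later": 0, "expected": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, _dst, rest = m.groups()
        bad = BAD_LENGTH.match(rest)
        bare = BARE_PROTO.match(rest)
        if bad:  # offset 0: UDP header visible, so ports are printed
            host = src.rsplit(".", 1)[0]  # strip the source port
            stats[host]["first"] += 1
            stats[host]["expected"] += expected_fragments(int(bad[1]), int(bad[2]))
        elif bare and bare[1] == "17":  # offset > 0: no UDP header to decode
            stats[src]["later"] += 1
    return dict(stats)

# Constructed sample in the thread's tcpdump format (RFC 5737 addresses).
SAMPLE = (
    ["18:04:32.000001 IP 198.51.100.7 > victim.example.net: ip-proto-17"] * 2
    + ["18:04:32.000010 IP 192.0.2.10.35180 > victim.example.net.10454: "
       "UDP, bad length 65500 > 1464"]
    + ["18:04:32.000020 IP 192.0.2.10 > victim.example.net: ip-proto-17"] * 44
)

if __name__ == "__main__":
    for host, s in summarise(SAMPLE).items():
        seen = s["first"] + s["later"]
        print(f"{host}: {seen} fragments seen, {s['expected']} expected")
```

A source that shows only bare ip-proto-17 lines, with no first fragment in the capture window, cannot be sized from the log alone; its expected count stays at 0.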
participants (3): Large Hadron Collider, Mark Andrews, Matthew Smee