
Help with identifying a kind of attack.


Thom Youngblood

Dec 8, 1998
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I've been tracking an attack all day long, and have been frustrated
trying to figure out both what was being attacked, and how. Finally,
I realized it was *not* ICMP, UDP, or TCP.

#sh access-lists 151
Extended IP access list 151
permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
permit ip any any (4450563 matches)


In the above, notice the disparity? So, my question is...

What the hell kind of packet is it if it's not ICMP, UDP, or TCP?


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0 for non-commercial use <http://www.pgp.com>

iQA/AwUBNm2jB2fkezbzToVaEQIQQQCgllupf+cmax8w5n/RgYhlATz+BuQAn38r
Di2Ec9bI2Prrahm9yKp5rohS
=/qOm
-----END PGP SIGNATURE-----

Jon Green

Dec 8, 1998
On Tue, 8 Dec 1998 17:07:57 -0500, th...@cais.net writes:

> permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
> permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
> permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
> deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)

Fragments?

-Jon

-----------------------------------------------------------------
* Jon Green * "Life's a dance *
* jcg...@netins.net * you learn as you go" *
* Finger for Geek Code/PGP * *
* #include "std_disclaimer.h" * http://www.quadrunner.com/~jon *
-------------------------------------------------------------------------

Ehud Gavron

Dec 8, 1998
Fragments don't appear to count as ICMPs.

E

Nikos Mouat

Dec 8, 1998

Could be GRE, IGMP, anything really. Running NetFlow would probably let
you know real quick.

nm

Andy McConnell

Dec 8, 1998

On Tue, 8 Dec 1998, Thom Youngblood wrote:

>I've been tracking an attack all day long, and have been frustrated
>trying to figure out both what was being attacked, and how. Finally,
>I realized it was *not* ICMP, UDP, or TCP.
>

>#sh access-lists 151
>Extended IP access list 151

> permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
> permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
> permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
> deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)

> permit ip any any (4450563 matches)
>
>
>In the above, notice the disparity? So, my question is...
>
>What the hell kind of packet is it if it's not ICMP, UDP, or TCP?

#access-list 123 permit ?
<0-255> An IP protocol number
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol

There are lots of protocols other than these. For example, IPv6 is
protocol number 41.

Also, try
permit ip any any log
! This will definitely tell you what you're seeing.

-Andy


--
Andy McConnell 真向練 安堵龍
NTT America IP Headquarters

Lazlo's Chinese Relativity Axiom: No matter how great your
triumphs or how tragic your defeats, approximately one billion
Chinese couldn't care less.

David O'Leary

Dec 8, 1998

maybe EGP?

:-/
dave

At 05:07 PM 12/8/98 -0500, Thom Youngblood wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>

>I've been tracking an attack all day long, and have been frustrated
>trying to figure out both what was being attacked, and how. Finally,
>I realized it was *not* ICMP, UDP, or TCP.
>
>#sh access-lists 151
>Extended IP access list 151
> permit icmp any 20.0.0.0 0.255.255.255 (1023 matches)
> permit udp any 20.0.0.0 0.255.255.255 (4347 matches)
> permit tcp any 20.0.0.0 0.255.255.255 (86444 matches)
> deny ip any 20.0.0.0 0.255.255.255 (5547308 matches)
> permit ip any any (4450563 matches)
>
>
>In the above, notice the disparity? So, my question is...
>
>What the hell kind of packet is it if it's not ICMP, UDP, or TCP?
>
>

Adam D. McKenna

Dec 8, 1998
TCP and UDP are transport-layer protocols. If someone is sending raw IP
packets that aren't using a particular transport protocol, maybe they could
get through (?)

--Adam

-----Original Message-----
From: Thom Youngblood <th...@cais.net>
To: North America Network Operators Group <na...@merit.edu>
Date: Tuesday, December 08, 1998 5:55 PM
Subject: Help with identifying a kind of attack.


:-----BEGIN PGP SIGNED MESSAGE-----

:
:

Henry Linneweh

Dec 8, 1998
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Could be other protocols such as IPX, SPX, NetBEUI and AppleTalk.

Henry R. Linneweh

- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBNm3+seBkoZ0XTT12EQLDpQCg8YS/niBpz/0rW19iMMvKpKVUJC8AoIdL
0kLjVqfbSSxRLeNy2j4qubXY
=FmgT
- -----END PGP SIGNATURE-----

Daniel Senie

Dec 9, 1998
Depending on how your upstream is set up, it could be OSPF, for example.
To see what it is you're capturing, set up logging to a syslog host,
and add "log" to the end of the drop line

deny ip any 20.0.0.0 0.255.255.255 log

and you'll see the protocol number reported in the logging output. To
see a list of the port numbers, you can look at any IANA mirror. The
document you want is located at
http://www.amaranthnetworks.com/ietf/iana/assignments/protocol-numbers
on my mirror.

There are presently assignments from zero to 119. There are lots of
possibilities. OSPF is one that sometimes wanders over lines from
upstream providers to downstream sites, for example.

Dan

--
-----------------------------------------------------------------
Daniel Senie d...@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
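As an added example, not code from the thread or from any of its posters: a small Python script that does what Dan (and Andy, earlier in the thread) suggest, turning the router's ACL log lines into a packet count per IP protocol number so the unexplained traffic gets a name. The syslog lines it reads are constructed here, modeled on the %SEC-6-IPACCESSLOG* message family IOS emits for the "log" keyword; whether a given protocol shows up as a keyword ("tcp", "igmp") or a bare number ("47"), and the small protocol table, are assumptions for illustration rather than a copy of the IANA registry. The ACL number 151 and the 20.0.0.0/8 destinations follow the original post.

```python
"""Attribute Cisco IOS ACL 'log' output to IP protocol numbers.

Added example (not from the thread). Log lines are constructed and modeled
on the %SEC-6-IPACCESSLOG{P,DP,NP,RP} messages IOS produces when an ACL
entry carries the 'log' keyword; the exact spelling of the protocol field
(keyword vs. number) is an assumption.
"""
import re
from collections import Counter

# Subset of IANA protocol numbers that come up in this thread (assumption:
# enough for illustration; the real registry is much longer).
IANA_PROTOCOLS = {
    1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 8: "EGP", 9: "IGP",
    17: "UDP", 41: "IPv6", 47: "GRE", 50: "ESP", 51: "AH",
    88: "EIGRP", 89: "OSPF", 94: "IPIP (KA9Q NOS)",
}
# IOS prints well-known protocols by keyword in the log line; anything else
# is assumed to appear as the bare protocol number.
KEYWORD_TO_NUMBER = {name.lower(): num for num, name in IANA_PROTOCOLS.items()}
# The protocols Thom's permit lines already account for.
TRANSPORTS = {1, 6, 17}

# list <acl> <permitted|denied> <proto> <src>[(port)] -> <dst>[(port)] [(type/code)], <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+(?:\.\d+){3})(?:\(\d+\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\(\d+\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

# Constructed sample, not a capture from the original poster's router.
# IOS logs the first matching packet, then a summary line every five
# minutes (the "2890 packets" line); that is where the volume shows up.
SAMPLE_LOG = [
    "Dec  8 17:01:12 gw1 1234: %SEC-6-IPACCESSLOGP: list 151 denied tcp 192.0.2.10(1025) -> 20.1.1.1(23), 1 packet",
    "Dec  8 17:01:13 gw1 1235: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.0.2.11 -> 20.1.1.1 (8/0), 1 packet",
    "Dec  8 17:01:14 gw1 1236: %SEC-6-IPACCESSLOGNP: list 151 denied 47 192.0.2.12 -> 20.1.1.1, 1 packet",
    "Dec  8 17:06:14 gw1 1237: %SEC-6-IPACCESSLOGNP: list 151 denied 47 192.0.2.12 -> 20.1.1.1, 2890 packets",
    "Dec  8 17:06:15 gw1 1238: %SEC-6-IPACCESSLOGNP: list 151 denied 41 198.51.100.7 -> 20.1.1.1, 12 packets",
    "Dec  8 17:06:16 gw1 1239: %SEC-6-IPACCESSLOGRP: list 151 denied igmp 192.0.2.13 -> 20.1.1.1, 3 packets",
    "Dec  8 17:06:17 gw1 1240: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.14(53) -> 20.1.1.2(53), 7 packets",
    "Dec  8 17:06:18 gw1 1241: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_acl_log(line):
    """Return (acl, action, protocol_number, src, dst, packets) or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    number = int(proto) if proto.isdigit() else KEYWORD_TO_NUMBER.get(proto.lower())
    if number is None:
        return None  # unknown keyword: do not guess a number for it
    return (m.group("acl"), m.group("action"), number,
            m.group("src"), m.group("dst"), int(m.group("count")))


def denied_by_protocol(lines, acl):
    """Packets denied by ACL `acl`, keyed by IP protocol number."""
    tally = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec[0] == acl and rec[1] == "denied":
            tally[rec[2]] += rec[5]
    return tally


def not_tcp_udp_icmp(tally):
    """The share of the tally that no icmp/udp/tcp permit line could have matched."""
    return {IANA_PROTOCOLS.get(n, f"proto {n}"): c
            for n, c in tally.items() if n not in TRANSPORTS}


if __name__ == "__main__":
    counts = denied_by_protocol(SAMPLE_LOG, "151")
    for number, packets in counts.most_common():
        print(f"proto {number:3d} {IANA_PROTOCOLS.get(number, '?'):>8}: {packets} packets")
    print("not icmp/udp/tcp:", not_tcp_udp_icmp(counts))
```

Two cautions before turning this on against 5.5 million packets: logged packets are handled by the router's CPU rather than its fast path, and IOS rate-limits and summarises them (one line for the first packet, then a summary roughly every five minutes), so the counts in syslog will lag the ACL counters and a long enough flood can hurt the router doing the logging. Leave "log" on only as long as it takes to read the protocol number, then follow Nikos's advice and let NetFlow carry the ongoing accounting.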
