[174122] in North American Network Operators' Group


Re: where to go to understand DDoS attack vector

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Tue Aug 26 09:58:23 2014

X-Original-To: nanog@nanog.org
From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <7f2ce6cba805dc1fb6cd55d5416ca7c7@mail.gmail.com>
Date: Tue, 26 Aug 2014 20:58:08 +0700
To: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On Aug 26, 2014, at 8:37 PM, John York <johny@griffintechnology.com> wrote:

> In this case, 17 is both the protocol and port number. Confusing coincidence :)

Not in this output which the OP sent to the list:

> 8:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c E.....@.8.....;.
>                0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 @^....i.....C...
>                0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............


> 18:33:58.482193 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c E.....@.8.....;.
>                0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 @^....i.....C...
>                0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.484625 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c E.....@.8.....;.
>                0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 @^....i.....C...
>                0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............
> 18:33:58.486137 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 29) x.x.x.x.2072 > x.x.x.x.27015: UDP, length 1
>                0x0000: 4500 001d 0000 4000 3811 088c cf9a 3b8c E.....@.8.....;.
>                0x0010: 405e eebf 0818 6987 0009 10f8 4300 0000 @^....i.....C...
>                0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............

Source port 2072, destination port 27015.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön
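
The protocol-versus-port distinction in the message above, as an added example that is not part of the original post: a small Python parser that rebuilds a packet from `tcpdump -X` style hex lines and reads the IP protocol field and the UDP ports from their separate header offsets. The sample dump is constructed to mirror the quoted capture's header values, with both addresses replaced by documentation addresses (an assumption of this example), and the function names are hypothetical.

```python
import re
import struct

# Constructed sample in tcpdump -X layout. Header values follow the capture
# quoted in the thread; both IP addresses are swapped for documentation
# addresses, so the checksums are not valid and are not checked.
SAMPLE_DUMP = """\
0x0000:  4500 001d 0000 4000 3811 088c c000 020a  E.....@.8.......
0x0010:  c633 6414 0818 6987 0009 10f8 4300 0000  .3d...i.....C...
0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
"""

HEX_COLUMN = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)", re.I)


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild packet bytes from the hex column, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_COLUMN.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_ipv4_udp(raw: bytes) -> dict:
    """Decode the IPv4 header and, when the protocol is UDP (17), the UDP header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(raw):
        raise ValueError("not a complete IPv4 packet")
    # Captured bytes past the IP total length are trailing padding, not payload.
    info = {"ip_proto": proto, "ttl": ttl, "ip_len": total_len,
            "padding": len(raw) - total_len}
    if proto != 17:  # the protocol number lives in the IP header (byte 9)
        return info
    if total_len < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("bad UDP length")
    info.update(src_port=sport, dst_port=dport,  # ports live in the UDP header
                payload=raw[ihl + 8:ihl + udp_len])
    return info


if __name__ == "__main__":
    print(parse_ipv4_udp(dump_to_bytes(SAMPLE_DUMP)))
```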

