[195762] in North American Network Operators' Group
Re: Protocol 17 floods from Vietnam & Mexico?
daemon@ATHENA.MIT.EDU (i mawsog via NANOG)
Thu Sep 14 07:57:42 2017
X-Original-To: nanog@nanog.org
Date: Wed, 13 Sep 2017 15:59:20 +0000 (UTC)
To: Christopher Morrow <morrowc.lists@gmail.com>,
Krunal Shah <KShah@primustel.ca>
In-Reply-To: <CAL9jLab+s-cvxTYUNmbQOGt_SVa03v36JYKgBqXE8eSUJmVN5w@mail.gmail.com>
From: i mawsog via NANOG <nanog@nanog.org>
Reply-To: i mawsog <imawsog@yahoo.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
The port info is in the first fragmented packet, as was mentioned elsewhere. My guess is someone fragmenting large packets (the MTU is set to 1464 or so), and the host is receiving those fragments, but it is not reconstructing the packets. If it is possible to do a tcpdump/wireshark etc., then the content of the packets can be very easily observed.
18:04:32.391082 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17
18:04:32.391088 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17
18:04:32.391110 IP 115.75.50.106.35180 > umbrellix.net.10454: UDP, bad length 65500 > 1464
18:04:32.391145 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391152 IP 115.75.50.106 > umbrellix.net: ip-proto-17
18:04:32.391158 IP 115.75.50.106 > umbrellix.net: ip-proto-17
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Krunal Shah <KShah@primustel.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Sent: Wednesday, September 13, 2017 7:59 AM
Subject: Re: Protocol 17 floods from Vietnam & Mexico?

On Wed, Sep 13, 2017 at 9:59 AM, Krunal Shah <KShah@primustel.ca> wrote:
> It might be spoofed source IPs
>
>
If you are seeing large fragmented UDP packets, it's almost always not spoofed,
or, historically speaking anyway, it's not been spoofed.
There are cases with DNS reflection that include spoofing, but by the time
you see the large packet, that's not spoofed; it's coming from the DNS
server talking to you. Why it's talking to you is due to spoofing, but
that's outside (most times) your span of control.
>
> Krunal Shah
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Andrews
> Sent: Tuesday, September 12, 2017 10:45 PM
> To: Large Hadron Collider
> Cc: nanog@nanog.org
> Subject: Re: Protocol 17 floods from Vietnam & Mexico?
>
>
> In message <08ed2903-c81c-aa2e-cd04-4fa117840d14@gmx.com>, Large Hadron
> Collider writes:
> > Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols.
> >
> >
> > On 12/09/2017 18:24, Matt Harris wrote:
> > > Protocol 17 is UDP. UDP is pretty common on the internet. Not sure
> > > why source and destination ports aren't being shown by your tool
> > > there; might be malformed UDP packets designed to obscure themselves
> > > from or otherwise evade some intrusion detection or firewall systems.
>
> No ports are listed because they are not the initial fragment of the UDP
> packet. Only the initial fragment that contains the UDP header has the
> ports reported.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
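Added example, not code from anyone in this thread: a small Python decoder, run over constructed packets, that reproduces why the tcpdump lines at the top of the post look the way they do. Ports are only readable from a fragment whose offset is zero (Mark's point), and the "bad length 65500 > 1464" note is the UDP length field exceeding the bytes actually present in that first fragment. Addresses, ports and the 1464-byte fragment size are constructed sample values; IP checksums are left zero because the decoder does not verify them.

```python
import struct
from ipaddress import IPv4Address

IPV4_HDR = "!BBHHHBBH4s4s"  # no IP options


def build_ipv4(src, dst, proto, payload, more_frags, frag_offset):
    """Constructed IPv4 header + payload (checksum 0, ident fixed)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, claimed_len, payload):
    """UDP header with a caller-chosen length field, so it can lie."""
    return struct.pack("!HHHH", sport, dport, claimed_len, 0) + payload


def describe(pkt):
    """One-line summary in the spirit of tcpdump's output."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, s, d = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    payload = pkt[ihl:total_len]
    src, dst = IPv4Address(s), IPv4Address(d)
    if proto != 17:
        return f"{src} > {dst}: ip-proto-{proto}"
    # A non-initial fragment carries only a slice of the UDP payload:
    # there is no UDP header in it, hence no ports to show.
    if offset != 0 or len(payload) < 8:
        return f"{src} > {dst}: ip-proto-17"
    sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    # UDP length field larger than what this fragment holds: the datagram
    # was fragmented (or the field is bogus); tcpdump flags it as bad length.
    if ulen > len(payload):
        return f"{src}.{sport} > {dst}.{dport}: UDP, bad length {ulen} > {len(payload)}"
    return f"{src}.{sport} > {dst}.{dport}: UDP, length {ulen - 8}"


if __name__ == "__main__":
    # Constructed: first fragment of a 65500-byte UDP datagram, then a later one.
    first = build_ipv4("198.51.100.7", "192.0.2.1", 17,
                       build_udp(35180, 10454, 65500, bytes(1456)), True, 0)
    later = build_ipv4("198.51.100.7", "192.0.2.1", 17, bytes(1464), True, 1464)
    for p in (first, later):
        print(describe(p))
```

Counting how many lines carry ports versus bare ip-proto-17 is the quick way to tell a flood of oversized fragmented datagrams from headerless junk.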