Help with identifying a kind of attack.

Andy McConnell andym at
Tue Dec 8 23:03:09 UTC 1998

On Tue, 8 Dec 1998, Thom Youngblood wrote:

>I've been tracking an attack all day long, and have been frustrated
>trying to figure out both what was being attacked, and how.  Finally,
>I realized it was *not* ICMP, UDP, or TCP.
>#sh access-lists 151
>Extended IP access list 151
>    permit icmp any (1023 matches)
>    permit udp any (4347 matches)
>    permit tcp any (86444 matches)
>    deny   ip any (5547308 matches)
>    permit ip any any (4450563 matches)
>In the above, notice the disparity?  So, my question is...
>What the hell kind of packet is it if it's not ICMP, UDP, or TCP?

#access-list 123 permit ?
  <0-255>  An IP protocol number
  eigrp    Cisco's EIGRP routing protocol
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

there's lots of protocols other than these... For example, IPv6 is
protocol number 41.

Also, try 
	permit ip any any log	
! This will definitely tell you what you're seeing.


Andy McConnell      真向練 安堵龍
NTT America IP Headquarters

Lazlo's Chinese Relativity Axiom:  No matter how great your
triumphs or how tragic your defeats, approximately one billion
Chinese couldn't care less.

More information about the NANOG mailing list