Protocol 17 floods from Vietnam & Mexico?
Large Hadron Collider
large.hadron.collider at gmx.com
Wed Sep 13 02:20:13 UTC 2017
Yes, I'm being UDP flooded. I worked that out by grepping /etc/protocols.
On 12/09/2017 18:24, Matt Harris wrote:
> Protocol 17 is UDP. UDP is pretty common on the internet. Not sure
> why source and destination ports aren't being shown by your tool
> there, might be malformed UDP packets designed to obscure themselves
> from or otherwise evade some intrusion detection or firewall systems.
>
>
> On Tue, Sep 12, 2017 at 8:08 PM, Large Hadron Collider
> <large.hadron.collider at gmx.com> wrote:
>
> 18:04:32.391082 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17
> 18:04:32.391088 IP 138-122-97-251.internet.static.ientc.mx > umbrellix.net: ip-proto-17
> 18:04:32.391110 IP 115.75.50.106.35180 > umbrellix.net.10454: UDP, bad length 65500 > 1464
> 18:04:32.391145 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391152 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391158 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391164 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391170 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391176 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391182 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391188 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391194 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391199 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391205 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391211 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391217 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391223 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391229 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391234 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391248 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391255 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391261 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391266 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391272 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391278 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391284 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391289 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391295 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391313 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391319 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391325 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391331 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391336 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391342 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391348 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391354 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391367 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391374 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391379 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391385 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391391 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391396 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391402 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391408 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391414 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391420 IP 115.75.50.106 > umbrellix.net: ip-proto-17
> 18:04:32.391426 IP 115.75.50.106 > umbrellix.net: ip-proto-17
>
> Some stupidity has me wondering... protocol 17? Huh?
>
>
> Is this some attempt to exploit me while at the same time flooding
> me at over 800Mbit/s?
>
>
> Needless to say, I've shut my computer down to avoid going over my
> data allowance.
>
>
>
>
> --
> Matt Harris - Chief Security Officer
> Main: +1 855.696.3834 ext 103
> Mobile: +1 908.590.9472
> Email: matt at netfire.net
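
A way to triage a capture like the one quoted in this thread, as an added example that is not part of the original messages: it parses tcpdump's default text output, counts packets per source, and separates port-less `ip-proto-N` lines (the form tcpdump's default output uses for non-first IP fragments) from UDP lines whose length field exceeds the bytes present, as in `bad length 65500 > 1464`. The sample lines are constructed, the addresses are documentation ranges, and the function names and the one-packet-per-line input are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default text format, one packet per line.
# Addresses are documentation ranges, not the hosts from the thread.
SAMPLE = """\
18:04:32.391082 IP 192.0.2.10 > 203.0.113.5: ip-proto-17
18:04:32.391088 IP 192.0.2.10 > 203.0.113.5: ip-proto-17
18:04:32.391110 IP 198.51.100.7.35180 > 203.0.113.5.10454: UDP, bad length 65500 > 1464
18:04:32.391145 IP 198.51.100.7 > 203.0.113.5: ip-proto-17
18:04:32.391152 IP 198.51.100.7 > 203.0.113.5: ip-proto-17
18:04:32.391158 IP 198.51.100.7 > 203.0.113.5: ip-proto-17
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # the relevant /etc/protocols entries
LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$")

def parse_line(line):
    """Return a dict describing one tcpdump line, or None if it is not an IPv4 line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, rest = m["src"], m["rest"]
    bare = re.fullmatch(r"ip-proto-(\d+)", rest)
    if bare:  # no ports shown: tcpdump decoded no transport header
        num = int(bare[1])
        return {"src": src, "kind": "no-l4-header", "proto": PROTO_NAMES.get(num, str(num))}
    if rest.startswith("UDP"):  # ports shown, so the last dotted field of src is the port
        host, _, sport = src.rpartition(".")
        bad = re.search(r"bad length (\d+) > (\d+)", rest)
        declared, available = (int(bad[1]), int(bad[2])) if bad else (None, None)
        return {"src": host, "sport": int(sport), "kind": "udp", "proto": "udp",
                "declared": declared, "available": available}
    return {"src": src, "kind": "other", "proto": None}

def summarize(text):
    """Count packet kinds per source; flag UDP headers claiming more data than present."""
    per_src = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts = per_src.setdefault(rec["src"], Counter())
        counts[rec["kind"]] += 1
        if rec.get("declared") and rec["declared"] > rec["available"]:
            counts["oversized-udp"] += 1
    return per_src

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, dict(counts))
```

A source whose traffic is one oversized UDP header followed by many `no-l4-header` packets is sending fragmented datagrams, which is why a port-based filter or IDS rule only ever sees the first packet of each.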