ISC reader Scott has indicated that starting on December 27th he has seen a significant increase in Protocol 47 traffic being denied by his firewalls. He has seen this trafficincreasing from a baseline of near zero to20,000 to 50,000 deniesper day. Protocol 47 traffic is not normally tracked by the ISC, so none of our sensors had detected this uptick. However a little investigation reveals that firewalls I have access to are also seeing this increase.">">is GRE (Generic Route Encapsulation) . It is commonly used as a Virtual Private Network(VPN). Essentially, GRE can be used to encapsulate any other">over IPv4. Sometimes it is used for IPv6 tunneling (instead of the more common IPv6 over IPv4,">41), and some anti-DDoS mitigation systems use it to route cleaned">I am showing this traffic originating from more than 100 unique sources. I would like to dig deeper into this, but unfortunately I dont have access to packet captures to take a closer look at the traffic. If you could let us know whether you are seeing the same thing, or better yet, have access to captures of this traffic, and could share it with us, it would be appreciated.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.