Channel: Information Security News

More on Protocol 47 denies (Thu, Dec 29th)


Following up on yesterday's diary on an increase in Protocol 47 traffic. Thanks to everyone who sent the ISC PCAPs and more information.

Current speculation is the Protocol 47 uptick is backscatter from a DDOS containing GRE traffic and using random source IPs.

While all of the packets appear to be IPv4 packets encapsulated in GRE, there are two flavors of packets involved. The smaller packets are consistently 66 bytes long and contain

The larger packets vary in size, but are typically in the high 500s of bytes and contain 512 bytes of data.
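A triage sketch for sorting captured Protocol 47 frames into the two size clusters described above; this is an added example, not code from the diary or from the ISC. It assumes the quoted sizes are on-wire Ethernet frame lengths, and the sample frames (documentation addresses, inner protocol 17) are constructed, not taken from the submitted PCAPs.

```python
import struct
from collections import Counter

GRE_PROTO = 47     # IP protocol number for GRE
ETH_IPV4 = 0x0800  # EtherType and GRE protocol type for IPv4

def parse_ipv4(buf):
    """Return (protocol, src, dst, payload), or None if not a complete IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or len(buf) < total:
        return None
    dotted = lambda b: ".".join(map(str, b))
    return buf[9], dotted(buf[12:16]), dotted(buf[16:20]), buf[ihl:total]

def gre_header_len(gre):
    """4 fixed bytes plus 4 for each of the checksum (C), key (K), sequence (S) flags."""
    return 4 + 4 * sum(bool(gre[0] & bit) for bit in (0x80, 0x20, 0x10))

def summarize(frame):
    """Summarize an Ethernet frame carrying IPv4-in-GRE; None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    outer = parse_ipv4(frame[14:])
    if outer is None or outer[0] != GRE_PROTO or len(outer[3]) < 4:
        return None
    gre = outer[3]
    if struct.unpack("!H", gre[2:4])[0] != ETH_IPV4:
        return None
    inner = parse_ipv4(gre[gre_header_len(gre):])
    if inner is None:
        return None
    return {"frame_len": len(frame), "outer_src": outer[1], "outer_dst": outer[2],
            "inner_proto": inner[0], "inner_payload_len": len(inner[3])}

def size_histogram(frames):
    """Count GRE-encapsulated frames by on-wire length to expose size clusters."""
    return Counter(s["frame_len"] for s in map(summarize, frames) if s)

# Constructed sample frames, not captured traffic; inner protocol 17 (8-byte header) is assumed.
def ipv4_bytes(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def sample_frame(data_len):
    inner = ipv4_bytes(17, (192, 0, 2, 1), (198, 51, 100, 7), bytes(8 + data_len))
    gre = struct.pack("!HH", 0, ETH_IPV4) + inner
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ipv4_bytes(
        GRE_PROTO, (203, 0, 113, 9), (192, 0, 2, 50), gre)
```

Feeding `size_histogram` the raw frames from a capture shows whether the traffic falls into the same two length clusters, and `summarize` gives the outer source and inner protocol for each frame.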

While the sources show IPs from over 50 countries, about 55% of the source IPs in my data were from Taiwan; presumably these IPs are the primary attack targets.

143.208.145.62, Brazil, Duarte Dias Eletroeletronicos Ltda
191.243.115.113, Brazil, Nettel Telecomunicações
61.63.178.186, Taiwan, SAVECOM-TW
95.42.116.59, Bulgaria, BTC-AS
24.249.56.149, USA, ASN-CXA-ALL-CCI-22773-RDC

However, I can find no indication of an ongoing DDOS against Taiwan or Chunghwa Telecom.

So while we have gotten further into the mystery, we still don't have the whole picture. Anybody have any ideas, or further information?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
