On Aug 18, 2009, at 12:01 PM, Philip D'Ath wrote:
> This is a bit of a long shot, but is anyone in NZ observing an attempted DOS attack using ESP traffic (in particular IP protocol 50)?

I'm not in NZ and am not observing one now, but do note that protocol
50 (and protocol 0, & 254, and everything in between) is sometimes
used by attackers to bypass ACLs/firewall rules, because folks often
don't think about anything other than TCP, UDP, and ICMP.

Note that if it is in fact a DDoS attack, it's likely not well-formed
ESP - rather, the protocol number in the header is simply set to 50 in
order to bypass filtering per the above.

So, it's not a strange idea, at all.

;>
-----------------------------------------------------------------------
Roland Dobbins
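
The check implied by the reply above, as an added example that is not part of the original message: a triage function that buckets raw IPv4 packets by protocol number and tests whether protocol-50 traffic even looks like ESP. All names (`classify`, `tally`, `KNOWN_SPIS`) and the sample packets are constructed for illustration, and it assumes the defender can export the SPIs of their own negotiated SAs.

```python
import struct
from collections import Counter

EXPECTED = {1: "icmp", 6: "tcp", 17: "udp"}  # what most ACLs are written around
ESP = 50

def build_ipv4(proto, payload):
    """Constructed sample: minimal IPv4 header (checksum 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]),
                       bytes([198, 51, 100, 5])) + payload

def classify(pkt, known_spis):
    """Verdict for one raw IPv4 packet arriving at the filter."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "not-ipv4"
    proto = pkt[9]
    if proto in EXPECTED:
        return EXPECTED[proto]
    if proto != ESP:
        return f"unexpected-proto-{proto}"
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return "esp-fragment"  # non-first fragment carries no ESP header
    body = pkt[ihl:]
    if len(body) < 8:  # ESP begins with 32-bit SPI + 32-bit sequence number
        return "esp-malformed"
    spi = struct.unpack("!I", body[:4])[0]
    if spi <= 255:  # SPI 0 and 1-255 are reserved (RFC 4303)
        return "esp-malformed"
    return "esp-known-sa" if spi in known_spis else "esp-unknown-sa"

def tally(packets, known_spis):
    """Count verdicts across a batch of packets."""
    return Counter(classify(p, known_spis) for p in packets)

# Constructed traffic; 0x1000AABB stands in for a locally negotiated SA.
KNOWN_SPIS = {0x1000AABB}
SAMPLES = [
    build_ipv4(6, bytes(20)),
    build_ipv4(50, struct.pack("!II", 0x1000AABB, 7) + bytes(32)),
    build_ipv4(50, bytes(64)),                        # proto 50, zero-filled junk
    build_ipv4(50, b"\xde\xad\xbe\xef" + bytes(60)),  # proto 50, unknown SPI
    build_ipv4(254, bytes(16)),
    build_ipv4(0, bytes(16)),
]

if __name__ == "__main__":
    for verdict, n in sorted(tally(SAMPLES, KNOWN_SPIS).items()):
        print(f"{n:3d}  {verdict}")
```

Anything other than `tcp`, `udp`, `icmp` and `esp-known-sa` is traffic an ACL written only around the usual three protocols would never have been asked about.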