
On Aug 18, 2009, at 12:01 PM, Philip D'Ath wrote:
This is a bit of a long shot, but is anyone in NZ observing an attempted DOS attack using ESP traffic (in particular IP protocol 50)?
I'm not in NZ and am not observing one now, but do note that protocol 50 (and protocol 0, & 254, and everything in between) is sometimes used by attackers to bypass ACLs/firewall rules, because folks often don't think about anything other than TCP, UDP, and ICMP.

Note that if it is in fact a DDoS attack, it's likely not well-formed ESP - rather, the protocol number in the header is simply set to 50 in order to bypass filtering per the above.

So, it's not a strange idea, at all.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins(a)arbor.net> // <http://www.arbornetworks.com>

Unfortunately, inefficiency scales really well.

-- Kevin Lawton
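
A defender-side sketch of the two points in the reply above, as an added example that is not part of the original message: an explicit IP-protocol allowlist rather than rules that only consider TCP, UDP and ICMP, plus a basic plausibility check on traffic that claims to be ESP. The allowlist, peer address, verdict names and sample packets are assumptions made for illustration; the SPI check relies on RFC 4303 reserving SPI values 0 through 255.

```python
import ipaddress
import struct

# Assumed policy: every IP protocol not listed here is dropped by default.
ALLOWED_PROTOCOLS = {1, 6, 17, 50}                    # ICMP, TCP, UDP, ESP
# Assumed: the only hosts we have IPsec security associations with.
IPSEC_PEERS = {ipaddress.ip_address("192.0.2.10")}

def classify(packet: bytes) -> str:
    """Return a filtering verdict for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed-ip"
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed-ip"
    proto = packet[9]                                 # IP protocol number
    src = ipaddress.ip_address(packet[12:16])
    if proto not in ALLOWED_PROTOCOLS:
        return "drop-unexpected-protocol"             # e.g. 0, 254, anything unlisted
    if proto != 50:
        return "pass-to-l4-rules"
    # Protocol 50: the number alone proves nothing, so sanity-check the claim.
    if src not in IPSEC_PEERS:
        return "drop-esp-unknown-peer"
    payload = packet[ihl:]
    if len(payload) < 8:                              # SPI + sequence number
        return "drop-esp-truncated"
    spi, _seq = struct.unpack("!II", payload[:8])
    if spi <= 255:                                    # reserved range, RFC 4303
        return "drop-esp-reserved-spi"
    return "esp-plausible"

def build(proto: int, src: str, payload: bytes = b"") -> bytes:
    """Construct a sample IPv4 packet (checksum left at 0; not verified above)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address("198.51.100.1").packed,
    )
    return header + payload

if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    samples = {
        "flood, proto 50 from stranger": build(50, "203.0.113.7", b"\x00" * 64),
        "proto 50 from peer, zero SPI": build(50, "192.0.2.10", b"\x00" * 64),
        "ESP-shaped from peer": build(50, "192.0.2.10", struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
        "proto 254": build(254, "203.0.113.7", b"\x00" * 64),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```
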