Help with identifying a kind of attack.

I've been tracking an attack all day long, and have been frustrated
trying to figure out both what was being attacked, and how. Finally,
I realized it was *not* ICMP, UDP, or TCP.

#sh access-lists 151
Extended IP access list 151
    permit icmp any (1023 matches)
    permit udp any (4347 matches)
    permit tcp any (86444 matches)
    deny ip any (5547308 matches)
    permit ip any any (4450563 matches)

In the above, notice the disparity? So, my question is...

What the hell kind of packet is it if it's not ICMP, UDP, or TCP?

maybe EGP?


#access-list 123 permit ?
  <0-255> An IP protocol number
  eigrp Cisco's EIGRP routing protocol
  gre Cisco's GRE tunneling
  icmp Internet Control Message Protocol
  igmp Internet Gateway Message Protocol
  igrp Cisco's IGRP routing protocol
  ip Any Internet Protocol
  ipinip IP in IP tunneling
  nos KA9Q NOS compatible IP over IP tunneling
  ospf OSPF routing protocol
  tcp Transmission Control Protocol
  udp User Datagram Protocol

there's lots of protocols other than these... For example, IPv6 is
protocol number 41.

Also, try
  permit ip any any log
! This will definitely tell you what you're seeing.


Could be GRE, IGMP, anything really.. running netflow would probably let
you know real quick