Milk attack

I'm curious if anyone knows of the "milk" attack. Our network was just
slammed by such an attack for about an hour, all aimed at one of our
core routers. A "sh ip cache x.x.x.x x.x.x.x fl" on it showed this:

SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr SrcP DstP  Pkts B/Pk  Active
Fa0/0  208.10.5.2    Local  X.X.X.X       11 0498 0017  164K1028   985.3

except from 10 to 15 hosts all nailing us at the same time. The protocol
as you see is "11" which I have been unable to find information about.
There was no way to filter it and access-lists denying protocol "11"
showed 0 matches. Anyone have any ideas?

==>SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr SrcP DstP  Pkts B/Pk  Active
==>Fa0/0  208.10.5.2    Local  X.X.X.X       11 0498 0017  164K1028   985.3
==>
==>except from 10 to 15 hosts all nailing us at the same time. The protocol
==>as you see is "11" which I have been unable to find information about.
==>There was no way to filter it and access-lists denying protocol "11"
==>showed 0 matches. Anyone have any ideas?

Protocol 0x11 is 17 in decimal.

#define IPPROTO_UDP 17 /* user datagram protocol */

Simple UDP flood.

/cah

Hi! Mr. Nash.
As you wrote, 11 is the UDP protocol, the Src port is 0x0498 (=1176) and the dest port is 0x17 (=23).
If you want to filter it, in your border router:
access-list 106 deny udp host 208.10.5.2 host dest.IP log-input
! an ACL ends in an implicit deny, so permit the remaining traffic
access-list 106 permit ip any any
and then, at your serial port:
ip access-group 106 in

That's all.

Regards,
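
The decoding done by hand in the replies above, as an added example that is not part of the original thread: a small parser for flow-cache rows that converts the hex Pr, SrcP and DstP columns to decimal and lists destinations hit by several sources at once. The rows other than the one quoted in the thread, the documentation-range addresses, the function names and the `min_sources` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# IANA protocol numbers (decimal) for values commonly seen in a flow cache.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# One flow row: SrcIf SrcIP DstIf DstIP Pr SrcP DstP <counters...>
ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\b"
)

def parse_flow_row(line):
    """Decode one row; the router prints Pr, SrcP and DstP in hex."""
    m = ROW.match(line.strip())
    if not m:
        return None  # header, blank line or wrapped counter line
    proto = int(m["pr"], 16)
    return {
        "src": m["src"], "dst": m["dst"],
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "sport": int(m["sport"], 16), "dport": int(m["dport"], 16),
    }

def fan_in(rows, min_sources=3):
    """Return {(dst, proto_name, dport): sorted sources} for many-to-one targets."""
    hits = defaultdict(set)
    for r in rows:
        hits[(r["dst"], r["proto_name"], r["dport"])].add(r["src"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_sources}

# Constructed sample: the row from the thread plus invented rows.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
Fa0/0 208.10.5.2 Local X.X.X.X 11 0498 0017 164K1028 985.3
Fa0/0 192.0.2.10 Local X.X.X.X 11 04D2 0017 150K1028 980.1
Fa0/0 198.51.100.7 Local X.X.X.X 11 0401 0017 171K1028 984.0
Fa0/0 203.0.113.5 Se0/0 192.0.2.99 06 C350 0050 12 40 1.2
"""

def analyze(text=SAMPLE):
    rows = [r for r in map(parse_flow_row, text.splitlines()) if r]
    return rows, fan_in(rows)

if __name__ == "__main__":
    rows, suspects = analyze()
    for (dst, proto, dport), srcs in suspects.items():
        print(f"{len(srcs)} sources -> {dst} {proto}/{dport}: {', '.join(srcs)}")
```

Decoding before filtering matters here because an access-list entry takes the protocol number in decimal, so a deny written for protocol 11 never matches traffic the cache displays as hex 11 (UDP, decimal 17).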