I'm curious if anyone knows of the "milk" attack. Our network was just slammed by such an attack for about an hour, all aimed at one of our core routers. A "sh ip cache x.x.x.x x.x.x.x fl" on it showed this:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
Fa0/0 208.10.5.2 Local X.X.X.X 11 0498 0017 164K1028 985.3
except from 10 to 15 hosts all nailing us at the same time. The protocol as you see is "11" which I have been unable to find information about. There was no way to filter it and access-lists denying protocol "11" showed 0 matches. Anyone have any ideas?
==>SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
==>Fa0/0 208.10.5.2 Local X.X.X.X 11 0498 0017 164K1028 985.3
==>
==>except from 10 to 15 hosts all nailing us at the same time. The
==>protocol as you see is "11" which I have been unable to find
==>information about. There was no way to filter it and access-lists
==>denying protocol "11" showed 0 matches. Anyone have any ideas?
Protocol 0x11 is 17 in decimal.
#define IPPROTO_UDP 17 /* user datagram protocol */
Simple UDP flood.
/cah
Hi, Mr. Nash.
As you wrote, 11 is the UDP protocol, the Src port is 0x0498 (=1176) and the dest port is 0x17 (=23).
If you want to filter it, in your border router,
access-list 106 deny udp host 208.10.5.2 host dest.IP log-input
! permit everything else; the list otherwise ends in an implicit deny
access-list 106 permit ip any any
and then, at your serial port
ip access-group 106 in
That's all.
Regards,
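
Added example, not part of any message in this thread: a Python sketch that decodes the hexadecimal Pr, SrcP and DstP columns of the flow cache output discussed above and lists destinations hit by several sources on the same protocol and port. The sample lines, addresses, function names and the min_sources threshold are constructed for illustration.

```python
import re
from collections import defaultdict

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # decimal IP protocol numbers

# Constructed sample in the layout shown in the thread; the addresses are
# documentation ranges, not real hosts.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts B/Pk Active
Fa0/0 192.0.2.10 Local 203.0.113.1 11 0498 0017 164K1028 985.3
Fa0/0 192.0.2.11 Local 203.0.113.1 11 04A2 0017 150K1028 979.0
Fa0/0 198.51.100.7 Local 203.0.113.1 11 0C01 0017 98K 1028 960.2
Fa0/0 198.51.100.9 Se0/1 203.0.113.40 06 C350 0050 12 512 3.1
"""

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<rest>.*)$")

def parse_flows(text):
    """Yield one dict per flow line, with Pr/SrcP/DstP converted from hex."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # header, blank line or wrapped fragment
        proto = int(m["pr"], 16)
        yield {"src": m["src"], "dst": m["dst"], "proto": proto,
               "proto_name": PROTO_NAMES.get(proto, str(proto)),
               "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),
               "counters": m["rest"]}  # left raw: columns can run together

def many_to_one(flows, min_sources=3):
    """Group by (dst, proto, dport); keep targets hit by >= min_sources hosts."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f["dst"], f["proto_name"], f["dport"])].add(f["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}

if __name__ == "__main__":
    for (dst, proto, dport), srcs in many_to_one(parse_flows(SAMPLE)).items():
        print(f"{dst} {proto}/{dport} <- {len(srcs)} sources: {', '.join(srcs)}")
```

The decoded protocol value is the decimal number an access-list entry expects, so a flow shown with Pr 11 is matched by a udp (17) entry.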