Proto 0 not displaying in ra
David Edelman
dedelman at iname.com
Mon Jun 24 20:44:37 EDT 2013
Carter,
Over the past few months we have seen some low-octane DDoS attempts that use
a protocol value of 0 in what otherwise appears to be an IPv4 packet. I just
checked the RFC referenced in the IANA document for hopopt and it seems to
make as much sense as most of the IPv6 documents. I agree with you, it is
either very, very obscure or a mistake. I'll post a question on NANOG and
see what lightning I can attract.
--Dave
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Monday, June 24, 2013 7:46 PM
To: David Edelman
Cc: 'Jesse Bowling'; 'argus-info'
Subject: Re: [ARGUS] Proto 0 not displaying in ra
Hey Dave,
So I mentioned in my earlier email that IPv6 options will never
find their way into our protocol field(s). I have no idea why
IANA includes an IPv6 option as a protocol. It must be an error?
So the zero pseudo protocol IP number, I'm not sure that that
is possible to send a packet with a zero in the IP protocol field.
IPinIP uses 4, so, not sure what it would mean for a router or
an end system to get a packet with a zero as the next header.
For us, I believe that racount() may be reporting on ARP flows as
having a protocol of 0, as we play some games with ARP/RARP flows,
when we aggregate them.
I'll try to look into it later tonight.
Jesse, have any data I can use that generates the error?
Carter
On Jun 24, 2013, at 6:24 PM, "David Edelman" <dedelman at iname.com> wrote:
Carter,
For at least some versions of Linux, the /etc/protocols file does have an
entry for protocol 0. In fact, some might include two entries (this example
is from Fedora Core 18):
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
# Last IANA update included dated 2011-05-03
#
# See also <http://www.iana.org/assignments/protocol-numbers>
ip      0       IP      # internet protocol, pseudo protocol number
hopopt  0       HOPOPT  # hop-by-hop options for ipv6
icmp    1       ICMP    # internet control message protocol
igmp    2       IGMP    # internet group management protocol
ggp     3       GGP     # gateway-gateway protocol
8< ------------------------ snip ----------------------------------------------
I'm not sure that the hopopt entry isn't causing some confusion, especially
if there is nothing to indicate IPv4 / IPv6 in the filter expression.
--Dave
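Two points in this message can be checked concretely: the /etc/protocols excerpt above, where the number 0 appears under two names, and the report at the top of the thread of packets that look like IPv4 but carry protocol 0. The Python below is an added example, not code from this thread or from the Argus project. The protocols excerpt and the packet bytes are constructed here, and parse_protocols, build_ipv4, parse_ipv4 and classify are helper names chosen for this illustration only.

```python
import socket
import struct

# Constructed /etc/protocols-style excerpt modelled on the Fedora snippet
# quoted in the thread (assumption: a real file is longer; only the
# line format matters here).
PROTOCOLS_TEXT = """\
# See also <http://www.iana.org/assignments/protocol-numbers>
ip      0       IP      # internet protocol, pseudo protocol number
hopopt  0       HOPOPT  # hop-by-hop options for ipv6
icmp    1       ICMP    # internet control message protocol
igmp    2       IGMP    # internet group management protocol
tcp     6       TCP     # transmission control protocol
udp     17      UDP     # user datagram protocol
ipv6    41      IPv6    # ipv6
"""


def parse_protocols(text):
    """Parse "name number [aliases...] # comment" lines.

    Returns (name -> number, number -> [names]).  Numbers that appear
    more than once are kept as a list so collisions stay visible.
    """
    by_name, by_number = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        name, number = fields[0], int(fields[1])
        by_name[name] = number
        for alias in fields[2:]:
            by_name[alias.lower()] = number
        by_number.setdefault(number, []).append(name)
    return by_name, by_number


def ambiguous_numbers(by_number):
    """Protocol numbers claimed by more than one name (ip vs hopopt)."""
    return {n: names for n, names in by_number.items() if len(names) > 1}


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 when a stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b""):
    """Hypothetical helper: minimal IPv4 packet with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet):
    """Decode the fixed IPv4 header fields; None if this is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return {
        "ihl": ihl,
        "total_len": struct.unpack("!H", packet[2:4])[0],
        "proto": packet[9],
        "src": socket.inet_ntoa(bytes(packet[12:16])),
        "dst": socket.inet_ntoa(bytes(packet[16:20])),
        "checksum_ok": ipv4_checksum(bytes(packet[:ihl])) == 0,
    }


def classify(packet, by_number):
    """Label a packet the way a triage script might, flagging protocol 0."""
    hdr = parse_ipv4(packet)
    if hdr is None:
        return "not-ipv4"
    if not hdr["checksum_ok"]:
        return "bad-checksum"
    names = by_number.get(hdr["proto"], ["unknown"])
    if hdr["proto"] == 0:
        # Neither "ip" nor "hopopt" is a meaningful IPv4 next-protocol
        # value, so report every name the table offers rather than pick one.
        return "proto0:" + "/".join(names)
    return names[0]


if __name__ == "__main__":
    by_name, by_number = parse_protocols(PROTOCOLS_TEXT)
    print("ambiguous:", ambiguous_numbers(by_number))
    odd = build_ipv4("192.0.2.1", "198.51.100.7", 0, b"\x00" * 8)  # constructed
    print(classify(odd, by_number), parse_ipv4(odd))
```

The name-to-number direction is where a filter expression can go wrong: both "ip" and "hopopt" resolve to 0, so a lookup by name cannot tell the two apart, which is why the script reports protocol 0 with both names instead of choosing one.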
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Monday, June 24, 2013 10:58 AM
To: David Edelman
Cc: 'Jesse Bowling'; 'argus-info'
Subject: Re: [ARGUS] Proto 0 not displaying in ra
Hey Jesse, David,
The proto 0 should be an argus artifact, an internal protocol
number so that we can process L2 and L3 protocol numbers
in the same code set, so you shouldn't see that.
Zero should be illegal for L2 and L3. We make a distinction
between IPv6 options and the next header protocol number.
Very curious that IANA doesn't make that distinction. That
seems like an error.
David is right, with an " - ip " filter, does it go away?
Got some data you can share that generates the error, so I
can check it out?
Carter
On Jun 20, 2013, at 8:49 PM, "David Edelman" <dedelman at iname.com> wrote:
Jesse,
I'm not sure that your filter expression is valid. If you are looking for
any of the IP related protocols then this does work on 3.0.7.10. When I use
a filter of - proto 0 it does not provide any records
racount -M proto -M addr -r * - ip
racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
    sum      2896        13853       7739       6114       4833073     1107119     3725954
Protocol Summary
   icmp        95          296        296          0         40960       40960           0
   igmp       354          354        354          0         22656       22656           0
    tcp      1172        10855       5375       5480       3983163      443295     3539868
    udp      1252         2291       1657        634        775907      589821      186086
   ipv6        12           24         24          0          2064        2064           0
    udp         3            4          4          0          1914        1914           0
    udp         7           29         29          0          6409        6409           0
Address Summary
IPv4 Unicast src 1 dst 45
IPv4 Unicast This Network src 1 dst 1
IPv4 Unicast Private src 18 dst 8
IPv4 Unicast Reserved src 1 dst 24
IPv4 Multicast Local src 0 dst 4
IPv4 Multicast Internet src 0 dst 2
IPv4 Multicast Reserved src 0 dst 1
IPv4 Multicast SiteLocal src 0 dst 1
IPv6 LinkLocal src 10 dst 0
IPv6 Multicast Link Local src 0 dst 10
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Jesse Bowling
Sent: Thursday, June 20, 2013 2:53 PM
To: argus-info
Subject: [ARGUS] Proto 0 not displaying in ra
Hi,
So I started with an racount:
# racount -M proto -M addr -r 6-18-13.argus
<snip>
racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
      0      1148         6377       6377          0       2710225     2710225           0
</snip>
I found that interesting so I wanted to look at the original records:
# ra -r 6-18-13.argus - proto 0
#
I'm using 3.0.7.9, and this appears to be a bug...Let me know if I can help
debug...
Cheers,
Jesse
--
Jesse Bowling