IP Protocol 255?
What is this? I noticed my network was crawling, so I pulled up the traffic monitor, about 1000 packets per second of IP Protocol 255 (80 bytes) were coming from a single computer to an outside IP address. I'm assuming this is some sort of a DOS, but the customer it's coming from doesn't know much about computers, he has some kids that do some gaming on the x-box, download files, ya know general kid stuff, but I don't think any of them know enough to carry out a dos attack. I null-routed the outside IP address, but the packets didn't stop. I finally disabled the IP on the interface, which of course stopped it. 15 mins later, I re-enabled it, and the packets resumed. Any ideas what this is?
bairdc
08-13-2003, 11:39 PM
With a little googling, I came up with this:
http://www.securityfocus.com/archive/75/270867/2002-04-30/2002-05-06/0
Basically, there is an IRC bot that matches your description. Here is a quote from the above-mentioned site:
Seen by "tcpdump", one of the attack methods of this tool uses IP protocol 255 (listed as "Reserved" by IANA). These attacks use both large packets (requiring fragmentation) and small packets. [Note: Network monitoring tools that only log TCP, UDP, and ICMP protocols will not see this attack traffic at all.]
Craig
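A defender-side check for the point in the quoted advisory (monitors that only log TCP, UDP and ICMP never see this traffic). This is an added Python example, not code from the thread or from the advisory: it parses raw IPv4 headers, counts packets per second per flow for every protocol other than 1/6/17, and flags a flow at the rate the original poster saw. The packets are constructed inline and the addresses are documentation ranges, not hosts from the thread.

```python
import struct
import socket
from collections import Counter, defaultdict

# IP protocol numbers a TCP/UDP/ICMP-only monitor would log (IANA: ICMP=1, TCP=6, UDP=17).
LOGGED_PROTOCOLS = {1, 6, 17}
RESERVED_PROTOCOL = 255  # "Reserved" per IANA, as in the quoted advisory

def parse_ipv4_header(pkt: bytes):
    """Return (src, dst, protocol, total_length) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, total_len

def build_ipv4_packet(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Constructed test packet: 20-byte header (checksum left zero) plus zero padding."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b"\x00" * (total_len - 20)

def find_unlogged_floods(timed_packets, pps_threshold=500):
    """timed_packets: iterable of (timestamp_seconds, raw_ipv4_bytes).
    Counts packets per (src, dst, proto) per whole second, ignoring TCP/UDP/ICMP,
    and returns [(src, dst, proto, peak_pps)] for flows that reach pps_threshold."""
    per_second = Counter()
    for ts, pkt in timed_packets:
        src, dst, proto, _ = parse_ipv4_header(pkt)
        if proto not in LOGGED_PROTOCOLS:
            per_second[(src, dst, proto, int(ts))] += 1
    peak = defaultdict(int)
    for (src, dst, proto, _sec), n in per_second.items():
        peak[(src, dst, proto)] = max(peak[(src, dst, proto)], n)
    return sorted((src, dst, proto, n) for (src, dst, proto), n in peak.items()
                  if n >= pps_threshold)

def constructed_sample():
    """Constructed traffic: 1000 protocol-255 packets of 80 bytes within one second
    from one LAN host to one outside address, mixed with ordinary TCP packets."""
    lan, outside, web = "192.0.2.10", "198.51.100.5", "203.0.113.80"
    flood = [(10.0 + i / 1000, build_ipv4_packet(lan, outside, RESERVED_PROTOCOL, 80))
             for i in range(1000)]
    normal = [(10.0 + i / 50, build_ipv4_packet(lan, web, 6, 60)) for i in range(50)]
    return flood + normal

if __name__ == "__main__":
    for src, dst, proto, pps in find_unlogged_floods(constructed_sample()):
        print(f"ALERT {src} -> {dst} proto {proto}: {pps} pkt/s (not TCP/UDP/ICMP)")
```

On a live link the same logic can be fed from a raw socket or a pcap reader; the point is that the filter keys on the IP protocol field, not on TCP/UDP ports.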
sploit
08-14-2003, 02:05 AM
Denial of Service attacks generally are caused by a worm. Depending on what port it is attacking on, it is probably trying as fast as it can to replicate itself amongst your LAN. Some DOS worms packet the living FUCK out of your equipment while it's doing this.
One DOS (Code Red) attacked 1 Internal WINNT 4 server in our basement last year, and caused 4 of our 10/100/1000 Switches to blink solid non stop sending HUGE packets of crap to any machine it could find, but the other machines were protected against such attacks, so data kept being resent over and over and over... well, needless to say, once the machine was unplugged, it all stopped.
This is why your customers should always be behind some direct router on their end, that way, the only shit that gets affected is their local network. Anything else will have to route out your main routers through your IP feeds. Which will then cause your routers to bitch slap the packets.
I dunno, I guess maybe I misunderstood your dilemma? :lol: