
Increase in Protocol 47 (GRE) traffic since end of December 2016 - aysfrm11
https://isc.sans.edu/forums/diary/More+on+Protocol+47+denys/21867/
======
samplonius
There is probably a consumer device that has a GRE listener running, and it
is possible to send it a small packet, and it will return some sort of
error response. So classic amplification.

Though given the moderate amount of traffic, maybe it isn't a hugely
effective DDoS method.

Even if a consumer device doesn't use GRE, it doesn't mean it isn't there. GRE
is often included in Linux kernels.

~~~
simcop2387
If that's the case it's possible they're just testing it out right now to
figure out a good way to use it. Be interesting to watch this unfold.

------
tossedaway334
This is when somebody gets the bright idea to block all protocols other than
TCP and UDP.

Hey, you can just tunnel via UDP, right?

~~~
pshposh
Not sure if you are joking or not but that is exactly what VXLAN does.

------
ChuckMcM
Makes me wonder if someone has a comms protocol based on backscatter for the
backhaul.

~~~
pas
What's backscatter in this case? Could you elaborate on this with maybe some
more technical details?

~~~
ChuckMcM
Let's say you wanted to create a (nominally) covert channel to site X. You
take your message text M and encode it with some forward error correction.
Next you find a set of host IP addresses H which have as their last octet the
values 0 - 0xff (or perhaps you use every other bit and find hosts where the
last two octets are 0b0x0x0x0x 0b0x0x0x0x through 0b1x1x1x1x 0b1x1x1x1x). Now
you take the octets you want to send in your message, and your botnet bounces a
packet off the host where the spoofed source IP is the real destination host.
That destination host looks at all these errors that are coming in, collects
the last two octets of the addresses, and reconstructs the message M. All
while the world sees "oooh, DDoS by script kiddies", but really it's someone
communicating with low detection risk across a deep packet inspecting
firewall.

------
the_mitsuhiko
GRE Tunnel bonding rollout maybe?

~~~
mfukar
In that case, the source/destination IPs would not resemble backscatter
traffic. Unfortunately, SANS forums aren't much for analysis.
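
The distinction mfukar draws here, and the amplification/backscatter shape samplonius describes further up, can be checked against a firewall's own deny records. The following script is an added example written for this page, not code from the SANS diary or from any commenter: it parses a constructed batch of protocol-47 deny lines (the field layout is an assumption, not any vendor's format), profiles each destination by packet count, distinct source count and mean packet length, and labels it "backscatter-like" (many sources, small packets, the shape of reflectors answering spoofed requests) or "tunnel-like" (one source, large packets, the shape of a point-to-point GRE tunnel). The thresholds are assumptions and should be tuned to the network being observed.

```python
import re
from collections import defaultdict

# Constructed sample of firewall deny records. The line layout is an assumption
# made for this example and does not correspond to any specific firewall's format.
SAMPLE_LOG = """\
2017-01-03T10:00:01Z DENY proto=47 src=198.51.100.7 dst=203.0.113.10 len=60
2017-01-03T10:00:02Z DENY proto=47 src=198.51.100.22 dst=203.0.113.10 len=60
2017-01-03T10:00:02Z DENY proto=47 src=192.0.2.150 dst=203.0.113.10 len=60
2017-01-03T10:00:03Z DENY proto=47 src=192.0.2.9 dst=203.0.113.10 len=60
2017-01-03T10:00:03Z DENY proto=47 src=198.51.100.99 dst=203.0.113.10 len=60
2017-01-03T10:00:04Z DENY proto=47 src=192.0.2.33 dst=203.0.113.10 len=60
2017-01-03T10:00:05Z DENY proto=47 src=203.0.113.50 dst=203.0.113.20 len=1400
2017-01-03T10:00:06Z DENY proto=47 src=203.0.113.50 dst=203.0.113.20 len=1400
2017-01-03T10:00:07Z DENY proto=47 src=203.0.113.50 dst=203.0.113.20 len=1400
2017-01-03T10:00:08Z DENY proto=47 src=203.0.113.50 dst=203.0.113.20 len=1400
2017-01-03T10:00:09Z DENY proto=6 src=192.0.2.1 dst=203.0.113.10 len=52
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY proto=(?P<proto>\d+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) len=(?P<len>\d+)$"
)


def parse_gre_denies(text):
    """Yield (src, dst, length) for each well-formed protocol-47 (GRE) deny record.

    Records for other IP protocols and malformed lines are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("proto") != "47":
            continue
        yield m.group("src"), m.group("dst"), int(m.group("len"))


def profile_by_destination(text):
    """Per destination: packet count, number of distinct sources, mean packet length."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "bytes": 0})
    for src, dst, length in parse_gre_denies(text):
        s = stats[dst]
        s["packets"] += 1
        s["sources"].add(src)
        s["bytes"] += length
    return {
        dst: {
            "packets": s["packets"],
            "distinct_sources": len(s["sources"]),
            "mean_len": s["bytes"] / s["packets"],
        }
        for dst, s in stats.items()
    }


def classify(profile, min_sources=5, small_len=100):
    """Label each destination with a heuristic traffic shape.

    Thresholds are assumptions chosen for this example:
    - 'backscatter-like': at least min_sources distinct senders and small packets,
      the pattern left by many reflectors answering spoofed requests;
    - 'tunnel-like': a single sender and large packets, as a point-to-point
      GRE tunnel between two fixed endpoints would produce;
    - 'other': anything else, worth a manual look.
    """
    labels = {}
    for dst, p in profile.items():
        if p["distinct_sources"] >= min_sources and p["mean_len"] < small_len:
            labels[dst] = "backscatter-like"
        elif p["distinct_sources"] == 1 and p["mean_len"] >= small_len:
            labels[dst] = "tunnel-like"
        else:
            labels[dst] = "other"
    return labels


if __name__ == "__main__":
    prof = profile_by_destination(SAMPLE_LOG)
    for dst, label in classify(prof).items():
        print(dst, prof[dst], label)
```

Run against a real export, the useful signal is the change over time: a destination that flips from "other" to "backscatter-like" with a rising distinct-source count is the situation the diary describes, while a stable single-pair "tunnel-like" profile is the bonding or tunnelling case the_mitsuhiko raises and would not look like backscatter at all.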

------
coretx
Mirai, state sponsored botnet.

