Protocol 47 Backscatter Increase in the Last Two Weeks

An Internet Storm Center forums user is reporting an increase in Protocol 47 traffic over the last two weeks. Researchers have detected this via backscatter IBR. Typically, this type of traffic is used for Generic Route Encapsulation (GRE). Many forms of VPN traffic are tunneled through GRE. An astute ISC commenter reports that the payloads don’t carry the correct headers to properly carry out the GRE->IP->GRE->IP attack.

Protocol 47 traffic increasing since late December 2016
Protocol 47 traffic increasing since late December 2016 (photo via ISC)

Possible Target: Taiwanese Chungwa Telco

By analyzing the backscatter traffic, the ISC community has determined that the majority of the targets are in Taiwan. The IP addresses are associated with a telco company called Chungwa. However, no information exists about an ongoing DDoS there. Finally, an update shows there are upticks via protocol 132 and 255 as well. These are Stream Control Transmission Protocol and Reserved/Unknown, respectively.

Leave a Reply

Your email address will not be published. Required fields are marked *