Hello, welcome to the Friday, December 30th, 2016 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We've got some reports today from readers and also confirmed that with our own data that there appears to be quite a bit of increase in GRE traffic or generic route encapsulation.

That's a protocol 47 over IPV4. Now typically this protocol can be used to encapsulate anything

within IPV4 after this IP header. You then have sort of a short header with essentially just the

ether type of whatever comes next.

In this case, the embedded payload is again another IPV4 packet that then carries a random

UDP payload.

Don't really see any pattern in this yet.

It's not at the level where I would call it a denial of service. Not

really sure what this is about, really just looks like random traffic. Now, Mirai has sent

some traffic like this in the past and also other denial of service tools have used GRE,

but not really clear if this is related at all at this point.

If you do have any packets, or in particular, if you see any outbound traffic from your

network matching that description, we would be really interested to hear from you to see

where this all originates.

And the USR today released a fairly detailed report about some of the hacking activity

against US political parties last year. They attributed to what they call Chris Le Steppe, which is two

different actually Russian hacking groups. The report is very detailed and nicely outlines many of the attack techniques

that were used in this particular attack. So I do recommend that you read it. Don't get distracted

by the politics around this. The report really has quite nice details about how these

more advanced attacks work.

...