Re: IGMP DOS Attack

["Kurt Seifried" <bugtraq () seifried org>]

I do not know about this attack in particular however I do know the majority
of firewalls allow IGMP traffic through (along with about 100 other IP
protocols....). Unless a firewall has default policy of deny or the admin
has specifically blocked IP packet types of say DCN, HMP, PRM chances are
they will go through. Of course the trick is to find protocols well
supported by end systems, such as IGMP.

My immediate though about this incident is to look at if the networks
attacking you support IGMP broadcast packets (now that everyone blocks ICMP
broadcast packets... well most people anyways..).


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/

----- Original Message -----
From: <D.Stout () EU HNS COM>
To: <incidents () securityfocus com>
Sent: Thursday, April 11, 2002 3:45 AM
Subject: IGMP DOS Attack


>   After installing a Snort IDS system on a network link I am responsible
> for , I left it running over night to see how many alerts would be
> generated.
> When I returned in the morning I found 450,000 alerts from snort detailing
> a IGMP DoS attack from 6 different source hosts. I cannot find any
> information about this DoS attack (DDoS if you consider 6 hosts at same
> time).
>
>   Has anybody else had an IGMP DoS attack starting at 5:23 CET ?
>   Does anybody know what causes this ?
>   What are the implications of this (other than pure bandwidth
> consumption)
>
>   I will continue to search for info, but please help me if you know what
> this is.
>
> Dave Stout
> Internet Security Engineer
>
>
>
> #**********************************************************************
> This message is intended solely for the use of the individual
> or organisation to whom it is addressed. It may contain
> privileged or confidential information.  If you have received
> this message in error, please notify the originator immediately.
> If you are not the intended recipient, you should not use,
> copy, alter, or disclose the contents of this message.  All
> information or opinions expressed in this message and/or
> any attachments are those of the author and are not
> necessarily those of Hughes Network Systems Limited,
> including its European subsidiaries and affiliates. Hughes
> Network Systems Limited, including its European
> subsidiaries and affiliates accepts no responsibility for loss
> or damage arising from its use, including damage from virus.
> #**********************************************************************
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com