Security Incidents mailing list archives

RE: IGMP DOS Attack


From: "Cushing, David" <David.Cushing () hitachisoftware com>
Date: Thu, 11 Apr 2002 16:18:39 -0400

Dave,

It would have been helpful if you told us what rule failed.  I am
assuming it was sid 272 or 273, which are scantily documented on the
snort site.  

If this is the correct issue, a fragmented IGMP packet would cause
windows to crash.  See these links for more detail on the vulnerability:

http://online.securityfocus.com/archive/1/17444
http://online.securityfocus.com/search?submit=yes&category=22&order=ASC&query=IGMP

Whether these packets are malicious or not is still open, but it is
looking fishy.  If I am reading things right (and that is questionable
:), the snort rules are looking for the first two bytes of the IGMP
packet to be "00 00" or "02 00".  The include file I checked,
/usr/include/netinet/igmp.h, implies a good packet would start with 0x11
- 0x1f.  The current specs for IGMP also agree with all packets starting
with a hex "1":

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1112.html
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2236.html

From an incident response point of view I am curious what you found when
you researched the 6 hosts you mentioned.  Are they routers (i.e. you
might expect some IGMP traffic), or are they @home DSL users?  This
might be a strong hint into whether or not there is a real issue.

If this is ongoing, you should capture the full packet(s) for analysis.

Regards,
David

-----Original Message-----
From: D.Stout () EU HNS COM [mailto:D.Stout () EU HNS COM]
Sent: Thursday, April 11, 2002 6:45 AM
To: incidents () securityfocus com
Subject: IGMP DOS Attack


  After installing a Snort IDS system on a network link I am responsible
for, I left it running overnight to see how many alerts would be
generated. When I returned in the morning I found 450,000 alerts from
snort detailing an IGMP DoS attack from 6 different source hosts. I
cannot find any information about this DoS attack (DDoS if you consider
6 hosts at the same time).

  Has anybody else had an IGMP DoS attack starting at 5:23 CET?
  Does anybody know what causes this?
  What are the implications of this (other than pure bandwidth
consumption)?

  I will continue to search for info, but please help me if you know
what this is.

Dave Stout 
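The two header checks the reply above walks through (IGMP arriving in IP fragments, and a first byte outside the type values RFC 1112/2236 define), written out as an added example that is not part of either message; the packets it classifies are constructed in the block, not captured from the list member's network.

```python
import struct

# Message types from RFC 1112 and RFC 2236; the type is the first byte of the IGMP message.
KNOWN_IGMP_TYPES = {0x11: "membership query", 0x12: "v1 membership report",
                    0x16: "v2 membership report", 0x17: "leave group"}

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071), as used by the IGMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_igmp(packet: bytes) -> str:
    """One-line verdict for a raw IPv4 packet: 'ok: ...', 'suspicious: ...' or 'not igmp'."""
    if len(packet) < 20:
        return "not igmp: truncated ipv4 header"
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 2:        # IP protocol number 2 is IGMP
        return "not igmp"
    if flags_frag & 0x3FFF:                    # MF flag set or non-zero fragment offset
        # IGMP delivered as IP fragments: the condition the thread links to the Windows crash.
        return "suspicious: fragmented igmp (MF=%d, offset=%d)" % ((flags_frag >> 13) & 1, flags_frag & 0x1FFF)
    igmp = packet[(ver_ihl & 0x0F) * 4:]
    if len(igmp) < 8:
        return "suspicious: igmp message shorter than 8 bytes"
    if igmp[0] not in KNOWN_IGMP_TYPES:
        # A first byte of 0x00 or 0x02 (the "00 00" / "02 00" the reply mentions) ends up here.
        return "suspicious: unknown igmp type 0x%02x" % igmp[0]
    if inet_checksum(igmp) != 0:
        return "suspicious: bad igmp checksum for " + KNOWN_IGMP_TYPES[igmp[0]]
    return "ok: " + KNOWN_IGMP_TYPES[igmp[0]]

def igmp_message(igmp_type: int, max_resp: int = 0, group: bytes = bytes([224, 0, 0, 1])) -> bytes:
    """Constructed 8-byte IGMP message with a valid checksum (samples only)."""
    body = struct.pack("!BBH4s", igmp_type, max_resp, 0, group)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def build_ipv4(payload: bytes, flags_frag: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header, protocol 2; IP checksum left 0 since it is not verified."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag, 1, 2, 0,
                       bytes([10, 0, 0, 1]), bytes([224, 0, 0, 1])) + payload

# Constructed samples: a normal query, a type-0x00 message, and a query carried in an IP fragment.
SAMPLES = {"query": build_ipv4(igmp_message(0x11, max_resp=100)),
           "zero_type": build_ipv4(igmp_message(0x00)),
           "fragment": build_ipv4(igmp_message(0x11), flags_frag=0x2000)}
```

Running `classify_igmp` over each entry of `SAMPLES` reports the normal query as ok and the other two as suspicious, which is the same distinction the Snort signatures in the thread are drawing.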

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com