Security Incidents mailing list archives
RE: IGMP DOS Attack
From: "Cushing, David" <David.Cushing () hitachisoftware com>
Date: Thu, 11 Apr 2002 16:18:39 -0400
Dave,

It would have been helpful if you told us what rule failed. I am assuming it was sid 272 or 273, which are scantily documented on the snort site. If this is the correct issue, a fragmented IGMP packet would cause windows to crash. See these links for more detail on the vulnerability:

http://online.securityfocus.com/archive/1/17444
http://online.securityfocus.com/search?submit=yes&category=22&order=ASC&query=IGMP

Whether these packets are malicious or not is still open, but it is looking fishy. If I am reading things right (and that is questionable :), the snort rules are looking for the first two bytes of the IGMP packet to be "00 00" or "02 00". The include file I checked, /usr/include/netinet/igmp.h, implies a good packet would start with 0x11 - 0x1f. The current specs for IGMP also agree with all packets starting with a hex "1":

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1112.html
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2236.html

From an incident response point of view I am curious what you found when you researched the 6 hosts you mentioned. Are they routers (i.e. you might expect some IGMP traffic), or are they @home DSL users? This might be a strong hint into whether or not there is a real issue. If this is ongoing, you should capture the full packet(s) for analysis.

Regards,
David
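The checks David describes above (is the datagram an IP fragment, is the first IGMP byte a type in the 0x11-0x1f range that igmp.h and RFC 1112/2236 use, and does the payload begin with the "00 00" / "02 00" pairs he reads the Snort rules as matching) can be applied directly to a captured packet. The following is an added example, not code from this thread or from Snort; it parses a raw IPv4/IGMP datagram and reports each of those conditions, plus the RFC 1071 checksum. The sample packets at the bottom are constructed here, not traffic from the incident, and the addresses in them are documentation ranges chosen for illustration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_IGMP = 2
IP_MF = 0x2000          # "more fragments" flag in the IP flags/offset field
IP_OFFMASK = 0x1FFF     # fragment offset, in 8-byte units

# Named IGMP types from RFC 1112 / RFC 2236. Other values in 0x11..0x1f
# (DVMRP, PIM, mtrace, ...) are accepted as "other IGMP-range type".
IGMP_TYPES = {
    0x11: "membership query",
    0x12: "v1 membership report",
    0x16: "v2 membership report",
    0x17: "leave group",
}
# Leading byte pairs the message above reads sid 272/273 as matching.
SNORT_PATTERNS = (b"\x00\x00", b"\x02\x00")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IP and IGMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def igmp_message(igmp_type: int, code: int, group: str) -> bytes:
    """8-byte IGMPv1/v2 message with a valid checksum."""
    body = struct.pack("!BBH4s", igmp_type, code, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def ipv4_packet(payload: bytes, src: str, dst: str, mf: bool = False,
                offset: int = 0, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 2 = IGMP) around payload."""
    flags_off = (IP_MF if mf else 0) | (offset & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 1, IPPROTO_IGMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


@dataclass
class Verdict:
    fragmented: bool
    igmp_type: Optional[int]     # None when this is not the first fragment
    type_name: str
    checksum_ok: Optional[bool]  # None when the IGMP header is not complete
    suspicious: bool
    reasons: tuple


def inspect_igmp(pkt: bytes) -> Verdict:
    """Apply the fragmentation, type-byte and leading-bytes checks."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IGMP:
        raise ValueError("not IGMP (protocol %d)" % pkt[9])
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    first = (flags_off & IP_OFFMASK) == 0
    fragmented = bool(flags_off & IP_MF) or not first
    payload = pkt[ihl:]
    reasons = []
    if fragmented:
        reasons.append("IP fragment (MF=%d, offset=%d)"
                       % (bool(flags_off & IP_MF), flags_off & IP_OFFMASK))
    igmp_type, type_name, checksum_ok = None, "n/a (not first fragment)", None
    if first and payload:
        igmp_type = payload[0]
        if igmp_type in IGMP_TYPES:
            type_name = IGMP_TYPES[igmp_type]
        elif 0x11 <= igmp_type <= 0x1F:
            type_name = "other IGMP-range type"
        else:
            type_name = "outside 0x11..0x1f"
            reasons.append("type byte 0x%02x not an IGMP type" % igmp_type)
        if payload[:2] in SNORT_PATTERNS:
            reasons.append("leading bytes %s" % payload[:2].hex())
        if not fragmented and len(payload) >= 8:
            checksum_ok = inet_checksum(payload[:8]) == 0
            if not checksum_ok:
                reasons.append("bad IGMP checksum")
    return Verdict(fragmented, igmp_type, type_name, checksum_ok,
                   bool(reasons), tuple(reasons))


# Constructed sample packets (not traffic from the thread).
SAMPLES = {
    # ordinary IGMPv2 general query from a router to all-hosts
    "query": ipv4_packet(igmp_message(0x11, 100, "0.0.0.0"),
                         "192.0.2.1", "224.0.0.1"),
    # first fragment whose payload starts 00 00, as the rules are read to match
    "frag_first": ipv4_packet(b"\x00" * 8, "198.51.100.7", "192.0.2.20",
                              mf=True),
    # trailing fragment: the IGMP header is not in this datagram at all
    "frag_tail": ipv4_packet(b"\x41" * 8, "198.51.100.7", "192.0.2.20",
                             offset=1),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = inspect_igmp(pkt)
        print("%-10s suspicious=%-5s %s"
              % (name, v.suspicious, "; ".join(v.reasons) or v.type_name))
```

Note that a trailing fragment carries no IGMP header at all, so the type-byte and checksum checks are only meaningful on the first fragment; the fragmentation flag by itself is the condition the message above associates with the crash, which is why `inspect_igmp` reports it as a reason regardless of what the payload looks like.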
-----Original Message-----
From: D.Stout () EU HNS COM [mailto:D.Stout () EU HNS COM]
Sent: Thursday, April 11, 2002 6:45 AM
To: incidents () securityfocus com
Subject: IGMP DOS Attack

After installing a Snort IDS system on a network link I am responsible for, I left it running over night to see how many alerts would be generated. When I returned in the morning I found 450,000 alerts from snort detailing an IGMP DoS attack from 6 different source hosts. I cannot find any information about this DoS attack (DDoS if you consider 6 hosts at the same time).

Has anybody else had an IGMP DoS attack starting at 5:23 CET? Does anybody know what causes this? What are the implications of this (other than pure bandwidth consumption)? I will continue to search for info, but please help me if you know what this is.

Dave Stout
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com