Security Incidents mailing list archives

Re: IGMP DOS Attack


From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 11 Apr 2002 22:35:30 +0000 (GMT)


On Thu, 11 Apr 2002 15:00:00 EDT, "Headley, Kevin" <kevin.headley () csfb com>  said:

Since IGMP is multicast group membership and wouldn't pass a router unless
specifically configured to do so (in many cases at least)...I have seen
occasions where either the local machine is sending packets or a few other
machines on that segment are joining the group, responding...


Hmm, I'm not sure about this particular attack, BUT we've seen LOTS of
attacks where someone simply set the protocol field to igmp's number and
flooded packets to the destination they wanted to attack (like
www.yourfavoriteattackedhost.com)

Basically the attack just takes a slight bit longer to diagnose because
it's not 'common' (tcp or udp or icmp)... no better, no worse in the long
run though.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
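
An added example, not part of the original message: a triage helper that tallies captured IPv4 headers by protocol number and flags protocol 2 (IGMP) packets addressed to a unicast destination, the pattern the reply describes. It assumes raw IPv4 headers as input; the sample headers are constructed with documentation addresses, and treating unicast-destined IGMP as suspect is a heuristic, since normal group-membership traffic goes to multicast addresses.

```python
import ipaddress
import struct
from collections import Counter

IPPROTO_IGMP = 2  # IANA-assigned IP protocol number for IGMP


def parse_ipv4(header: bytes):
    """Return (protocol, ttl, src, dst) from a raw IPv4 header, or None if malformed."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return None
    ttl, proto = header[8], header[9]
    src = ipaddress.ip_address(header[12:16])
    dst = ipaddress.ip_address(header[16:20])
    return proto, ttl, src, dst


def summarize(packets):
    """Return (per-protocol packet counts, protocol-2 counts per unicast destination)."""
    protos, unicast_igmp = Counter(), Counter()
    for raw in packets:
        parsed = parse_ipv4(raw)
        if parsed is None:
            continue
        proto, _ttl, _src, dst = parsed
        protos[proto] += 1
        # Heuristic (assumption): group-membership IGMP targets 224.0.0.0/4,
        # so protocol 2 aimed at a unicast host deserves a closer look.
        if proto == IPPROTO_IGMP and not dst.is_multicast:
            unicast_igmp[str(dst)] += 1
    return protos, unicast_igmp


def sample_header(proto, ttl, src, dst):
    """Build a constructed 20-byte IPv4 header for the sample data (checksum zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


# Constructed sample capture: one ordinary IGMP query, three protocol-2
# packets to a unicast web server, and one TCP and one UDP packet.
SAMPLE = [sample_header(2, 1, "192.0.2.1", "224.0.0.1")]
SAMPLE += [sample_header(2, 64, "198.51.100.7", "203.0.113.80")] * 3
SAMPLE += [sample_header(6, 64, "198.51.100.9", "203.0.113.80"),
           sample_header(17, 64, "198.51.100.9", "203.0.113.80")]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE)
    print("packets per protocol:", dict(counts))
    print("protocol 2 to unicast destinations:", dict(flagged))
```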

