Security Incidents mailing list archives
Re: IGMP DOS Attack
From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 11 Apr 2002 22:35:30 +0000 (GMT)
On Thu, 11 Apr 2002 15:00:00 EDT, "Headley, Kevin" <kevin.headley () csfb com> said:Since IGMP is multicast group membership and wouldn't pass a router unless specifically configured to do so (in many cases at least)...I have seen occasions where either the local machine is sending packets or a few other machines on that segment are joinging the group, responding...
Hmm, I'm not sure about this particular attack, BUT we've seen LOTS of attacks where someone simply set the protocol field to igmp's number and flooded packets to the destination they wanted to attack (like www.yourfavoriteattackedhost.com) Basically the attack just takes a slight bit longer to diagnose because its not 'common' (tcp or udp or icmp)... no better, no worse in the long run though. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- IGMP DOS Attack D . Stout (Apr 11)
- Re: IGMP DOS Attack Kurt Seifried (Apr 11)
- Re: IGMP DOS Attack Dave Dittrich (Apr 12)
- <Possible follow-ups>
- Re: IGMP DOS Attack Justin Shore (Apr 11)
- RE: IGMP DOS Attack Headley, Kevin (Apr 11)
- Re: IGMP DOS Attack Valdis . Kletnieks (Apr 11)
- Re: IGMP DOS Attack John Kristoff (Apr 11)
- Re: IGMP DOS Attack Christopher L. Morrow (Apr 12)
- Re: IGMP DOS Attack Valdis . Kletnieks (Apr 11)
- RE: IGMP DOS Attack Cushing, David (Apr 11)