Security Incidents mailing list archives

Re: IGMP DOS Attack

From: Dave Dittrich <dittrich () cac washington edu>
Date: Thu, 11 Apr 2002 23:57:00 -0700 (PDT)

On Thu, 11 Apr 2002 D.Stout () EU HNS COM wrote:

When I returned in the morning I found 450,000 alerts from snort detailing
a IGMP DoS attack from 6 different source hosts. I cannot find any
information about this DoS attack (DDoS if you consider 6 hosts at same
time).
 . . .
  Does anybody know what causes this ?


I know of at least one mIRC based DDoS bot that used (or at least
tried to use) IGMP for flooding:

        http://staff.washington.edu/dittrich/misc/power.analysis.txt

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

IGMP DOS Attack D . Stout (Apr 11)
- Re: IGMP DOS Attack Kurt Seifried (Apr 11)
- Re: IGMP DOS Attack Dave Dittrich (Apr 12)
- <Possible follow-ups>
- Re: IGMP DOS Attack Justin Shore (Apr 11)
- RE: IGMP DOS Attack Headley, Kevin (Apr 11)
  - Re: IGMP DOS Attack Valdis . Kletnieks (Apr 11)
    - Re: IGMP DOS Attack John Kristoff (Apr 11)
    - Re: IGMP DOS Attack Christopher L. Morrow (Apr 12)
- RE: IGMP DOS Attack Cushing, David (Apr 11)