Security Incidents mailing list archives

Re: Strange Activity -- Help


From: Antonio Carlos Pina <apina () infolink com br>
Date: Thu, 22 Feb 2001 23:12:47 -0300

Hello,

IGMP packets are also used to "nuke" IRC users. I've seen many users
"nuking" each other using IGMP, but they use LOTS of packets. Windows 2000
also sends this kind of traffic when running the "Windows Media Encoder and
Broadcaster" application.

Regards,
Cordially,
Antonio Carlos Pina
Director of Technology
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Daniel Martin" <dtmartin24 () HOME COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 21, 2001 10:17 PM
Subject: Re: Strange Activity -- Help


"Nanney, Jim" <JNanney () XETADEV COM> writes:

Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2
                                                               ^^^^^^^
192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)

IP Protocol 2 is "igmp".  (as opposed to TCP or UDP, for example)  One
consequence of this is that the port numbers given in the log line are
meaningless.

I don't quite know everything that igmp is used for, but one of the
things it's used for is to announce to a router (via broadcast
packets) "the machine at address xx.xx.xx.xx is willing to receive
multicast IP packets destined for yy.yy.yy.yy" (Here, xx.xx.xx.xx ==
192.168.100.1 and yy.yy.yy.yy == 224.0.0.1)
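
Added example, not part of the original thread: a small parser for the ipchains "Packet log" line quoted above that names the IP protocol, drops the port fields when the protocol is not TCP or UDP, and counts IGMP packets per source so a single membership packet can be told apart from a high-volume burst. The first sample line is the one from the thread; the other sample lines, the 203.0.113.9 source and the threshold value are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}
PORT_PROTOCOLS = {6, 17}  # only TCP and UDP carry real port numbers

# Field layout of the ipchains log line quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)"
)

def parse_packet_log(line):
    """Parse one log line into a dict; return None if it is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    has_ports = proto in PORT_PROTOCOLS
    return {
        "action": m["action"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"],
        "dst": m["dst"],
        # For IGMP the logged 65535 values are filler, so report no port.
        "sport": int(m["sport"]) if has_ports else None,
        "dport": int(m["dport"]) if has_ports else None,
        "multicast_dst": ipaddress.ip_address(m["dst"]).is_multicast,
        "ttl": int(m["ttl"]),
    }

def igmp_sources_over(lines, threshold):
    """Return {source: count} for sources that sent >= threshold IGMP packets."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["proto"] == "igmp":
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# First entry: the line from the thread. The rest are constructed samples.
SAMPLE = ["Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
          "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)"]
SAMPLE += [f"Feb 21 10:00:{i:02d} nanlinux kernel: Packet log: input REJECT eth0 "
           f"PROTO=2 203.0.113.9:65535 192.168.100.5:65535 L=1500 S=0x00 I={i} "
           f"F=0x0000 T=110 (#5)" for i in range(6)]

if __name__ == "__main__":
    print(parse_packet_log(SAMPLE[0]))
    print(igmp_sources_over(SAMPLE, threshold=5))  # threshold is an assumed value
```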


