Security Incidents mailing list archives
Re: Strange Activity -- Help
From: Antonio Carlos Pina <apina () infolink com br>
Date: Thu, 22 Feb 2001 23:12:47 -0300
Hello,

IGMP packets are also used to "nuke" IRC users. I've seen many users "nuking" each other using IGMP, but they use LOTS of packets.

Windows 2000 also sends this kind of traffic when running "Windows Media Encoder and Broadcaster" application.

Regards,
Cordially,

Antonio Carlos Pina
Director of Technology
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Daniel Martin" <dtmartin24 () HOME COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 21, 2001 10:17 PM
Subject: Re: Strange Activity -- Help

"Nanney, Jim" <JNanney () XETADEV COM> writes:

Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2
                                                               ^^^^^^^
192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)

IP Protocol 2 is "igmp". (as opposed to TCP or UDP, for example) One consequence of this is that the port numbers given in the log line are meaningless.

I don't quite know everything that igmp is used for, but one of the things it's used for is to announce to a router (via broadcast packets) "the machine at address xx.xx.xx.xx is willing to receive multicast IP packets destined for yy.yy.yy.yy" (Here, xx.xx.xx.xx == 192.168.100.1 and yy.yy.yy.yy == 224.0.0.1)
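
The point made in the thread about PROTO=2 and the meaningless port fields, as an added example that is not part of any poster's message: a small parser for this kernel "Packet log" line that names the IP protocol and drops the port values when the protocol is not TCP or UDP. The field layout is inferred from the single log line quoted above, and the dictionary keys and function name are this example's own.

```python
import ipaddress
import re

# Constructed sample: the log line quoted in the thread, joined onto one line.
SAMPLE = ("Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
          "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)")

# IANA protocol numbers for the protocols most often seen in such logs.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}
HAS_PORTS = {6, 17}  # only TCP and UDP carry real port numbers

# Layout assumed from the one line on the page (hypothetical group names).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

def parse_packet_log(line):
    """Return a dict describing one 'Packet log' line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    try:
        multicast = ipaddress.ip_address(m["dst"]).is_multicast
    except ValueError:  # digits and dots that are not a valid IPv4 address
        return None
    proto = int(m["proto"])
    ports_valid = proto in HAS_PORTS
    return {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "src": m["src"], "dst": m["dst"],
        # The logger prints a port column for every protocol; keep it only
        # where the protocol actually has ports.
        "sport": int(m["sport"]) if ports_valid else None,
        "dport": int(m["dport"]) if ports_valid else None,
        "length": int(m["length"]), "ttl": int(m["ttl"]),
        "rule": int(m["rule"]) if m["rule"] else None,
        "dst_multicast": multicast,
    }

if __name__ == "__main__":
    for key, value in parse_packet_log(SAMPLE).items():
        print(f"{key:14} {value}")
```
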