Security Incidents mailing list archives
Re: IGMP DOS Attack
From: "Kurt Seifried" <bugtraq () seifried org>
Date: Thu, 11 Apr 2002 10:33:57 -0700
I do not know about this attack in particular; however, I do know the majority of firewalls allow IGMP traffic through (along with about 100 other IP protocols....). Unless a firewall has a default policy of deny or the admin has specifically blocked IP packet types of, say, DCN, HMP, PRM, chances are they will go through. Of course the trick is to find protocols well supported by end systems, such as IGMP. My immediate thought about this incident is to look at if the networks attacking you support IGMP broadcast packets (now that everyone blocks ICMP broadcast packets... well most people anyways..).

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/

----- Original Message -----
From: <D.Stout () EU HNS COM>
To: <incidents () securityfocus com>
Sent: Thursday, April 11, 2002 3:45 AM
Subject: IGMP DOS Attack
After installing a Snort IDS system on a network link I am responsible for, I left it running overnight to see how many alerts would be generated. When I returned in the morning I found 450,000 alerts from Snort detailing an IGMP DoS attack from 6 different source hosts.

I cannot find any information about this DoS attack (DDoS if you consider 6 hosts at the same time).

Has anybody else had an IGMP DoS attack starting at 5:23 CET?
Does anybody know what causes this?
What are the implications of this (other than pure bandwidth consumption)?

I will continue to search for info, but please help me if you know what this is.

Dave Stout
Internet Security Engineer
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
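The reply's point about firewalls passing IP protocols other than TCP, UDP and ICMP can be checked against captured traffic. The following is an added example, not code from the thread or from Snort: it tallies packets whose IP protocol number falls outside an assumed allow-list and counts how many were sent to a broadcast or multicast address. The allow-list, the function names and the sample packets are all constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# IANA IP protocol numbers: the usual three plus those named in the thread.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP",
               19: "DCN-MEAS", 20: "HMP", 21: "PRM"}
ALLOWED = {1, 6, 17}  # assumption: what a default-deny policy would permit

def make_header(src, dst, proto):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(raw):
    """Return (src, dst, proto), or None for a truncated or non-IPv4 header."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or (raw[0] & 0x0F) < 5:
        return None
    return (ipaddress.IPv4Address(raw[12:16]),
            ipaddress.IPv4Address(raw[16:20]), raw[9])

def triage(headers, local_net):
    """Count non-allowed packets per (source, protocol), and the wide-cast ones."""
    net = ipaddress.IPv4Network(local_net)
    limited = ipaddress.IPv4Address("255.255.255.255")
    per_source, wide = Counter(), Counter()
    for raw in headers:
        parsed = parse_ipv4(raw)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if proto in ALLOWED:
            continue
        key = (str(src), PROTO_NAMES.get(proto, f"proto-{proto}"))
        per_source[key] += 1
        if dst.is_multicast or dst in (net.broadcast_address, limited):
            wide[key] += 1
    return per_source, wide

# Constructed sample traffic; addresses are documentation ranges (RFC 5737).
SAMPLE = [
    make_header("198.51.100.7", "192.0.2.255", 2),   # IGMP to subnet broadcast
    make_header("198.51.100.7", "192.0.2.10", 2),    # IGMP to a single host
    make_header("203.0.113.9", "224.0.0.1", 2),      # IGMP to all-hosts group
    make_header("203.0.113.9", "192.0.2.10", 20),    # HMP, rarely blocked by name
    make_header("198.51.100.7", "192.0.2.10", 6),    # TCP, allowed
    b"\x45\x00",                                     # truncated, ignored
]
```

Calling `triage(SAMPLE, "192.0.2.0/24")` returns two counters keyed by (source, protocol name): all non-allowed packets, and the subset addressed to broadcast or multicast destinations.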