Security Incidents mailing list archives

Re: IGMP DOS Attack

From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Apr 2002 15:53:03 -0400

On Thu, 11 Apr 2002 15:00:00 EDT, "Headley, Kevin" <kevin.headley () csfb com>  said:

Since IGMP is multicast group membership and wouldn't pass a router unless
specifically configured to do so (in many cases at least)...I have seen
occasions where either the local machine is sending packets or a few other
machines on that segment are joinging the group, responding...


Anybody *else* remember a certain worm randomly picking IP addresses to attack,
and causing IGMP meltdowns when it happened to pick a 224.x.x.x address, as
all the multicast-aware hosts would start asking about the group?  I remember
a 2AM firestorm that took several of our routers and part of Abeliene with
it...

-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: _bin
Description:

Current thread:

IGMP DOS Attack D . Stout (Apr 11)
- Re: IGMP DOS Attack Kurt Seifried (Apr 11)
- Re: IGMP DOS Attack Dave Dittrich (Apr 12)
- <Possible follow-ups>
- Re: IGMP DOS Attack Justin Shore (Apr 11)
- RE: IGMP DOS Attack Headley, Kevin (Apr 11)
  - Re: IGMP DOS Attack Valdis . Kletnieks (Apr 11)
    - Re: IGMP DOS Attack John Kristoff (Apr 11)
    - Re: IGMP DOS Attack Christopher L. Morrow (Apr 12)
- RE: IGMP DOS Attack Cushing, David (Apr 11)