I do not know about this attack in particular however I do know the majority of firewalls allow IGMP traffic through (along with about 100 other IP protocols....). Unless a firewall has default policy of deny or the admin has specifically blocked IP packet types of say DCN, HMP, PRM chances are they will go through. Of course the trick is to find protocols well supported by end systems, such as IGMP. My immediate though about this incident is to look at if the networks attacking you support IGMP broadcast packets (now that everyone blocks ICMP broadcast packets... well most people anyways..). Kurt Seifried, kurtat_private A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ http://www.iDefense.com/ ----- Original Message ----- From: <D.Stoutat_private> To: <incidentsat_private> Sent: Thursday, April 11, 2002 3:45 AM Subject: IGMP DOS Attack > After installing a Snort IDS system on a network link I am responsible > for , I left it running over night to see how many alerts would be > generated. > When I returned in the morning I found 450,000 alerts from snort detailing > a IGMP DoS attack from 6 different source hosts. I cannot find any > information about this DoS attack (DDoS if you consider 6 hosts at same > time). > > Has anybody else had an IGMP DoS attack starting at 5:23 CET ? > Does anybody know what causes this ? > What are the implications of this (other than pure bandwidth > consumption) > > I will continue to search for info, but please help me if you know what > this is. > > Dave Stout > Internet Security Engineer > > > > #********************************************************************** > This message is intended solely for the use of the individual > or organisation to whom it is addressed. It may contain > privileged or confidential information. If you have received > this message in error, please notify the originator immediately. > If you are not the intended recipient, you should not use, > copy, alter, or disclose the contents of this message. All > information or opinions expressed in this message and/or > any attachments are those of the author and are not > necessarily those of Hughes Network Systems Limited, > including its European subsidiaries and affiliates. Hughes > Network Systems Limited, including its European > subsidiaries and affiliates accepts no responsibility for loss > or damage arising from its use, including damage from virus. > #********************************************************************** > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 11:52:33 PDT