RE: IGMP DOS Attack

From: Headley, Kevin (kevin.headleyat_private)
Date: Thu Apr 11 2002 - 12:00:00 PDT

    Since IGMP is multicast group membership and wouldn't pass a router unless specifically configured to do so (in many cases at least)...I have seen occasions where either the local machine is sending packets or a few other machines on that segment are joining the group, responding...
    
    450,000 sounds like a minimal amount of packets for any igmp scenario overnight.
    
    comments detailed here do not reflect the e-pinions of my contractor.
    
    -Kevin Headley
    
    
    -----Original Message-----
    From: Kurt Seifried [mailto:bugtraqat_private]
    Sent: Thursday, April 11, 2002 1:34 PM
    To: incidentsat_private; D.Stoutat_private
    Subject: Re: IGMP DOS Attack
    
    
    I do not know about this attack in particular; however, I do know the majority
    of firewalls allow IGMP traffic through (along with about 100 other IP
    protocols....). Unless a firewall has a default policy of deny or the admin
    has specifically blocked IP packet types of, say, DCN, HMP, PRM, chances are
    they will go through. Of course the trick is to find protocols well
    supported by end systems, such as IGMP.
    
    My immediate thought about this incident is to look at whether the networks
    attacking you support IGMP broadcast packets (now that everyone blocks ICMP
    broadcast packets... well most people anyways..).
    
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    http://www.iDefense.com/
    
    ----- Original Message -----
    From: <D.Stoutat_private>
    To: <incidentsat_private>
    Sent: Thursday, April 11, 2002 3:45 AM
    Subject: IGMP DOS Attack
    
    
    >   After installing a Snort IDS system on a network link I am responsible
    > for, I left it running over night to see how many alerts would be
    > generated.
    > When I returned in the morning I found 450,000 alerts from snort detailing
    > an IGMP DoS attack from 6 different source hosts. I cannot find any
    > information about this DoS attack (DDoS if you consider 6 hosts at same
    > time).
    >
    >   Has anybody else had an IGMP DoS attack starting at 5:23 CET ?
    >   Does anybody know what causes this ?
    >   What are the implications of this (other than pure bandwidth
    > consumption)
    >
    >   I will continue to search for info, but please help me if you know what
    > this is.
    >
    > Dave Stout
    > Internet Security Engineer
    >
    >
    >
    > #**********************************************************************
    > This message is intended solely for the use of the individual
    > or organisation to whom it is addressed. It may contain
    > privileged or confidential information.  If you have received
    > this message in error, please notify the originator immediately.
    > If you are not the intended recipient, you should not use,
    > copy, alter, or disclose the contents of this message.  All
    > information or opinions expressed in this message and/or
    > any attachments are those of the author and are not
    > necessarily those of Hughes Network Systems Limited,
    > including its European subsidiaries and affiliates. Hughes
    > Network Systems Limited, including its European
    > subsidiaries and affiliates accepts no responsibility for loss
    > or damage arising from its use, including damage from virus.
    > #**********************************************************************
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you are not the intended recipient, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. CREDIT SUISSE GROUP and each legal entity in the CREDIT SUISSE FIRST BOSTON or CREDIT SUISSE ASSET MANAGEMENT business units of CREDIT SUISSE FIRST BOSTON reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
    Unless otherwise stated, any pricing information given in this message is indicative  only, is subject to change and does not constitute an offer to deal at any price quoted. Any reference to the terms of executed transactions should be treated as  preliminary only and subject to our formal written confirmation.
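Added example, not code from anyone in this thread: a small Python triage script that boils a pile of Snort fast-format IGMP alerts (like the 450,000 above) down to a per-source summary with the burst rate and two sanity checks drawn from the discussion: whether the source is on the monitored segment (IGMP is link-local and should not normally arrive from behind a router) and whether the destination is actually a multicast group. The sample alert lines, their SID, hosts and timestamps are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in Snort "fast" alert format. The SID, hosts, groups and
# timestamps are made up for this example; none of them come from the thread.
SAMPLE_ALERTS = """\
04/11-05:23:01.100000  [**] [1:1000001:1] DOS IGMP dos attack [**] {IGMP} 10.9.8.7 -> 224.0.0.1
04/11-05:23:01.300000  [**] [1:1000001:1] DOS IGMP dos attack [**] {IGMP} 10.9.8.7 -> 224.0.0.1
04/11-05:23:02.000000  [**] [1:1000001:1] DOS IGMP dos attack [**] {IGMP} 172.16.5.5 -> 224.0.0.1
04/11-05:23:02.500000  [**] [1:1000001:1] DOS IGMP dos attack [**] {IGMP} 10.9.8.7 -> 224.0.0.1
04/11-05:24:10.000000  [**] [1:1000001:1] DOS IGMP dos attack [**] {IGMP} 192.168.1.20 -> 239.1.1.1
04/11-05:24:11.000000  [**] [1:1000001:1] DOS IGMP dos attack [**] {IGMP} 10.9.8.7 -> 192.168.1.1
"""

ALERT_RE = re.compile(  # timestamp kept to the minute; IGMP carries no ports
    r"^(?P<minute>\d\d/\d\d-\d\d:\d\d):\d\d\.\d+\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
)

def parse_alerts(text):
    """Yield (minute, proto, src, dst) for every well-formed alert line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m["minute"], m["proto"], m["src"], m["dst"]

def triage(text, local_net):
    """Per-source IGMP summary: total alerts, peak alerts in any one minute,
    whether the source is on the monitored segment (IGMP is sent with TTL 1 and
    should not cross a router), and alerts whose destination is not multicast."""
    local = ipaddress.ip_network(local_net)
    total, bad_dst = Counter(), Counter()
    per_minute = defaultdict(Counter)
    for minute, proto, src, dst in parse_alerts(text):
        if proto != "IGMP":
            continue
        total[src] += 1
        per_minute[src][minute] += 1
        if not ipaddress.ip_address(dst).is_multicast:
            bad_dst[src] += 1
    return {
        src: {
            "alerts": n,
            "peak_per_minute": max(per_minute[src].values()),
            "on_link": ipaddress.ip_address(src) in local,
            "non_multicast_dst": bad_dst[src],
        }
        for src, n in total.items()
    }
```

Feed `triage()` the contents of Snort's fast-mode alert file and the prefix of the segment the sensor sits on; off-link sources and non-multicast destinations are the entries to chase first.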
    



    This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 12:37:44 PDT