RE: IGMP DOS Attack

From: Cushing, David (David.Cushingat_private)
Date: Thu Apr 11 2002 - 13:18:39 PDT


    Dave,
    
    It would have been helpful if you told us what rule failed.  I am
    assuming it was sid 272 or 273, which are scantily documented on the
    snort site.  
    
    If this is the correct issue, a fragmented IGMP packet would cause
    windows to crash.  See these links for more detail on the vulnerability:
    
    http://online.securityfocus.com/archive/1/17444
    http://online.securityfocus.com/search?submit=yes&category=22&order=ASC&query=IGMP
    
    Whether these packets are malicious or not is still open, but it is
    looking fishy.  If I am reading things right (and that is questionable
    :), the snort rules are looking for the first two bytes of the IGMP
    packet to be "00 00" or "02 00".  The include file I checked,
    /usr/include/netinet/igmp.h, implies a good packet would start with 0x11
    - 0x1f.  The current specs for IGMP also agree with all packets starting
    with a hex "1":
    
    http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1112.html
    http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2236.html
    
    From an incident response point of view I am curious what you found when
    you researched the 6 hosts you mentioned.  Are they routers (i.e. you
    might expect some IGMP traffic), or are they @home DSL users?  This
    might be a strong hint into whether or not there is a real issue.
    
    If this is ongoing, you should capture the full packet(s) for analysis.
    
    Regards,
    David
    
    > -----Original Message-----
    > From: D.Stoutat_private [mailto:D.Stoutat_private]
    > Sent: Thursday, April 11, 2002 6:45 AM
    > To: incidentsat_private
    > Subject: IGMP DOS Attack
    > 
    > 
    >   After installing a Snort IDS system on a network link I am
    > responsible for, I left it running overnight to see how many alerts
    > would be generated.
    > When I returned in the morning I found 450,000 alerts from snort
    > detailing an IGMP DoS attack from 6 different source hosts. I cannot
    > find any information about this DoS attack (DDoS if you consider 6
    > hosts at the same time).
    > 
    >   Has anybody else had an IGMP DoS attack starting at 5:23 CET?
    >   Does anybody know what causes this?
    >   What are the implications of this (other than pure bandwidth
    > consumption)?
    > 
    >   I will continue to search for info, but please help me if you know
    > what this is.
    > 
    > Dave Stout 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
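    The checks David reasons through by hand above (is the datagram a fragment, is the first IGMP byte a type the RFCs define, does the message checksum verify) can be put into a few lines of Python. The example below is added here and is not code from the thread, from Snort, or from either poster. The valid type values come straight from RFC 1112 and RFC 2236; the Snort rule bodies for sids 272/273 are not reproduced, and the sample packets are constructed inline rather than captured. Run it against the first fragment of a suspect datagram to get a quick verdict before pulling the full packets.

```python
"""Classify raw IPv4 datagrams carrying IGMP (IP protocol 2).

Added example (not from the original mailing-list thread). It implements
the checks the reply reasons about by hand: fragmentation, whether the
first IGMP byte holds a type defined by RFC 1112 / RFC 2236, and whether
the IGMP checksum verifies. All sample packets are constructed inline.
"""
import struct

# IGMP message types defined in RFC 1112 (v1) and RFC 2236 (v2).
# Every one of them starts with a high nibble of 0x1.
IGMP_TYPES = {
    0x11: "membership query",
    0x12: "v1 membership report",
    0x16: "v2 membership report",
    0x17: "leave group",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(payload: bytes, src: str, dst: str, proto: int = 2,
               flags: int = 0, frag_offset: int = 0, ident: int = 1) -> bytes:
    """Minimal IPv4 header (no options) in front of payload.
    flags is the 3-bit field: 0x2 = DF, 0x1 = MF (more fragments)."""
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 1, proto, 0, _addr(src), _addr(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_igmp(msg_type: int, max_resp: int, group: str) -> bytes:
    """8-byte IGMPv2 message with a correct checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, _addr(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def classify_igmp(packet: bytes) -> dict:
    """Describe one IPv4 datagram: is it IGMP, is it a fragment, is the
    IGMP type RFC-defined, does the checksum verify, and is it suspicious
    by the criteria discussed in the thread (fragmented or unknown type)."""
    if len(packet) < 20:
        return {"error": "short IPv4 header"}
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return {"error": "not a sane IPv4 header"}
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    result = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "is_igmp": proto == 2,
        "fragment": more_frags or frag_offset != 0,
        "igmp_type": None,
        "known_type": False,
        "checksum_ok": None,   # None when it cannot be verified
        "suspicious": False,
    }
    if proto != 2:
        return result
    payload = packet[ihl:]
    # Only the first fragment (offset 0) carries the IGMP header.
    if frag_offset == 0 and len(payload) >= 8:
        result["igmp_type"] = payload[0]
        result["known_type"] = payload[0] in IGMP_TYPES
        if not more_frags:
            # Summing the whole message including its checksum field
            # yields 0 when the checksum is correct.
            result["checksum_ok"] = inet_checksum(payload) == 0
    result["suspicious"] = result["fragment"] or not result["known_type"]
    return result


# Constructed sample traffic (not captured data).
GOOD_QUERY = build_ipv4(build_igmp(0x11, 100, "0.0.0.0"),
                        "192.0.2.1", "224.0.0.1")
# First fragment (MF set) whose IGMP "type" byte is 0x00: the kind of
# fragmented, non-RFC IGMP the reply above calls fishy.
BAD_FRAG = build_ipv4(b"\x00\x00" + b"\x00" * 14,
                      "192.0.2.2", "192.0.2.3", flags=0x1, frag_offset=0)

if __name__ == "__main__":
    for name, pkt in (("good query", GOOD_QUERY), ("bad fragment", BAD_FRAG)):
        print(name, classify_igmp(pkt))
```

    A non-first fragment carries no IGMP header at all, so the classifier reports it as a fragment with no type and leaves the checksum unverified; reassemble before judging the type, but the fragment flag alone is already enough to match the "fragmented IGMP" pattern the thread is concerned with.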
    



    This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 13:50:27 PDT