> On Thu, 11 Apr 2002 15:00:00 EDT, "Headley, Kevin" <kevin.headleyat_private> said: > > > Since IGMP is multicast group membership and wouldn't pass a router unless > > specifically configured to do so (in many cases at least)...I have seen > > occasions where either the local machine is sending packets or a few other > > machines on that segment are joinging the group, responding... > Hmm, I'm not sure about this particular attack, BUT we've seen LOTS of attacks where someone simply set the protocol field to igmp's number and flooded packets to the destination they wanted to attack (like www.yourfavoriteattackedhost.com) Basically the attack just takes a slight bit longer to diagnose because its not 'common' (tcp or udp or icmp)... no better, no worse in the long run though. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 08:37:16 PDT