Re: IGMP DOS Attack

From: Dave Dittrich (dittrichat_private)
Date: Thu Apr 11 2002 - 23:57:00 PDT

Next message: Jonathon.Kalaugher@sbg-ap.com: "FW: Footprints of ASP ISAPI filter buffer overflows"

Previous message: Christopher L. Morrow: "Re: IGMP DOS Attack"
In reply to: D.Stoutat_private: "IGMP DOS Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 11 Apr 2002 D.Stoutat_private wrote:

> When I returned in the morning I found 450,000 alerts from snort detailing
> a IGMP DoS attack from 6 different source hosts. I cannot find any
> information about this DoS attack (DDoS if you consider 6 hosts at same
> time).
>  . . .
>   Does anybody know what causes this ?

I know of at least one mIRC based DDoS bot that used (or at least
tried to use) IGMP for flooding:

	http://staff.washington.edu/dittrich/misc/power.analysis.txt

--
Dave Dittrich                           Computing & Communications
dittrichat_private             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jonathon.Kalaugher@sbg-ap.com: "FW: Footprints of ASP ISAPI filter buffer overflows"
Previous message: Christopher L. Morrow: "Re: IGMP DOS Attack"
In reply to: D.Stoutat_private: "IGMP DOS Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 08:41:16 PDT