[RndTbl] DoD multicast?

Sean Walberg sean at ertw.com
Thu Feb 13 08:16:34 CST 2014


Just clued in here... IGMP... Every minute...

IGMP is normal traffic. Your kernel listens to IGMP. It's used to figure
out if there are any nodes listening on multicast groups so that all the
routers can build their multicast tree. Every minute makes sense because
that's the normal interval for a multicast enabled router. If you pull the
packets into Wireshark you might get a sense of which groups it's querying
for.

The DoD source is a puzzling one. My most-reasonable-non-tinfoil-hat-guess
is that Shaw is using addresses from that space for internal management or
some loopbacks and that was the interface picked for the source address
(most IGMP queries and responses are sent to a mcast address so the source
address is irrelevant). If you think "boy Sean, who would be that stupid?"
then consider that APNIC had to reserve 1.1.1.0/24 because so many people
use 1.1.1.1 and so forth on their networks (guilty!).

I don't see any multicast traffic on my host, so maybe your router having
it enabled is a test or a mistake. Shaw has lots of crap on their
network... Look at your ARP traffic for example, you're probably getting
many pps of ARP for stuff not even on your local subnet. It's been that way
for at least 8 years.

Sean



On Thu, Feb 13, 2014 at 2:52 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> On 2014-02-11 Sean Walberg wrote:
> > Packets to 224.0.0.1 are only for the local subnet and should not be
>
> Hmm, I didn't see that in my (brief) multicast research, but I'll take
> your word for it.  I did find that TTL=1 means local-subnet-only and
> these packets are indeed showing a TTL of 1.
>
> > Occam's razor would suggest that it's a misconfiguration or some
> > other crap on the network.
>
> Or I guess someone sending out spoof packets hoping to find someone
> running IGMP to mess with?
>
> > DOS went away. Wondering if there's some pattern in the numbers.
>
> Well, it's still going on, every minute on the button.
>
> I just did some more checks and see that I have the MAC for the source
> of the packets, and looking in arp I see the MAC belongs to my
> next-hop, a Shaw router.  So either it is generating these, or this
> packet is indeed crossing a subnet boundary.  No?
>
> Can anyone else on Shaw (obviously without a non-linux router in the
> way) do a quick check to see they get these packets also?
>
> Hey, what if it's some attempt by Shaw to detect and shutdown hackers
> trying to run IGMP?
>
> As long as the black helicopters aren't outside my house, this is more
> of a curiosity than a big concern.  Well, except it is putting 208
> bytes into my /v/l/messages every minute.  ;-)
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
>



-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
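Added decoder (not code from this thread, and not something Sean or Trevor posted): a small Python script that pulls the fields Sean suggests looking at out of a raw IPv4+IGMP packet: source, destination, TTL, whether the Router Alert option is present, the IGMP type, and for a Membership Query whether it is a general query (group 0.0.0.0 sent to 224.0.0.1) or a group-specific one. Both checksums are verified so a corrupted or hand-crafted packet is rejected rather than misread. The sample packets are constructed by build_igmp_query(); the source 6.0.0.1 and the group 239.1.2.3 are placeholders chosen for the example and are not the addresses anyone on the list observed.

```python
"""Decode IGMP queries from raw IPv4 packets (added example, not from the thread).

Sample packets are constructed by build_igmp_query(); the addresses used
(6.0.0.1, 239.1.2.3) are placeholders, not values observed on the list.
"""
import ipaddress
import struct

IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "IGMPv2 Leave Group",
    0x22: "IGMPv3 Membership Report",
}
# RFC 2113 Router Alert option; IGMPv2/v3 senders are expected to include it.
ROUTER_ALERT = b"\x94\x04\x00\x00"
# 224.0.0.0/24 is the Local Network Control Block: routers never forward it.
LOCAL_CONTROL_BLOCK = ipaddress.IPv4Network("224.0.0.0/24")


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 header and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp_query(src: str, group: str = "0.0.0.0", max_resp: int = 100, ttl: int = 1) -> bytes:
    """Construct an IGMPv2 query as a querier router would send it (sample input only).
    A general query carries group 0.0.0.0 and goes to 224.0.0.1; a group-specific
    query is addressed to the group itself."""
    dst = "224.0.0.1" if group == "0.0.0.0" else group
    igmp = struct.pack("!BBH4s", 0x11, max_resp, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ihl = (20 + len(ROUTER_ALERT)) // 4          # header length in 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(igmp), 0, 0x4000,
                      ttl, 2, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + ROUTER_ALERT
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


def parse_igmp(packet: bytes) -> dict:
    """Decode IPv4 + IGMP headers and classify the message; ValueError if malformed."""
    if len(packet) < 28:
        raise ValueError("too short for IPv4 + IGMP")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 2 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 IGMP packet")
    if inet_checksum(packet[:ihl]) != 0:      # a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    igmp = packet[ihl:total_len]
    if len(igmp) < 8 or inet_checksum(igmp) != 0:
        raise ValueError("bad IGMP length or checksum")
    igmp_type, max_resp, _c, group = struct.unpack("!BBH4s", igmp[:8])
    dst_addr = ipaddress.IPv4Address(dst)
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(dst_addr),
        "ttl": ttl,
        "router_alert": ROUTER_ALERT in packet[20:ihl],
        "type": IGMP_TYPES.get(igmp_type, "unknown 0x%02x" % igmp_type),
        "group": str(ipaddress.IPv4Address(group)),
        # Either condition keeps the packet on the local subnet.
        "stays_on_subnet": ttl == 1 or dst_addr in LOCAL_CONTROL_BLOCK,
    }
    if igmp_type == 0x11:
        # v3 queries are 12+ bytes; a v1 query has Max Resp Time zero; else v2.
        info["version"] = 3 if len(igmp) >= 12 else (1 if max_resp == 0 else 2)
        info["query"] = "general" if group == b"\x00\x00\x00\x00" else "group-specific"
    return info


if __name__ == "__main__":
    for pkt in (build_igmp_query("6.0.0.1"), build_igmp_query("6.0.0.1", group="239.1.2.3")):
        print(parse_igmp(pkt))
```

To feed it real traffic, capture with `tcpdump -ni eth0 -w igmp.pcap igmp` (or the `igmp` display filter in Wireshark) and pass the IPv4 payload of each frame to parse_igmp(); a general query every minute with TTL 1 to 224.0.0.1 is exactly the querier behaviour described above, and the "src" field shows which address the router chose to send it from.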