[RndTbl] DoD multicast?
Trevor Cordes
trevor at tecnopolis.ca
Thu Feb 13 22:36:04 CST 2014
On 2014-02-13 Adam Thompson wrote:

> By definition, all IGMP packets will have a TTL of 1 - they're only
> supposed to discover directly-connected hosts that also run IGMP.

Right, but why would Shaw put out IGMP onto a wire consisting of
nothing but "clients" -- home users? I can see them running IGMP on
the other (upstream) side of their router, but why talk IGMP to clients
when none should be talking IGMP?

> No. IGMP is a completely normal thing, and is not indicative of a
> "hacker".

Except the bogus DoD source IP.

Also, doesn't explain why these packets just started the other day,
with nary a one seen before that. Also weird that no one else is
seeing these, it's just my Shaw segment?

> A perfect example of why I've never found it worthwhile to log
> incoming traffic that got dropped.

I log drops with a severe rate limit, so I can get a glimpse of what
garbage comes my way, without filling the disk or getting DDoS'd. It's
interesting!
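
An added example, not part of the original message or the list archive: a small Python triage of rate-limited drop logs like the ones discussed in this thread, grouping IGMP entries by source address, noting when each source was first seen, and checking the TTL-of-1 expectation. The log lines, hostname, `DROP: ` prefix and addresses are constructed, and the netfilter LOG key=value layout with IGMP shown as `PROTO=2` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed netfilter LOG key=value layout).
# Addresses come from documentation ranges; "DROP: " is an assumed log prefix.
SAMPLE_LOG = """\
Feb 12 03:14:07 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 12 03:16:12 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 12 03:17:40 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=TCP SPT=40211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 13 21:02:55 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)\s"
    r".*?\bTTL=(?P<ttl>\d+)\s.*?\bPROTO=(?P<proto>\S+)"
)


def summarize_igmp(log_text):
    """Group logged IGMP drops (IP protocol 2) by source address."""
    sources = defaultdict(lambda: {"count": 0, "first_seen": None, "ttls": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "2":
            continue  # not a parsable drop line, or not IGMP
        entry = sources[m["src"]]
        entry["count"] += 1  # lower bound: rate-limited logging skips packets
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        entry["ttls"].add(int(m["ttl"]))
    return dict(sources)


def unexpected_ttl(summary):
    """Sources whose logged IGMP packets carried a TTL other than 1."""
    return sorted(src for src, e in summary.items() if e["ttls"] - {1})


if __name__ == "__main__":
    summary = summarize_igmp(SAMPLE_LOG)
    for src, e in summary.items():
        print(src, e["count"], e["first_seen"], sorted(e["ttls"]))
    print("IGMP sources with TTL != 1:", unexpected_ttl(summary))
```

Because the log is rate-limited, the per-source counts are a floor rather than a packet total; the first-seen timestamp and the TTL set are the more reliable fields.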