[RndTbl] DoD multicast?

Sean Walberg sean at ertw.com
Thu Feb 13 23:00:10 CST 2014


>
> Right, but why would Shaw put out IGMP onto a wire consisting of
> nothing but "clients" -- home users?  I can see them running IGMP on
> the other (upstream) side of their router, but why talk IGMP to clients
> when none should be talking IGMP?


Hosts speak IGMP, too. It's used to indicate interest in a multicast group.
Normally the host would send something saying "hey sign me up for the
stream at 229.1.1.1" and they'd start getting the stream. Every minute
you'd then see a query to 229.1.1.1 from the router saying "hey local
segment, is there anyone here that still wants this?" and it's the host's
job to say "I do!". The 224.0.0.1 is a special case, basically a "hey, are
there any multicast listeners out here?" kind of thing.

Back to Occam's razor... It's probably a misconfiguration (if memory
serves, it's just one command like "ip pim enable") or a field trial (IP
TV?) and the address is again a misconfiguration or them using the address
space for management.

Sean


On Thu, Feb 13, 2014 at 10:36 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> On 2014-02-13 Adam Thompson wrote:
> > By definition, all IGMP packets will have a TTL of 1 - they're only
> > supposed to discover directly-connected hosts that also run IGMP.
>
> Right, but why would Shaw put out IGMP onto a wire consisting of
> nothing but "clients" -- home users?  I can see them running IGMP on
> the other (upstream) side of their router, but why talk IGMP to clients
> when none should be talking IGMP?
>
> > No.  IGMP is a completely normal thing, and is not indicative of a
> > "hacker".
>
> Except the bogus DoD source IP.
>
> Also, doesn't explain why these packets just started the other day,
> with nary a one seen before that.  Also weird that no one else is
> seeing these, it's just my Shaw segment?
>
> > A perfect example of why I've never found it worthwhile to log
> > incoming traffic that got dropped.
>
> I log drops with a severe rate limit, so I can get a glimpse of what
> garbage comes my way, without filling the disk or getting DDoS'd.  It's
> interesting!
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
>



-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
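The join / query exchange described in the reply above, as an added example that is not part of the original post or thread: a small Python builder and decoder for IGMPv2 (RFC 2236) messages, plus the checks a reader of rate-limited firewall drop logs would want to run over such a packet (TTL 1, multicast destination, valid checksums). The host and router addresses, the timer values and every frame are constructed here (RFC 5737 documentation ranges; 229.1.1.1 is the group from the reply). The `local_net` argument, which flags a source that is not on the segment, is my own addition for triage and not part of the protocol.

```python
"""IGMPv2 (RFC 2236) builder and decoder for the exchange described above.

Added example, not from the original thread. All addresses and frames are
constructed (RFC 5737 documentation ranges); nothing here was captured from
the Shaw segment under discussion.
"""
import ipaddress
import struct

IPPROTO_IGMP = 2
IGMP_MEMBERSHIP_QUERY = 0x11      # router -> 224.0.0.1 (general) or -> group (group-specific)
IGMP_V2_MEMBERSHIP_REPORT = 0x16  # host -> group: "sign me up" / "I still want it"
IGMP_LEAVE_GROUP = 0x17           # host -> 224.0.0.2
ALL_HOSTS = "224.0.0.1"
UNSPECIFIED = "0.0.0.0"


def rfc1071_checksum(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of 16-bit words.
    Over a message that already carries a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """8-byte IGMPv2 message: type, max response time (1/10 s), checksum, group."""
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) carrying an IGMP payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         ttl, IPPROTO_IGMP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", rfc1071_checksum(header)) + header[12:]
    return header + payload


def decode_frame(frame: bytes, local_net: str = None) -> dict:
    """Decode an IPv4+IGMP packet and list what a drop-log reader would check:
    TTL 1, multicast destination, valid checksums and, if local_net is given
    (my addition, an assumption about the segment), an on-link source."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4   # honours IP options such as Router Alert
    if len(frame) < ihl + 8:
        raise ValueError("truncated")
    header = frame[:ihl]
    ttl, proto = header[8], header[9]
    if proto != IPPROTO_IGMP:
        raise ValueError("not IGMP (protocol %d)" % proto)
    src = ipaddress.IPv4Address(header[12:16])
    dst = ipaddress.IPv4Address(header[16:20])
    msg_type, max_resp, _, group_raw = struct.unpack("!BBH4s", frame[ihl:ihl + 8])
    group = str(ipaddress.IPv4Address(group_raw))

    if msg_type == IGMP_MEMBERSHIP_QUERY:
        kind = "general query" if group == UNSPECIFIED else "group-specific query for " + group
    elif msg_type == IGMP_V2_MEMBERSHIP_REPORT:
        kind = "membership report for " + group
    elif msg_type == IGMP_LEAVE_GROUP:
        kind = "leave group " + group
    else:
        kind = "unknown IGMP type 0x%02x" % msg_type

    warnings = []
    if ttl != 1:
        warnings.append("ttl=%d, IGMP is link-local and should have TTL 1" % ttl)
    if not dst.is_multicast:
        warnings.append("destination %s is not a multicast address" % dst)
    if rfc1071_checksum(header) != 0:
        warnings.append("bad IP header checksum")
    if rfc1071_checksum(frame[ihl:ihl + 8]) != 0:
        warnings.append("bad IGMP checksum")
    if local_net is not None and src not in ipaddress.ip_network(local_net):
        warnings.append("source %s is off-link (not in %s)" % (src, local_net))
    return {"src": str(src), "dst": str(dst), "ttl": ttl, "kind": kind,
            "max_resp_time": max_resp, "warnings": warnings}


def igmp_exchange():
    """The three messages from the explanation above as (label, frame) pairs.
    Host/router addresses are constructed (TEST-NET-1); the timers are the
    RFC 2236 defaults (10 s query response, 1 s last-member query)."""
    host, router, group = "192.0.2.10", "192.0.2.1", "229.1.1.1"
    return [
        ("host: sign me up for " + group,
         build_ipv4(host, group, build_igmpv2(IGMP_V2_MEMBERSHIP_REPORT, group))),
        ("router: anyone still want " + group + "?",
         build_ipv4(router, group, build_igmpv2(IGMP_MEMBERSHIP_QUERY, group, 10))),
        ("router: any listeners out there at all?",
         build_ipv4(router, ALL_HOSTS, build_igmpv2(IGMP_MEMBERSHIP_QUERY, UNSPECIFIED, 100))),
    ]


if __name__ == "__main__":
    for label, frame in igmp_exchange():
        print(label, "->", decode_frame(frame, local_net="192.0.2.0/24"))
    # A query with a routed TTL from an off-segment source (constructed), the
    # kind of packet that would stand out in a rate-limited drop log.
    odd = build_ipv4("203.0.113.7", ALL_HOSTS,
                     build_igmpv2(IGMP_MEMBERSHIP_QUERY, UNSPECIFIED, 100), ttl=64)
    print("odd ->", decode_frame(odd, local_net="192.0.2.0/24"))
```

The decoder reads the IHL field rather than assuming a 20-byte header, so it also handles real IGMP packets that carry the Router Alert option. Feeding it the raw bytes of a logged packet gives the message type, the group and any reason the packet looks out of place; the three constructed frames decode cleanly with no warnings, while the last one is flagged for both its TTL and its off-link source.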