On 2014-02-13 Adam Thompson wrote:
> By definition, all IGMP packets will have a TTL of 1 - they're only supposed to discover directly-connected hosts that also run IGMP.
Right, but why would Shaw put out IGMP onto a wire consisting of nothing but "clients" -- home users? I can see them running IGMP on the other (upstream) side of their router, but why talk IGMP to clients when none should be talking IGMP?
> No. IGMP is a completely normal thing, and is not indicative of a "hacker".
Except the bogus DoD source IP.
Also, doesn't explain why these packets just started the other day, with nary a one seen before that. Also weird that no one else is seeing these, it's just my Shaw segment?
> A perfect example of why I've never found it worthwhile to log incoming traffic that got dropped.
I log drops with a severe rate limit, so I can get a glimpse of what garbage comes my way, without filling the disk or getting DDoS'd. It's interesting!