> Right, but why would Shaw put out IGMP onto a wire consisting of nothing but "clients" -- home users? I can see them running IGMP on the other (upstream) side of their router, but why talk IGMP to clients when none should be talking IGMP?
Hosts speak IGMP, too. It's used to indicate interest in a multicast group. Normally the host would send something saying "hey sign me up for the stream at 229.1.1.1" and they'd start getting the stream. Every minute you'd then see a query to 229.1.1.1 from the router saying "hey local segment, is there anyone here that still wants this?" and it's the host's job to say "I do!". The 224.0.0.1 is a special case, basically a "hey are there any multicast listeners out here?" kind of thing.
Back to Occam's razor... It's probably a misconfiguration (if memory serves, it's just one command like "ip pim enable") or a field trial (IP TV?) and the address is again a misconfiguration or them using the address space for management.
Sean
On Thu, Feb 13, 2014 at 10:36 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
> On 2014-02-13 Adam Thompson wrote:
>> By definition, all IGMP packets will have a TTL of 1 - they're only supposed to discover directly-connected hosts that also run IGMP.
> Right, but why would Shaw put out IGMP onto a wire consisting of nothing but "clients" -- home users? I can see them running IGMP on the other (upstream) side of their router, but why talk IGMP to clients when none should be talking IGMP?
>> No. IGMP is a completely normal thing, and is not indicative of a "hacker".
> Except the bogus DoD source IP.
> Also, doesn't explain why these packets just started the other day, with nary a one seen before that. Also weird that no one else is seeing these, it's just my Shaw segment?
>> A perfect example of why I've never found it worthwhile to log incoming traffic that got dropped.
> I log drops with a severe rate limit, so I can get a glimpse of what garbage comes my way, without filling the disk or getting DDoS'd. It's interesting!
_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable
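As an added example (not part of the thread or written by any of its participants), this sketch decodes a logged IPv4+IGMP packet and checks the properties discussed above: TTL of 1, a general query addressed to 224.0.0.1, a group query addressed to its group, and a source on the local segment. The `local_net` value and all addresses except 224.0.0.1 and 229.1.1.1 are constructed, using documentation ranges.

```python
import ipaddress
import struct

IGMP_TYPES = {0x11: "membership-query", 0x12: "v1-report",
              0x16: "v2-report", 0x17: "leave-group", 0x22: "v3-report"}
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")

def build_packet(src, dst, ttl, igmp_type, group):
    """Construct a sample IPv4+IGMPv2 packet (constructed data, checksums zero)."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    igmp = struct.pack("!BBH4s", igmp_type, 100, 0, pack(group))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(igmp), 0, 0,
                     ttl, 2, 0, pack(src), pack(dst))
    return ip + igmp

def inspect_igmp(packet, local_net):
    """Return (description, findings) for one raw IPv4 packet carrying IGMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4      # may exceed 20 when Router Alert is present
    ttl, proto = packet[8], packet[9]
    if ihl < 20 or proto != 2 or len(packet) < ihl + 8:
        raise ValueError("not an IGMP packet")
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    igmp_type, _resp, _cksum, raw = struct.unpack("!BBH4s", packet[ihl:ihl + 8])
    group = ipaddress.IPv4Address(raw)
    kind = IGMP_TYPES.get(igmp_type, f"unknown-0x{igmp_type:02x}")
    if igmp_type == 0x11:             # group 0.0.0.0 means "any listeners at all?"
        kind = "general-query" if int(group) == 0 else "group-specific-query"
    findings = []
    if ttl != 1:
        findings.append("ttl-not-1")
    if src not in ipaddress.ip_network(local_net):
        findings.append("source-off-segment")
    if kind == "general-query" and dst != ALL_HOSTS:
        findings.append("general-query-not-to-all-hosts")
    if kind == "group-specific-query" and dst != group:
        findings.append("query-dst-differs-from-group")
    return f"{kind} {src} -> {dst}", findings

if __name__ == "__main__":
    samples = [  # constructed packets; 192.0.2.0/24 stands in for the local segment
        build_packet("192.0.2.1", "224.0.0.1", 1, 0x11, "0.0.0.0"),
        build_packet("192.0.2.1", "229.1.1.1", 1, 0x11, "229.1.1.1"),
        build_packet("198.51.100.7", "224.0.0.1", 1, 0x11, "0.0.0.0"),
    ]
    for pkt in samples:
        print(*inspect_igmp(pkt, "192.0.2.0/24"))
```

A query with no findings is ordinary router behaviour; only the source-off-segment finding corresponds to the oddity raised in the thread.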