Starting Feb 4 I've been receiving on my Shaw modem connection an IP protocol 2 (IGMP) packet to 224.0.0.1 (all hosts multicast) from 22.34.128.1 (US DoD!!) every 1 minute on the dot. I've gotten over 10,000 so far. My iptables DROPs them all, but I'm wondering WTF? Is something misconfigured on the net with the DoD or Shaw or am I being targeted by DoD for some reason?
Packets to 224.0.0.1 are only for the local subnet and should not be forwarded. If they were sourced from the DoD, they should never have made it to your site. Also took a quick look at a route server, that network isn't in the global tables.
Occam's razor would suggest that it's a misconfiguration or some other crap on the network.
As an aside, I once had an RSA token server that had its config file corrupted. When we turned it on, it would spew packets at the DoD. After a brief panic, then a laugh, we figured out the problem and the DOS went away. Wondering if there's some pattern in the numbers.
Sean
On Tue, Feb 11, 2014 at 5:48 AM, Trevor Cordes trevor@tecnopolis.ca wrote:
On 2014-02-11 Sean Walberg wrote:
Packets to 224.0.0.1 are only for the local subnet and should not be
Hmm, I didn't see that in my (brief) multicast research, but I'll take your word for it. I did find that TTL=1 means local-subnet-only and these packets are indeed showing a TTL of 1.
Occam's razor would suggest that it's a misconfiguration or some other crap on the network.
Or I guess someone sending out spoof packets hoping to find someone running IGMP to mess with?
DOS went away. Wondering if there's some pattern in the numbers.
Well, it's still going on, every minute on the button.
I just did some more checks and see that I have the MAC for the source of the packets, and looking in arp I see the MAC belongs to my next-hop, a Shaw router. So either it is generating these, or this packet is indeed crossing a subnet boundary. No?
Can anyone else on Shaw (obviously without a non-linux router in the way) do a quick check to see they get these packets also?
Hey, what if it's some attempt by Shaw to detect and shut down hackers trying to run IGMP?
As long as the black helicopters aren't outside my house, this is more of a curiosity than a big concern. Well, except it is putting 208 bytes into my /v/l/messages every minute. ;-)
Just clued in here... IGMP... Every minute...
IGMP is normal traffic. Your kernel listens to IGMP. It's used to figure out if there are any nodes listening on multicast groups so that all the routers can build their multicast tree. Every minute makes sense because that's the normal interval for a multicast enabled router. If you pull the packets into WireShark you might get a sense of which groups it's querying for.
The DoD source is a puzzling one. My most-reasonable-non-tinfoil-hat-guess is that Shaw is using addresses from that space for internal management or some loopbacks and that was the interface picked for the source address (most IGMP queries and responses are sent to a mcast address so the source address is irrelevant). If you think "boy Sean, who would be that stupid?" then consider that APNIC had to reserve 1.1.1.0/24 because so many people use 1.1.1.1 and so forth on their networks (guilty!).
I don't see any multicast traffic on my host, so maybe your router having it enabled is a test or a mistake. Shaw has lots of crap on their network... Look at your ARP traffic for example, you're probably getting many pps of ARP for stuff not even on your local subnet. It's been that way for at least 8 years.
Sean
On Thu, Feb 13, 2014 at 2:52 AM, Trevor Cordes trevor@tecnopolis.ca wrote:
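An added illustration of the IGMP messages Sean describes (my own code, not anything posted to the list): it builds a packet shaped like the one Trevor reports (protocol 2, TTL 1, 22.34.128.1 to 224.0.0.1), decodes it, and reports whether it is a general query, whether the TTL and Router Alert option look like a normal querier, and whether the claimed source sits on the local subnet. The subnet 192.0.2.0/24 is an assumed stand-in for the Shaw segment, which the thread never names, and the packet bytes are constructed, not captured.

```python
import ipaddress
import struct

IGMP_TYPES = {0x11: "membership query", 0x12: "v1 membership report",
              0x16: "v2 membership report", 0x17: "leave group"}
ROUTER_ALERT = b"\x94\x04\x00\x00"  # IPv4 option that IGMPv2 messages are sent with

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmp_query(src: str, dst: str = "224.0.0.1", group: str = "0.0.0.0",
                     ttl: int = 1, max_resp_tenths: int = 100) -> bytes:
    """Constructed IPv4 + IGMPv2 query (type 0x11); group 0.0.0.0 makes it a general query."""
    igmp = struct.pack("!BBH4s", 0x11, max_resp_tenths, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ihl = 5 + len(ROUTER_ALERT) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0xC0, ihl * 4 + len(igmp), 0, 0x4000, ttl,
                     2, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip += ROUTER_ALERT
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + igmp

def classify_igmp(packet: bytes, local_net: str) -> dict:
    """Decode one IPv4/IGMP packet and report the properties the thread argues about."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 2:
        raise ValueError("IP protocol %d is not IGMP" % proto)
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    igmp = packet[ihl:]
    mtype, max_resp, _csum, group = struct.unpack("!BBH4s", igmp[:8])
    group = ipaddress.IPv4Address(group)
    kind = IGMP_TYPES.get(mtype, "unknown (0x%02x)" % mtype)
    if mtype == 0x11:  # a query for group 0.0.0.0 is the general "anyone listening?" probe
        kind = "general query" if group == ipaddress.IPv4Address("0.0.0.0") else "group-specific query"
    return {
        "src": str(src), "dst": str(dst), "ttl": ttl, "kind": kind, "group": str(group),
        "max_resp_s": max_resp / 10,
        "checksum_ok": inet_checksum(igmp) == 0,
        "router_alert": packet[20:ihl].startswith(ROUTER_ALERT[:2]),
        "link_local_ttl": ttl == 1,  # TTL 1 never crosses a router, whatever the source says
        "src_on_local_net": src in ipaddress.ip_network(local_net, strict=False),  # the thread's oddity
    }
```

Feeding it real bytes from a capture instead of the constructed packet only requires slicing off the Ethernet header first.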
On 14-02-13 02:52 AM, Trevor Cordes wrote:
Hmm, I didn't see that in my (brief) multicast research, but I'll take your word for it. I did find that TTL=1 means local-subnet-only and these packets are indeed showing a TTL of 1.
Your google-fu is weak, as usual. From the Wikipedia page on "Multicast address": 224.0.0.1 The All Hosts multicast group addresses all hosts on the same network segment.
By definition, all IGMP packets will have a TTL of 1 - they're only supposed to discover directly-connected hosts that also run IGMP.
I just did some more checks and see that I have the MAC for the source of the packets, and looking in arp I see the MAC belongs to my next-hop, a Shaw router. So either it is generating these, or this packet is indeed crossing a subnet boundary. No?
The router will be generating them. Only multicast-capable routers should ever generate IGMP packets. (Some switches intercept and occasionally modify them, but that's an acceptable special case.)
Hey, what if it's some attempt by Shaw to detect and shut down hackers trying to run IGMP?
No. IGMP is a completely normal thing, and is not indicative of a "hacker".
As long as the black helicopters aren't outside my house, this is more of a curiosity than a big concern. Well, except it is putting 208 bytes into my /v/l/messages every minute. ;-)
A perfect example of why I've never found it worthwhile to log incoming traffic that got dropped.
On 2014-02-13 Adam Thompson wrote:
By definition, all IGMP packets will have a TTL of 1 - they're only supposed to discover directly-connected hosts that also run IGMP.
Right, but why would Shaw put out IGMP onto a wire consisting of nothing but "clients" -- home users? I can see them running IGMP on the other (upstream) side of their router, but why talk IGMP to clients when none should be talking IGMP?
No. IGMP is a completely normal thing, and is not indicative of a "hacker".
Except the bogus DoD source IP.
Also, doesn't explain why these packets just started the other day, with nary a one seen before that. Also weird that no one else is seeing these, it's just my Shaw segment?
A perfect example of why I've never found it worthwhile to log incoming traffic that got dropped.
I log drops with a severe rate limit, so I can get a glimpse of what garbage comes my way, without filling the disk or getting DDoS'd. It's interesting!
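An added example, not part of the thread: a parser for the KEY=VALUE lines the iptables LOG target writes, run over constructed sample lines (the addresses, TTL and one-minute cadence mirror what Trevor reports; the MACs, hostname, log prefix and the extra TCP probe are made up) to check per-sender cadence and TTL the way one would over a real rate-limited drop log.

```python
import ipaddress
import re
from datetime import datetime
from statistics import mean

# Constructed syslog lines in the KEY=VALUE layout the iptables LOG target writes; addresses,
# TTL and the one-minute cadence mirror the thread, the MACs and the TCP probe are made up.
SAMPLE_LOG = """\
Feb 13 02:40:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:00:5e:00:01:01:08:00 SRC=22.34.128.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 02:40:37 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:00:5e:00:01:01:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4711 PROTO=TCP SPT=45000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 13 02:41:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:00:5e:00:01:01:08:00 SRC=22.34.128.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 02:42:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:00:5e:00:01:01:08:00 SRC=22.34.128.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                     r"(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")

def parse_log_line(line: str, year: int = 2014):
    """Split one LOG line into timestamp, --log-prefix text and KEY=VALUE fields (None if not one)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "prefix": m["prefix"].strip(), **fields}

def summarize_flows(log_text: str, year: int = 2014) -> dict:
    """Group dropped packets by (SRC, DST, PROTO) and measure how regular each sender is."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line, year)
        if rec:
            flows.setdefault((rec["SRC"], rec["DST"], rec["PROTO"]), []).append(rec)
    summary = {}
    for key, recs in flows.items():
        times = [r["ts"] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(recs),
            "ttls": sorted({int(r["TTL"]) for r in recs}),
            "mean_gap_s": mean(gaps) if gaps else None,
            # a timer-driven sender ("every minute on the dot") shows near-identical gaps
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= 2,
            "multicast_dst": ipaddress.IPv4Address(key[1]).is_multicast,
        }
    return summary
```

A flow that is periodic, TTL 1 and aimed at a 224.0.0.0/24 address is a local querier's heartbeat rather than anything routed in from the source it claims.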
Right, but why would Shaw put out IGMP onto a wire consisting of nothing but "clients" -- home users? I can see them running IGMP on the other (upstream) side of their router, but why talk IGMP to clients when none should be talking IGMP?
Hosts speak IGMP, too. It's used to indicate interest in a multicast group. Normally the host would send something saying "hey sign me up for the stream at 229.1.1.1" and they'd start getting the stream. Every minute you'd then see a query to 229.1.1.1 from the router saying "hey local segment, is there anyone here that still wants this?" and it's the host's job to say "I do!". The 224.0.0.1 is a special case, basically a "hey are there any multicast listeners out here?" kind of thing.
Back to Occam's razor... It's probably a misconfiguration (if memory serves, it's just one command like "ip pim enable") or a field trial (IP TV?) and the address is again a misconfiguration or them using the address space for management.
Sean
On Thu, Feb 13, 2014 at 10:36 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
On 2014-02-13 Sean Walberg wrote:
Hosts speak IGMP, too. It's used to indicate interest in a multicast group. Normally the host would send something saying "hey sign me up for the stream at 229.1.1.1" and they'd start getting the stream. Every minute you'd then see a query to 229.1.1.1 from the router saying "hey local segment, is there anyone here that still wants this?" and it's the host's job to say "I do!". The 224.0.0.1 is a special case, basically a "hey are there any multicast listeners out here?" kind of thing.
Thanks for the tutorial, I've always been real hazy on multicast, having never had a need for it. Your theories are most likely correct.
Correct me if I'm wrong though: while hosts may speak IGMP for multicast, it's something that is basically never used by average-Joe home users and thus Shaw would most likely disable. As per one of your theories, it would really only make sense if Shaw was testing a multicast TV-over-IP concept.