[RndTbl] DoD multicast?

[Trevor Cordes]

On 2014-02-11 Sean Walberg wrote:
> Packets to 224.0.0.1 are only for the local subnet and should not be

Hmm, I didn't see that in my (brief) multicast research, but I'll take
your word for it.  I did find that TTL=1 means local-subnet-only and
these packets are indeed showing a TTL of 1.

> Occam's razor would suggest that it's a misconfiguration or some
> other crap on the network.

Or I guess someone sending out spoof packets hoping to find someone
running IGMP to mess with?

> DOS went away. Wondering if there's some pattern in the numbers.

Well, it's still going on, every minute on the button.

I just did some more checks and see that I have the MAC for the source
of the packets, and looking in arp I see the MAC belongs to my
next-hop, a Shaw router.  So either it is generating these, or this
packet is indeed crossing a subnet boundary.  No?

Can anyone else on Shaw (obviously without a non-linux router in the
way) do a quick check to see they get these packets also?

Hey, what if it's some attempt by Shaw to detect and shutdown hackers
trying to run IGMP?

As long as the black helicopters aren't outside my house, this is more
of a curiosity than a big concern.  Well, except it is putting 208
bytes into my /v/l/messages every minute.  ;-)