[RndTbl] DoD multicast?
Adam Thompson
athompso at athompso.net
Thu Feb 13 21:28:59 CST 2014
On 14-02-13 02:52 AM, Trevor Cordes wrote:
> Hmm, I didn't see that in my (brief) multicast research, but I'll take
> your word for it. I did find that TTL=1 means local-subnet-only and
> these packets are indeed showing a TTL of 1.
Your google-fu is weak, as usual. From the Wikipedia page on "Multicast
address":
    224.0.0.1: The "All Hosts" multicast group addresses all hosts on
    the same network segment.
By definition, all IGMP packets will have a TTL of 1 - they're only
supposed to discover directly-connected hosts that also run IGMP.
>
> I just did some more checks and see that I have the MAC for the source
> of the packets, and looking in arp I see the MAC belongs to my
> next-hop, a Shaw router. So either it is generating these, or this
> packet is indeed crossing a subnet boundary. No?
The router will be generating them. Only multicast-capable routers
should ever generate IGMP packets. (Some switches intercept and
occasionally modify them, but that's an acceptable special case.)
> Hey, what if it's some attempt by Shaw to detect and shut down hackers
> trying to run IGMP?
No. IGMP is a completely normal thing, and is not indicative of a "hacker".
> As long as the black helicopters aren't outside my house, this is more
> of a curiosity than a big concern. Well, except it is putting 208
> bytes into my /v/l/messages every minute. ;-)
A perfect example of why I've never found it worthwhile to log incoming
traffic that got dropped.
--
-Adam Thompson
athompso at athompso.net
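
The check discussed in this message, as an added example that is not part of the original post: a Python parser that takes a raw IPv4 packet and reports whether it is IGMP, whether it has TTL 1 and a 224.0.0.0/24 destination, and whether it is a query to 224.0.0.1. The sample packet, its source address 192.0.2.1 and the function names are constructed for illustration; the type codes are those defined in the IGMP RFCs.

```python
import struct
import ipaddress

IGMP_PROTO = 2  # IP protocol number assigned to IGMP
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")
IGMP_TYPES = {0x11: "membership query", 0x12: "v1 report",
              0x16: "v2 report", 0x17: "leave group", 0x22: "v3 report"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet: bytes) -> dict:
    """Parse a raw IPv4 packet and report the fields discussed in the thread."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length, including IP options
    ttl, proto = packet[8], packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if proto != IGMP_PROTO or len(packet) < ihl + 8:
        return {"igmp": False, "src": str(src), "dst": str(dst), "ttl": ttl}
    igmp = packet[ihl:]
    return {
        "igmp": True, "src": str(src), "dst": str(dst), "ttl": ttl,
        "type": IGMP_TYPES.get(igmp[0], hex(igmp[0])),
        "link_local_scope": ttl == 1 and dst in LINK_LOCAL,
        "all_hosts_query": igmp[0] == 0x11 and dst == ALL_HOSTS,
        "checksum_ok": inet_checksum(igmp) == 0,  # a valid message sums to zero
    }

def build_sample() -> bytes:
    """Constructed sample: IGMPv2 general query from 192.0.2.1 to 224.0.0.1."""
    igmp = struct.pack("!BBH4s", 0x11, 100, 0, bytes(4))
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    # IHL=6: 20-byte header plus the 4-byte Router Alert option; TTL is 1.
    # The IP header checksum is left at zero because classify() does not check it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0, 1,
                      IGMP_PROTO, 0, ipaddress.IPv4Address("192.0.2.1").packed,
                      ALL_HOSTS.packed) + bytes([0x94, 0x04, 0x00, 0x00])
    return hdr + igmp
```

A packet for which `link_local_scope` and `all_hosts_query` are both true matches the ordinary router-generated query described above; an IGMP packet arriving with a TTL above 1 is the case that would merit a closer look.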