[RndTbl] DoD multicast?

Trevor Cordes trevor at tecnopolis.ca
Thu Feb 13 22:36:04 CST 2014


On 2014-02-13 Adam Thompson wrote:
> By definition, all IGMP packets will have a TTL of 1 - they're only 
> supposed to discover directly-connected hosts that also run IGMP.

Right, but why would Shaw put out IGMP onto a wire consisting of
nothing but "clients" -- home users?  I can see them running IGMP on
the other (upstream) side of their router, but why talk IGMP to clients
when none should be talking IGMP?

> No.  IGMP is a completely normal thing, and is not indicative of a
> "hacker".

Except the bogus DoD source IP.

Also, doesn't explain why these packets just started the other day,
with nary a one seen before that.  Also weird that no one else is
seeing these, it's just my Shaw segment?

> A perfect example of why I've never found it worthwhile to log
> incoming traffic that got dropped.

I log drops with a severe rate limit, so I can get a glimpse of what
garbage comes my way, without filling the disk or getting DDoS'd.  It's
interesting!
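
One way to triage rate-limited drop logs for the IGMP packets discussed in this thread, as an added example that is not part of the original message. It assumes the netfilter LOG line format; the sample lines, the `WAN_PREFIX` value and the `triage_igmp` name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the netfilter LOG format (not taken from the thread).
# Addresses are documentation ranges; 192.0.2.0/24 stands in for the WAN segment.
SAMPLE_LOG = """\
Feb 13 21:02:11 gw kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 21:03:11 gw kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:66:08:00 SRC=198.51.100.7 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 21:03:40 gw kernel: DROP IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 21:04:02 gw kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=2
"""

WAN_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumption: your own WAN subnet
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs in a LOG line


def triage_igmp(log_text, wan_prefix=WAN_PREFIX):
    """Return (src, ttl, reasons) for every logged IGMP packet (IP protocol 2)."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") != "2":      # LOG prints IGMP as the bare number 2
            continue
        src = ipaddress.ip_address(fields["SRC"])
        ttl = int(fields["TTL"])
        reasons = []
        if ttl != 1:
            reasons.append("ttl-not-1")     # IGMP is expected to arrive with TTL 1
        if src not in wan_prefix:
            reasons.append("src-off-link")  # source is outside the attached segment
        findings.append((str(src), ttl, reasons))
    return findings


if __name__ == "__main__":
    for src, ttl, reasons in triage_igmp(SAMPLE_LOG):
        print(f"{src:15} ttl={ttl:<3} {'OK' if not reasons else ','.join(reasons)}")
```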

