IGMP DOS Attack

From: D.Stout@EU.HNS.COM
Date: 04/11/02 

To: incidents@securityfocus.com
From: D.Stout@EU.HNS.COM
Date: Thu, 11 Apr 2002 11:45:24 +0100

  After installing a Snort IDS system on a network link I am responsible
for , I left it running over night to see how many alerts would be
generated.
When I returned in the morning I found 450,000 alerts from snort detailing
a IGMP DoS attack from 6 different source hosts. I cannot find any
information about this DoS attack (DDoS if you consider 6 hosts at same
time).

  Has anybody else had an IGMP DoS attack starting at 5:23 CET ?
  Does anybody know what causes this ?
  What are the implications of this (other than pure bandwidth
consumption)

  I will continue to search for info, but please help me if you know what
this is.

Dave Stout
Internet Security Engineer

#**********************************************************************
This message is intended solely for the use of the individual
or organisation to whom it is addressed. It may contain
privileged or confidential information. If you have received
this message in error, please notify the originator immediately.
If you are not the intended recipient, you should not use,
copy, alter, or disclose the contents of this message. All
information or opinions expressed in this message and/or
any attachments are those of the author and are not
necessarily those of Hughes Network Systems Limited,
including its European subsidiaries and affiliates. Hughes
Network Systems Limited, including its European
subsidiaries and affiliates accepts no responsibility for loss
or damage arising from its use, including damage from virus.
#**********************************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com