RE: IGMP DOS Attack

From: Cushing, David (David.Cushing@hitachisoftware.com)
Date: 04/11/02


Date: Thu, 11 Apr 2002 16:18:39 -0400
From: "Cushing, David" <David.Cushing@hitachisoftware.com>
To: <D.Stout@EU.HNS.COM>, <incidents@securityfocus.com>

Dave,

It would have been helpful if you told us what rule failed. I am
assuming it was sid 272 or 273, which are scantily documented on the
snort site.

If this is the correct issue, a fragmented IGMP packet would cause
Windows to crash. See these links for more detail on the vulnerability:

http://online.securityfocus.com/archive/1/17444
http://online.securityfocus.com/search?submit=yes&category=22&order=ASC&query=IGMP

Whether these packets are malicious or not is still open, but it is
looking fishy. If I am reading things right (and that is questionable
:), the snort rules are looking for the first two bytes of the IGMP
packet to be "00 00" or "02 00". The include file I checked,
/usr/include/netinet/igmp.h, implies a good packet would start with 0x11
- 0x1f. The current specs for IGMP also agree with all packets starting
with a hex "1":

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1112.html
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2236.html

From an incident response point of view I am curious what you found when
you researched the 6 hosts you mentioned. Are they routers (i.e. you
might expect some IGMP traffic), or are they @home DSL users? This
might be a strong hint into whether or not there is a real issue.

If this is ongoing, you should capture the full packet(s) for analysis.

Regards,
David

> -----Original Message-----
> From: D.Stout@EU.HNS.COM [mailto:D.Stout@EU.HNS.COM]
> Sent: Thursday, April 11, 2002 6:45 AM
> To: incidents@securityfocus.com
> Subject: IGMP DOS Attack
>
>
> After installing a Snort IDS system on a network link I am responsible
> for, I left it running overnight to see how many alerts would be
> generated.
> When I returned in the morning I found 450,000 alerts from snort
> detailing an IGMP DoS attack from 6 different source hosts. I cannot
> find any information about this DoS attack (DDoS if you consider 6
> hosts at the same time).
>
> Has anybody else had an IGMP DoS attack starting at 5:23 CET?
> Does anybody know what causes this?
> What are the implications of this (other than pure bandwidth
> consumption)?
>
> I will continue to search for info, but please help me if you know
> what this is.
>
> Dave Stout

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
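The triage David describes (look at the first bytes of the IGMP message, compare them with the type values RFC 1112 and RFC 2236 define, and check whether the datagram is fragmented) can be run over captured packets directly rather than trusting the alert name. The following is an added example written for this page, not code from either poster or from the Snort project. It parses raw IPv4 packets, flags fragments (the Windows crash pattern), flags the "00 00" / "02 00" leading bytes the post says the Snort rules match on, and verifies the IGMP checksum of otherwise well-formed messages. The IGMP type table is from RFC 1112 (0x11, 0x12) and RFC 2236 (0x16, 0x17); the sample packets, addresses and the `build_ipv4`/`build_igmp` helpers are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

IPPROTO_IGMP = 2

# Type byte values defined in RFC 1112 (0x11, 0x12) and RFC 2236 (0x16, 0x17),
# the two specifications referenced in the thread.
IGMP_TYPES = {
    0x11: "membership query",
    0x12: "v1 membership report",
    0x16: "v2 membership report",
    0x17: "leave group",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as used by the IGMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class Verdict:
    src: str
    dst: str
    fragmented: bool
    igmp_type: Optional[int]
    reason: str


def classify(pkt: bytes) -> Verdict:
    """Apply the checks discussed in the thread to one raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, _total, _ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    src_s, dst_s = ip_str(src), ip_str(dst)

    more_fragments = bool(flags_off & 0x2000)   # MF bit
    frag_offset = flags_off & 0x1FFF           # offset in 8-byte units
    fragmented = more_fragments or frag_offset != 0

    if proto != IPPROTO_IGMP:
        return Verdict(src_s, dst_s, fragmented, None, "not IGMP (protocol %d)" % proto)
    if frag_offset != 0:
        # A non-first fragment carries no IGMP header; only the reassembled
        # datagram could be inspected, so just record that it is a fragment.
        return Verdict(src_s, dst_s, True, None, "non-first IGMP fragment")

    payload = pkt[ihl:]
    if len(payload) < 8:
        return Verdict(src_s, dst_s, fragmented, None, "IGMP payload shorter than 8 bytes")
    igmp_type = payload[0]

    if fragmented:
        return Verdict(src_s, dst_s, True, igmp_type, "fragmented IGMP: matches the Windows DoS pattern")
    if payload[:2] in (b"\x00\x00", b"\x02\x00"):
        return Verdict(src_s, dst_s, False, igmp_type, "first two bytes 00 00 / 02 00: the pattern the Snort rule looks for")
    if igmp_type not in IGMP_TYPES:
        return Verdict(src_s, dst_s, False, igmp_type, "type 0x%02x not defined in RFC 1112/2236" % igmp_type)
    if inet_checksum(payload[:8]) != 0:   # a valid IGMP message sums to zero
        return Verdict(src_s, dst_s, False, igmp_type, "%s with bad checksum" % IGMP_TYPES[igmp_type])
    return Verdict(src_s, dst_s, False, igmp_type, "well-formed %s" % IGMP_TYPES[igmp_type])


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, flags_off: int = 0) -> bytes:
    """Constructed minimal IPv4 packet (header checksum left zero; we only parse it)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_igmp(igmp_type: int, max_resp: int, group: str) -> bytes:
    """Constructed 8-byte IGMPv1/v2 message with a correct checksum."""
    group_b = bytes(int(o) for o in group.split("."))
    body = struct.pack("!BBH4s", igmp_type, max_resp, 0, group_b)
    return struct.pack("!BBH4s", igmp_type, max_resp, inet_checksum(body), group_b)


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLES = [
    # Router general query to all-hosts: the legitimate IGMP one expects from a router.
    build_ipv4("192.0.2.1", "224.0.0.1", IPPROTO_IGMP, build_igmp(0x11, 100, "0.0.0.0")),
    # First fragment of an IGMP datagram (MF set): the crash pattern.
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_IGMP, build_igmp(0x11, 0, "0.0.0.0"), flags_off=0x2000),
    # Second fragment (offset 1 = 8 bytes): no IGMP header to inspect.
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_IGMP, b"\x00" * 8, flags_off=0x0001),
    # Unfragmented, but starting 00 00: the bytes the post says the rule matches.
    build_ipv4("198.51.100.8", "192.0.2.10", IPPROTO_IGMP, b"\x00" * 8),
    # Not IGMP at all (UDP), to show the protocol check.
    build_ipv4("192.0.2.5", "192.0.2.10", 17, b"\x00" * 8),
]


def summarize(packets: List[bytes]) -> Dict[str, Dict[str, int]]:
    """Count verdicts per source host, the first cut when facing 450,000 alerts."""
    out: Dict[str, Dict[str, int]] = {}
    for pkt in packets:
        v = classify(pkt)
        per_src = out.setdefault(v.src, {})
        per_src[v.reason] = per_src.get(v.reason, 0) + 1
    return out


if __name__ == "__main__":
    for src, reasons in summarize(SAMPLES).items():
        for reason, n in reasons.items():
            print("%-14s %3d  %s" % (src, n, reason))
```

Feeding the alerting sources' packets through `summarize` answers David's question about the six hosts in one pass: a router sending well-formed queries to 224.0.0.1 looks nothing like a host sending fragments or messages whose type byte is outside the defined range. The 8-byte checksum covers IGMPv1/v2 only; a later IGMPv3 report would need the full message length.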
