Re: IGMP DOS Attack

From: John Kristoff (
Date: 04/11/02

Date: Thu, 11 Apr 2002 15:45:08 -0500
From: John Kristoff <>

On Thu, 11 Apr 2002 15:53:03 -0400 wrote:

> Anybody *else* remember a certain worm randomly picking IP addresses
> to attack, and causing IGMP meltdowns when it happened to pick a
> 224.x.x.x address, as all the multicast-aware hosts would start asking
> about the group? I remember a 2AM firestorm that took several of our
> routers and part of Abeliene with it...

It was the Ramen worm and it scanned random address space, including
that within It wasn't IGMP, but rather problems with
excessive session announcement state between MSDP peers. Marshall
Eubanks gave a good presentation at a recent NANOG about IP multicast
issues including the impact of Ramen on the IP multicast enabled


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: