<div dir="ltr"><div>Just clued in here... IGMP... Every minute... </div><div><br></div><div>IGMP is normal traffic. Your kernel listens to IGMP. It's used to figure out if there are any nodes listening on multicast groups so that all the routers can build their multicast tree. Every minute makes sense because that's the normal interval for a multicast enabled router. If you pull the packets into WireShark you might get a sense of which groups it's querying for.</div>
<div><br></div><div>The DoD source is a puzzling one. My most-reasonable-non-tinfoil-hat-guess is that Shaw is using addresses from that space for internal management or some loopbacks and that was the interface picked for the source address (most IGMP queries and responses are sent to a mcast address so the source address is irrelevant). If you think "boy Sean, who would be that stupid?" then consider that APNIC had to reserve <a href="http://1.1.1.0/24">1.1.1.0/24</a> because so many people use 1.1.1.1 and so forth on their networks (guilty!).</div>
<div><br></div><div>I don't see any multicast traffic on my host, so maybe your router having it enabled is a test or a mistake. Shaw has lots of crap on their network... Look at your ARP traffic for example, you're probably getting many pps of ARP for stuff not even on your local subnet. It's been that way for at least 8 years.</div>
<div><br></div><div>Sean</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 2:52 AM, Trevor Cordes <span dir="ltr"><<a href="mailto:trevor@tecnopolis.ca" target="_blank">trevor@tecnopolis.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 2014-02-11 Sean Walberg wrote:<br>
> Packets to 224.0.0.1 are only for the local subnet and should not be<br>
<br>
</div>Hmm, I didn't see that in my (brief) multicast research, but I'll take<br>
your word for it. I did find that TTL=1 means local-subnet-only and<br>
these packets are indeed showing a TTL of 1.<br>
<div class=""><br>
> Occam's razor would suggest that it's a misconfiguration or some<br>
> other crap on the network.<br>
<br>
</div>Or I guess someone sending out spoof packets hoping to find someone<br>
running IGMP to mess with?<br>
<div class=""><br>
> DOS went away. Wondering if there's some pattern in the numbers.<br>
<br>
</div>Well, it's still going on, every minute on the button.<br>
<br>
I just did some more checks and see that I have the MAC for the source<br>
of the packets, and looking in arp I see the MAC belongs to my<br>
next-hop, a Shaw router. So either it is generating these, or this<br>
packet is indeed crossing a subnet boundary. No?<br>
<br>
Can anyone else on Shaw (obviously without a non-linux router in the<br>
way) do a quick check to see they get these packets also?<br>
<br>
Hey, what if it's some attempt by Shaw to detect and shutdown hackers<br>
trying to run IGMP?<br>
<br>
As long as the black helicopters aren't outside my house, this is more<br>
of a curiosity than a big concern. Well, except it is putting 208<br>
bytes into my /v/l/messages every minute. ;-)<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a>
</div>