<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">Right, but why would Shaw put out IGMP onto a wire consisting of<br>
</span><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">nothing but "clients" -- home users? I can see them running IGMP on<br></span><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">the other (upstream) side of their router, but why talk IGMP to clients<br>
</span><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">when none should be talking IGMP?</span></blockquote><div><br></div><div>Hosts speak IGMP, too. It's used to indicate interest in a multicast group. Normally the host would send something saying "hey, sign me up for the stream at 229.1.1.1" and they'd start getting the stream. Every minute you'd then see a query to 229.1.1.1 from the router saying "hey, local segment, is there anyone here that still wants this?" and it's the host's job to say "I do!". 224.0.0.1 is a special case, basically a "hey, are there any multicast listeners out here?" kind of thing.</div>
<div><br></div><div>Back to Occam's razor... It's probably a misconfiguration (if memory serves, it's just one command like "ip pim enable") or a field trial (IP TV?) and the address is again a misconfiguration or them using the address space for management.</div>
<div><br></div><div>Sean </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 10:36 PM, Trevor Cordes <span dir="ltr"><<a href="mailto:trevor@tecnopolis.ca" target="_blank">trevor@tecnopolis.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 2014-02-13 Adam Thompson wrote:<br>
> By definition, all IGMP packets will have a TTL of 1 - they're only<br>
> supposed to discover directly-connected hosts that also run IGMP.<br>
<br>
</div>Right, but why would Shaw put out IGMP onto a wire consisting of<br>
nothing but "clients" -- home users? I can see them running IGMP on<br>
the other (upstream) side of their router, but why talk IGMP to clients<br>
when none should be talking IGMP?<br>
<div class=""><br>
> No. IGMP is a completely normal thing, and is not indicative of a<br>
> "hacker".<br>
<br>
</div>Except the bogus DoD source IP.<br>
<br>
Also, doesn't explain why these packets just started the other day,<br>
with nary a one seen before that. Also weird that no one else is<br>
seeing these, it's just my Shaw segment?<br>
<div class=""><br>
> A perfect example of why I've never found it worthwhile to log<br>
> incoming traffic that got dropped.<br>
<br>
</div>I log drops with a severe rate limit, so I can get a glimpse of what<br>
garbage comes my way, without filling the disk or getting DDoS'd. It's<br>
interesting!<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a>
</div>
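<div>The host/router membership dialogue described in the reply above (join report, periodic query, host answering "I do!", the 224.0.0.1 all-hosts case), worked through as an added example that is not part of the original thread. It encodes and decodes IGMPv2 messages per RFC 2236 (8-byte header, RFC 1071 checksum), derives the destination address each message type is supposed to carry, computes what a joined host must answer to a general versus group-specific query, and checks the IPv4-layer rule that IGMP (protocol 2) travels with TTL 1. The exchange in <code>demo()</code>, the group 229.1.1.1 and the IPv4 header in the test are constructed sample data; nothing here is a capture from the Shaw segment being discussed.</div>

```python
"""IGMPv2 (RFC 2236) encode/decode plus the host/router membership exchange.
Added example; constructed data only."""
import socket
import struct

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
ALL_HOSTS, ALL_ROUTERS, UNSPEC = "224.0.0.1", "224.0.0.2", "0.0.0.0"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a message whose checksum
    field is already correct this returns 0, which is how we validate."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Encode an 8-byte IGMPv2 message: type, max resp time (1/10 s), checksum, group."""
    hdr = struct.pack("!BBH4s", msg_type, max_resp_time, 0, socket.inet_aton(group))
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def parse_igmpv2(data: bytes) -> dict:
    """Decode and classify a message; raise ValueError on a short or corrupt one.
    expected_dst is where RFC 2236 says this message type is sent."""
    if len(data) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(data[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, mrt, _, group = struct.unpack("!BBH4s", data[:8])
    group = socket.inet_ntoa(group)
    if msg_type == IGMP_QUERY:
        # General query (group 0.0.0.0) goes to all-hosts; group-specific goes to the group.
        kind = "general query" if group == UNSPEC else "group-specific query"
        dest = ALL_HOSTS if group == UNSPEC else group
    elif msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
        kind, dest = "membership report", group       # the "sign me up" / "I do!" message
    elif msg_type == IGMP_LEAVE:
        kind, dest = "leave group", ALL_ROUTERS
    else:
        kind, dest = "unknown type 0x%02x" % msg_type, None
    return {"type": msg_type, "kind": kind, "group": group,
            "max_resp_time": mrt, "expected_dst": dest}


def host_reports_for(query: bytes, joined: set) -> list:
    """Reports a host owes in answer to a query: one per joined group for a general
    query (224.0.0.1 itself is never reported), or a single report for a
    group-specific query if, and only if, the host is a member of that group."""
    q = parse_igmpv2(query)
    if q["type"] != IGMP_QUERY:
        return []
    if q["group"] == UNSPEC:
        groups = sorted(g for g in joined if g != ALL_HOSTS)
    else:
        groups = [q["group"]] if q["group"] in joined else []
    return [build_igmpv2(IGMP_V2_REPORT, g) for g in groups]


def igmp_ttl_ok(ipv4_packet: bytes) -> bool:
    """IGMP is link-local: IPv4 protocol 2 with TTL 1. Anything else is suspect."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return False
    ttl, proto = ipv4_packet[8], ipv4_packet[9]
    return proto == 2 and ttl == 1


def demo() -> dict:
    """Constructed exchange: a host joins 229.1.1.1, the router then queries."""
    joined = {ALL_HOSTS, "229.1.1.1"}
    join = build_igmpv2(IGMP_V2_REPORT, "229.1.1.1")
    general_q = build_igmpv2(IGMP_QUERY, UNSPEC, max_resp_time=100)     # to 224.0.0.1
    specific_q = build_igmpv2(IGMP_QUERY, "229.1.1.1", max_resp_time=10)
    other_q = build_igmpv2(IGMP_QUERY, "239.9.9.9", max_resp_time=10)   # group not joined
    return {
        "join": parse_igmpv2(join),
        "general_query": parse_igmpv2(general_q),
        "answers_to_general": [parse_igmpv2(r)["group"] for r in host_reports_for(general_q, joined)],
        "answers_to_specific": [parse_igmpv2(r)["group"] for r in host_reports_for(specific_q, joined)],
        "answers_to_other": host_reports_for(other_q, joined),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

<div>The <code>expected_dst</code> field is the check a practitioner wants when triaging logged drops like the ones in this thread: a query whose group field is 0.0.0.0 is normal on 224.0.0.1, but a report or group-specific query arriving on 224.0.0.1, or any IGMP with a TTL other than 1 or a source address off the local segment, does not fit the protocol and deserves a closer look. Leave-group messages (type 0x17) go to 224.0.0.2, not to the group.</div>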