Internet Group Management Protocol - it is primarily used in multicasting -
here is an excerpt from the Internet Encyclopedia
Internet Group Management Protocol (IGMP), documented in Appendix I of RFC
1112, allows Internet hosts to
participate in multicasting. RFC 1112 describes the basics of multicasting
IP traffic, including the format of
multicast IP addresses, multicast Ethernet encapsulation, and the concept
of a host group.
A host group is the set of hosts interested in traffic for a particular
multicast address. Important multicast addresses
are documented in the most recent Assigned Numbers RFC, currently RFC
1700. IGMP allows a router to
determine which host groups have members on a given network segment.
The exchange of multicast packets between routers is not addressed by
IGMP.
>
> 2. Both packets contain Option Type: 0x9404 Router Alert. What is a
> router alert? I've never heard of this.
Mumbo Jumbo.
>
> 3. What is the association between IGMP and router alert?
All part of the same big picture.
>
> 4. Why are these packets, which are coming from my gateway supposedly
> going to USC in Marina Del Rey, ending up in my pc?
> 5. What does my ISP, or my pc, have to do with USC? My pc is free of
> trojans, viruses, and spyware. Remember, these are incoming packets
> from the web to my pc. My pc does not send out any packets in
> response. These packets keep coming when my pc is turned off.
> 6. I've had two phone conversations with my ISP about these packets,
> The result is, since they do no harm to my pc, don't worry about it.
> I don't like this up yours attitude. Each conversation, the tech said
> the routers and all other ISP equipment were functioning normally.
> They could see no problems on their end. I've concluded that my ISP
> knows what these packets are. and it appears they are doing absolutely
> nothing to rid the network of this junk.
> 7. Can these packets be targeted? Or, are these a broadcast, where
> everybody on the subnet gets blasted with this darn junk?
> 8. The packet sniffer shows no source or destination ports for these
> packets. How can packets travel without port information? Really
> weird.
> 9. Is the packet source spoofed? I don't want to raise holy hell
> if someone other than my ISP is responsible.
> 10. Who can I complain to? I want to stop the emission of this
> junk?
> .
Well, basically, it is kind of hard to answer your questions for the most
part. From what I can read (and anyone reading this, please correct me if I
am wrong) it looks as if your cable modem is wide open on the network.
Bottom line, it is either a broadcast storm, and for some odd reason it is
ending up on your segment (if I were you, I would find someone in your area
to see if they are getting the same thing) or there is a multicast that
continues to bombard your modem.
At any rate, I don't know that much about networks to answer this one
fully, but I can tell you this, get some personal firewall software (Black
ICE, Zone Alarm for NT, and a slew of others for Linux). Black ICE is the
easiest. Block the address and I guarantee that you won't get garbage from
them anymore.
Internet Group Management Protocol. According to Norton's Internet
Security it's a protocol sometimes exploited by hackers to hang a
victim's system. IIRC NIS blocks it by default (or else I checked it as
soon as I read their description). If you have a cable modem you MUST
have a firewall. Zonealarm is good & free for personal use. Norton is
also good, but isn't free. It does include their Anti-Virus software, so
it's not a bad deal, IMHO.
Have you tried any of the firewall sites? Thinking they may have info
the way the anti-virus people do. You might try Steve Gibson's Shields
Up site & email him with the details of these packets. He might have
some info about them.
LiamD
What you're seeing is normal, expected multicast advertisement traffic.
If your ISP was to block this, you couldn't use multicast tools such as
MBONE. It's entirely harmless.
>
> Here is my questions:
> 1. The packet protocol is IP IGMP. What the heck is IGMP?
This has been answered - IGMP is the group management protocol that
multicast nodes use to join a multicast group; once you join, all
traffic sent to that group gets sent to you.
> 2. Both packets contain Option Type: 0x9404 Router Alert. What is a
> router alert? I've never heard of this.
The IGMP message is telling you the address of your local multicast
router.
> 3. What is the association between IGMP and router alert?
See above.
> 4. Why are these packets, which are coming from my gateway supposedly
> going to USC in Marina Del Rey, ending up in my pc?
The ALL-ROUTERS.mcast.net is a common address used for all alerts of
this type. 224.0.0.1 is globally registered by the Internet Software
Consortium, which used to be hosted by the University of Southern
California. If you do a lookup for 192.168.1.0, you'll find that USC
owns that net too (that's one of the private address spaces listed in
RFC 1918); USC didn't send this traffic, they just own the network
address. Think of it like '911' - almost all police systems in the US
use 911 for emergency calls; all multicast systems use 224.0.0.1 and the
routers take care of delivering the traffic to their local hosts. It's a
shared address.
> 5. What does my ISP, or my pc, have to do with USC? My pc is free of
> trojans, viruses, and spyware. Remember, these are incoming packets
> from the web to my pc. My pc does not send out any packets in
> response. These packets keep coming when my pc is turned off.
Nothing. Whatever is detecting these is alarming you unnecessarily.
> 6. I've had two phone conversations with my ISP about these packets,
> The result is, since they do no harm to my pc, don't worry about it.
> I don't like this up yours attitude. Each conversation, the tech said
> the routers and all other ISP equipment were functioning normally.
> They could see no problems on their end. I've concluded that my ISP
> knows what these packets are. and it appears they are doing absolutely
> nothing to rid the network of this junk.
It's not junk, and they shouldn't be getting rid of it. I'd dump an ISP
in a heartbeat if they started blocking traffic.
> 7. Can these packets be targeted? Or, are these a broadcast, where
> everybody on the subnet gets blasted with this darn junk?
No, they can't be targeted - they're a broadcast. "Blasted" is a bit
strong, wouldn't you say?
> 8. The packet sniffer shows no source or destination ports for these
> packets. How can packets travel without port information? Really
> weird.
IP protocols don't all have port numbers. TCP and UDP have them, ICMP
doesn't, for example.
> 9. Is the packet source spoofed? I don't want to raise holy hell
> if someone other than my ISP is responsible.
Not spoofed.
> 10. Who can I complain to? I want to stop the emission of this
> junk?
Stopping the "junk" may remove a service one of your neighbors on the
cable considers important. I'd suggest configuring your firewall or
whatever is detecting these to ignore it and move on.
-Rick
>pau...@orty.org wrote:
>>
>> I have been seeing a lot of incoming traffic on my cable modem. The
>> receive light is activated. The send light is not activated at all.
>> The incoming does not affect the firewall (ZL BID, or CPF). A
>> firewall looks at the packets as normal traffic. Weird. The packets
>> do not appear to be causing any problems, other than driving me nuts.
>>
<snip>
If you have a cable modem you MUST have a firewall. Zonealarm is good &
free for personal use. Norton is also good, but isn't free. It does
include their Anti-Virus software, so it's not a bad deal, IMHO.
Why is this any more true with cable than with PPP? DSL? If nothing is
'listening' then why does it make any difference?
Does cable do something dial-up does not?
Thanx...
mls
>If you have a cable modem you MUST have a firewall. Zonealarm is good &
>free for personal use. Norton is also good, but isn't free. It does
>include their Anti-Virus software, so it's not a bad deal, IMHO.
>
>Why is this any more true with cable than with PPP?
Since it's always on, the exposure is greater. The risk is the same.
>DSL?
Ditto.
>If nothing is
>'listening' then why does it make any difference?
It doesn't for inbound exploits, but you are still vulnerable to
outbound exploits (trojans, spyware).
>Does cable do something dial-up does not?
No.
--
Best regards,
John Navas <http://navasgrp.home.att.net/>
CABLE MODEM/DSL GUIDE: <http://Cable-DSL.home.att.net/>
If there are no ports, then any decent NAT/PAT should block them.
FWIW, I've never seen anything get in past my SonicWALL that I didn't
specifically allow.
In <7nrfssstfpc75n2rk...@4ax.com>, pau...@orty.org wrote:
>On Tue, 19 Sep 2000 00:50:06 GMT, Steve B <ntha...@intrex.net> wrote:
>>
>>Well, basically, it is kind of hard to answer your questions for the most
>>part. From what I can read (and anyone reading this, please correct me if I
>>am wrong) it looks as if your cable modem is wide open on the network.
>Not wide open in the sense you are thinking. But the end result is
>the same. Put up any firewall you want, the darn packets are not
>stopped. I've put up ZL, AtGuard, CPF, and BID, one at a time of
>course. The packets are not stopped, I suppose they go through, as
>though the firewall didn't exist.
>>Bottom line, it is either a broadcast storm, and for some odd reason it is
>>ending up on your segment (if I were you, I would find someone in your area
>>to see if they are getting the same thing) or there is a multicast that
>>continues to bombard your modem.
>>
>>At any rate, I don't know that much about networks to answer this one
>>fully, but I can tell you this, get some personal firewall software (Black
>>ICE, Zone Alarm for NT, and a slew of others for Linux). Black ICE is the
>Yesterday, I had BID up and running. Even on Paranoid, the packets go
>right through it. Presently I have CPF 2.06 up and running, the
>packets go right through it. I've got CPF set to log all I/O traffic.
>The packets do not get blocked, nor do they get logged as traffic. I
>tried making a Rule for CPF to block the packets, but IGMP is not part
>of CPF's vocabulary. Zone Alarm2.1.25 is no better.
>
>Am I correct in saying that software firewalls need a port in order to
>block incoming packets. These IGMP packets have no source or
>destination ports. They just exist.
>>easiest. Block the address and I guarantee that you won't get garbage from
>>them anymore.
>>
>I've thought about putting up a cheap $75 Linksys router. The modem
>would reside between the router and pc. Let the router take the hits.
>Does a router have the ability to stop these pesky IGMP packets?
I am not sure about the linksys, but on the Zyxel P31x series you can just
specify protocol 2 (=IGMP) in the protocol filter rules and drop these.
Works like a charm.
As others said before, destination IPs in the range
224.0.0.0-239.255.255.255 are multicast addresses. They are NOT targeted at
your box (or USC, or anyone else directly). Similar to broadcasts, these are
put on the wire for anyone who cares to listen.
There is a lot of administrative traffic on your local loop, e.g. ARP
requests, DHCP requests, etc. The newer DOCSIS modems tend to filter those
because the enduser has no need and use for them (OTOH, old Lancity cable
modems passed them right through). Multicasts need to be passed, because
the cable modem has no way of telling if they could be important to you.
This administrative traffic is mostly invisible. I am always amazed how
quiet the line is behind the cable modem. I have seen other networks full of
SAP broadcasts, protocol 89 (=OSPF) packets, NetBIOS broadcasts, etc. yet
the speed is great.
Don't get too worked up about these packets, they are tiny and harmless. You
sound like a guy who goes to a rock concert and then complains that somebody
in the back row makes too much noise chewing his popcorn.
All this said, the presence of IGMP on your loop is probably due to some
misconfiguration. Maybe a user hooked up a router, the router is lonely and
is trying to chat with others: "Anyone in here speak IGMP"?! ... poor guy,
nobody answers ...
Cheers
Christian
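As an added example that is not from anyone in this thread: a small Python parser that pulls out of a packet the fields the replies above argue about (the Router Alert option a sniffer shows as 0x9404, IP protocol number 2, a destination in the 224.0.0.0-239.255.255.255 range, and the absence of port numbers), together with the protocol-number filter decision Christian describes for the Zyxel. The IGMP query, its 192.168.1.1 source and all function names are constructed for this example.

```python
import struct
import ipaddress

IPPROTO_IGMP = 2
OPT_ROUTER_ALERT = 0x94   # RFC 2113 option number 20 with the "copied" flag bit set

def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by both IP and IGMP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields the thread argues about: protocol, destination, options, ports."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    dst = ipaddress.IPv4Address(pkt[16:20])
    opts, i, router_alert = pkt[20:ihl], 0, None
    while i < len(opts) and opts[i] != 0:      # option 0 = End of Options List
        if opts[i] == 1:                        # option 1 = No-Operation, a single byte
            i += 1
            continue
        if opts[i] == OPT_ROUTER_ALERT:         # shown as "0x9404": type 0x94, length 0x04
            router_alert = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]                        # every other option carries its length
    return {
        "header_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(dst),
        "dst_is_multicast": dst.is_multicast,   # 224.0.0.0 - 239.255.255.255
        "router_alert": router_alert,           # value 0: "every router shall examine packet"
        "has_ports": proto in (6, 17),          # only TCP (6) and UDP (17) carry port numbers
    }

def drop_by_protocol(info: dict, blocked=frozenset({IPPROTO_IGMP})) -> bool:
    """Filter decision of a router that matches on IP protocol number rather than on ports."""
    return info["protocol"] in blocked

def build_igmp_query(src="192.168.1.1", dst="224.0.0.1") -> bytes:
    """Constructed sample (not a capture): an IGMPv2 General Query carrying a Router Alert option."""
    igmp = bytearray(struct.pack("!BBH4s", 0x11, 100, 0, bytes(4)))  # type, max resp, csum, group
    igmp[2:4] = struct.pack("!H", ipv4_checksum(bytes(igmp)))
    opts = bytes([OPT_ROUTER_ALERT, 4, 0, 0])
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opts) // 4), 0xC0,
                                20 + len(opts) + len(igmp), 0, 0, 1, IPPROTO_IGMP, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)) + opts
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))  # fill in the IP header checksum
    return bytes(hdr + igmp)
```

A host firewall that only understands TCP/UDP port rules has nothing to match on here, which is why the protocol-number rule is the one that works.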
>All this said, the presence of IGMP on your loop is probably due to some
>misconfiguration. Maybe a user hooked up a router, the router is lonely and
>is trying to chat with others: "Anyone in here speak IGMP"?! ... poor guy,
>nobody answers ...
Then on the other hand it may be due to some new exploit. Complacency
is the enemy of security.
There is an IGMP based vulnerability in Windows 95, NT4, see e.g.
http://www.microsoft.com/technet/win95/tools/igmpw95.asp
I assume that could be exploited. A multicast destination is probably not
specific enough for a targeted attack to a far host.
Pauncho, here is some easy reading on the mechanism of multicasting. IGMP is
an essential ingredient for managing multicasts, and is thus most likely
benign.
ftp://ftp.netlab.ohio-state.edu/pub/jain/courses/cis788-97/ip_multicast/index.htm
enjoy
C.