[Dshield] Multicasts from your ISP

Johannes B. Ullrich jullrich at sans.org
Tue Feb 24 20:52:33 GMT 2004


On Tue, 2004-02-24 at 11:52, Alan Frayer wrote:
> One of my clients has been steadily logging multicasts (dest. 224.0.0.9,
> port 520) from an IP belonging to their small ISP. The nature of the
> multicasts suggests a router that is trying to discover a new route
> through RIP, but the multicasts have been occurring for a week.

IMHO, these multicast packets are probably harmless.

RIP v2 uses multicast packets to 224.0.0.9. This IP is used to
send data to all RIP v2 capable routers within their network.
RIP v1 on the other hand would just use plain broadcast
(255.255.255.255).

The fact that your client sees this traffic is not that unusual/bad. The
ISP could filter it (well, that's why multicast is used vs. broadcast),
but doesn't have to.

RIP is usually used to allow routers within an enterprise-size network
to tell each other which router is closest to a given target address.
It allows for fail over to automatically reroute traffic if a particular
router fails and another router (which may be 'further away') can pick
up the traffic. (RIP is limited to 15 hops.)

While RIP-2 uses multicast, it does not use IGMP to negotiate any
groups. Instead, it just uses the fixed 224.0.0.9 address to reach
all other routers on a network.
 

-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
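
To check what logged packets to 224.0.0.9, port 520 actually carry, a captured UDP payload can be decoded as a RIP message. The following is an added example, not part of the original post; the function names and the sample payload are constructed for illustration, and the field layout assumed is the standard RIP-2 one (4-byte header, 20-byte route entries, metric 16 meaning unreachable).

```python
import ipaddress
import struct

RIP_PORT, MAX_ENTRIES, INFINITY = 520, 25, 16  # metric 16 = unreachable (15-hop limit)
COMMANDS = {1: "request", 2: "response"}
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric


def classify_destination(dst, dport):
    """Map a logged UDP destination to the RIP variant that would send to it."""
    if dport != RIP_PORT:
        return "not-rip"
    if dst == "224.0.0.9":
        return "ripv2-multicast"
    if dst == "255.255.255.255":
        return "ripv1-broadcast"
    return "rip-other-destination"


def parse_rip(payload):
    """Decode a RIP UDP payload into its header fields and route entries."""
    body = len(payload) - 4
    if body < 0 or body % ENTRY.size or body > MAX_ENTRIES * ENTRY.size:
        raise ValueError("not a well-formed RIP message")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    result = {"command": COMMANDS.get(command, "other"), "version": version,
              "auth_type": None, "routes": []}
    for off in range(4, len(payload), ENTRY.size):
        afi, tag, addr, mask, hop, metric = ENTRY.unpack_from(payload, off)
        if afi == 0xFFFF:  # authentication entry: the tag field carries the auth type
            result["auth_type"] = tag
            continue
        net = ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}", strict=False)
        result["routes"].append({"network": str(net), "next_hop": str(ipaddress.ip_address(hop)),
                                 "metric": metric, "reachable": metric < INFINITY})
    return result


# Constructed sample: a RIPv2 response advertising two routes, one of them unreachable.
SAMPLE = struct.pack("!BBH", 2, 2, 0) + b"".join(
    ENTRY.pack(2, 0, ipaddress.ip_address(n).packed, ipaddress.ip_address(m).packed, bytes(4), metric)
    for n, m, metric in [("10.1.0.0", "255.255.0.0", 3), ("192.168.50.0", "255.255.255.0", 16)])

if __name__ == "__main__":
    print(classify_destination("224.0.0.9", 520))
    print(parse_rip(SAMPLE))
```

A steady stream of "response" messages with no authentication entry is what a router's periodic RIP-2 advertisements look like when decoded this way.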