[Dshield] Multicasts from your ISP
Johannes B. Ullrich
jullrich at sans.org
Tue Feb 24 20:52:33 GMT 2004
On Tue, 2004-02-24 at 11:52, Alan Frayer wrote:
> One of my clients has been steadily logging multicasts (dest. 220.127.116.11,
> port 520) from an IP belonging to their small ISP. The nature of the
> multicasts suggests a router that is trying to discover a new route
> through RIP, but the multicasts have been occurring for a week.

IMHO, these multicast packets are probably harmless.

RIP v2 uses multicast packets to 18.104.22.168. This IP is used to
send data to all RIP v2 capable routers within their network.
RIP v1 on the other hand would just use plain broadcast.

The fact that your client sees this traffic is not that unusual/bad. The
ISP could filter it (well, that's why multicast is used vs. broadcast),
but doesn't have to.

RIP is usually used to allow routers within an enterprise size network
to tell each other which router is closest to a given target address.
It allows for fail over to automatically reroute traffic if a particular
router fails and another router (which may be 'further away') can pick
up the traffic. (RIP is limited to 15 hops)

While RIP-2 uses multicast, it does not use IGMP to negotiate any
groups. Instead, it just uses the fixed 22.214.171.124 address to reach
all other routers on a network.

CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
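
Added example, not part of the original message: a small decoder for triaging a logged UDP port 520 payload, showing whether it is RIP v1 or v2, a request or a response, and which advertised routes hit the metric of 16 that enforces the 15-hop limit mentioned above. The field layout follows RFC 1058 / RFC 2453; the function name `parse_rip` and the `SAMPLE` packet are constructed for illustration.

```python
import ipaddress
import struct

INFINITY = 16                      # metric 16 = unreachable, hence the 15-hop limit
COMMANDS = {1: "request", 2: "response"}

def parse_rip(payload: bytes) -> dict:
    """Decode the UDP payload of a packet logged on port 520."""
    if len(payload) < 4:
        raise ValueError("too short for a RIP header")
    command, version, _unused = struct.unpack("!BBH", payload[:4])
    body = payload[4:]
    # A RIP message carries at most 25 entries of 20 bytes each.
    if len(body) % 20 or len(body) > 25 * 20:
        raise ValueError("body is not 0..25 twenty-byte entries")
    routes = []
    for off in range(0, len(body), 20):
        afi, tag, addr, mask, nhop, metric = struct.unpack(
            "!HH4s4s4sI", body[off:off + 20])
        if afi == 0xFFFF:          # RIP v2 authentication entry, not a route
            routes.append({"auth_type": tag})
            continue
        route = {
            "address": str(ipaddress.IPv4Address(addr)),
            "metric": metric,
            "reachable": 1 <= metric < INFINITY,
        }
        if version == 2:           # v1 leaves these fields zero
            route["mask"] = str(ipaddress.IPv4Address(mask))
            route["next_hop"] = str(ipaddress.IPv4Address(nhop))
        routes.append(route)
    return {"command": COMMANDS.get(command, f"unknown({command})"),
            "version": version, "routes": routes}

# Constructed sample: RIP v2 response advertising two documentation prefixes,
# the second one withdrawn (metric 16).
SAMPLE = bytes.fromhex(
    "02020000"
    "00020000" "c0000200" "ffffff00" "00000000" "00000001"
    "00020000" "c6336400" "ffffff00" "00000000" "00000010")

if __name__ == "__main__":
    msg = parse_rip(SAMPLE)
    print(msg["command"], "v%d" % msg["version"])
    for r in msg["routes"]:
        print(r)
```
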