malformed packet alert

Tags:
Application security
configuration
Database
Encryption
Firewalls
Forensics
Incident response
Instant Messaging
Intrusion management
Microsoft Exchange
Network security
patching
PEN testing
Platform Security
Secure Coding
Security
VPN
vulnerability management
Wireless
I get this message from my router every 2 minutes or so. I tried blocking the ports that it attacks and the IP, but the major issue is that that IP is a broadcast IP, so I don't know where it is coming from. My question is: how do I stop these alerts (short of removing my e-mail from the router), and what do they mean?

Malformed or unhandled IP packet dropped - ***.***.176.198, 0, WAN - 224.0.0.1 - IP Protocol 2

Answer Wiki


Protocol 2 is IGMP (Internet Group Management Protocol)
It is defined by RFC 1112. This is usually used for multicasting (but not always).

I’d recommend that you look at http://www.iana.org/assignments/igmp-type-numbers
to further see what this is that you’re concerned about.

The destination address of 224.*-whatever should alert you to the fact that this is a multicast.

Although it could be an attack (wearing my paranoid hat here), it’s generally unlikely that it IS an attack.

Check the source address, (which you’ve obfuscated), and then go through your firewall logs and see if anyone is sending requests to anything even CLOSE to that address-wise.

Good luck, and good hunting,

Bob

Discuss This Question: 3  Replies

 
  • Carnage6669
    The IP that I have hidden is the IP to my router; it is always to router from the multicast IP.
  • SWeidner
    If you have Multicast enabled on your router, or IGMP enabled on switches on your network, you will see this type of traffic. To eliminate the alert, you will need to either disable multicast on the router or disable IGMP on your switch(es). In order to determine the source, you could capture one of the packets and examine the source MAC address. Regards, SLW
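
The capture-and-inspect step suggested in the last reply, combined with the IGMP type numbers from the answer, as an added example that is not part of the original thread. The sample frame, its addresses and the function names are constructed for illustration; the parser assumes an untagged Ethernet II frame.

```python
import socket
import struct

# IGMP message types from the IANA igmp-type-numbers registry
IGMP_TYPES = {0x11: "Membership Query", 0x12: "IGMPv1 Membership Report",
              0x16: "IGMPv2 Membership Report", 0x17: "IGMPv2 Leave Group",
              0x22: "IGMPv3 Membership Report"}

# Constructed sample frame (not from the thread): IGMPv2 general query to
# 224.0.0.1 from 192.0.2.1, source MAC 02:00:00:aa:bb:cc, padded to 60 bytes.
SAMPLE = bytes.fromhex(
    "01005e000001" "020000aabbcc" "0800"                 # Ethernet II
    "46c0002000004000" "01024215" "c0000201" "e0000001"  # IPv4, TTL 1, proto 2
    "94040000"                                           # Router Alert option
    "1164ee9b00000000" + "00" * 14)                      # IGMP + padding

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when data verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmp_frame(frame: bytes) -> dict:
    """Parse an untagged Ethernet II frame that carries IPv4/IGMP."""
    if len(frame) < 14 + 20:
        raise ValueError("too short for Ethernet + IPv4")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("EtherType is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]   # excludes Ethernet padding
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl + 8 <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header or truncated IGMP message")
    if ip[9] != 2:
        raise ValueError("IP protocol is not 2 (IGMP)")
    igmp = ip[ihl:total_len]
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8],
        "igmp_type": IGMP_TYPES.get(igmp[0], f"unknown 0x{igmp[0]:02x}"),
        "group": socket.inet_ntoa(igmp[4:8]),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "igmp_checksum_ok": inet_checksum(igmp) == 0,
    }
```

An IGMP type missing from the table, a failed checksum flag, or a `ValueError` marks a packet that deserves a closer look; `src_mac` identifies the device on the local segment that sent it.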
