[AG-TECH] DDOS attacks

Bill Nickless nickless at mcs.anl.gov
Thu Oct 24 10:27:44 CDT 2002


At 10:13 AM 10/24/2002 -0500, Robert Olson wrote:
>If someone wanted to send 200 Mbps of multicast into a group, the network 
>would do its best to deliver it to all listeners, likely causing disruption.

Yes.  And the network should be robust enough to do so without falling 
over, since 200 Mbps of multicast traffic may be completely legitimate for 
lots of good reasons.  (This is one of the arguments against the current 
data-driven multicast forwarding routing model.)

Unlike the current unicast routing model, it's much harder to successfully 
inject spoofed source-address packets into a group.  This pretty much has 
to be done on the same subnet as the spoofed legitimate host address, 
because sparse-mode source-rooted forwarding trees will try to form towards 
the legitimate subnet of the source address.  In other words, multicast RPF 
isn't just a good idea -- it's the law!  :-)

>I suspect that one could forge sender information, perhaps by spoofing PIM 
>- any insights on this Bill?

Yes, we've experienced this.  Remember about 18 months ago, there was a 
badly written worm that would try to make TCP connections to thousands of 
destinations (that often happened to be multicast group addresses)?  The 
result was an explosion in the size of MSDP caches around the 'Net.  Cisco 
quickly came out with a fix that let operators restrict the number of MSDP 
SAs accepted from a given peer, and Juniper people solved the problem by 
rate-limiting the MSDP TCP sessions.

>--bob
>
>At 04:11 PM 10/24/2002 +0100, Michael Daw wrote:
>>I'm being asked a theoretical question about the potential for DDOS attacks
>>over multicast. Could a malicious person bring down an AG session in this
>>way, should they so wish? Or is it not really possible without revealing who
>>you are?
>>
>>-----------------------oOo-----------------------
>>Michael Daw
>>Computer Services for Academic Research (CSAR)
>>
>>Manchester Computing, Kilburn Building,
>>University of Manchester, Manchester M13 9PL, UK
>>
>>Tel: +44 (0)161 275 7026
>>Fax: +44 (0)161 275 6800
>>Email: michael.daw at man.ac.uk
>>
>>http://www.csar.cfs.ac.uk/staff/daw/
>>-----------------------OoO-----------------------

===
Bill Nickless    http://www.mcs.anl.gov/people/nickless      +1 630 252 7390
PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7     nickless at mcs.anl.gov
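Two of the mechanisms Bill describes above, the multicast RPF check that rejects source-spoofed traffic arriving on the wrong interface, and the per-peer cap on MSDP Source-Active entries that Cisco shipped after the worm incident, can be illustrated with a small simulation. The following is an added example written for this archive page, not code from the list authors or from any router vendor; the routing table, interface names, the per-peer limit of 100 and the "worm" traffic pattern are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed unicast routing table: prefix -> interface the router would
# use to reach that prefix. For multicast RPF, this is the only interface on
# which traffic claiming a source in that prefix is accepted.
UNICAST_ROUTES = {
    "10.1.0.0/16": "eth0",
    "10.2.0.0/16": "eth1",
    "0.0.0.0/0": "eth2",   # default route
}


def rpf_interface(source_ip, routes=UNICAST_ROUTES):
    """Longest-prefix match on the unicast table: the RPF interface toward source_ip."""
    src = ipaddress.ip_address(source_ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(source_ip, arrival_iface, routes=UNICAST_ROUTES):
    """True if the packet came in on the interface the router uses to reach its claimed source.

    A packet with a spoofed 10.1.x.x source injected from the eth1 side fails
    this check, which is why source spoofing into a sparse-mode group only
    works from the legitimate source's own subnet.
    """
    return rpf_interface(source_ip, routes) == arrival_iface


class MsdpSaCache:
    """MSDP SA cache with a per-peer entry limit (the mitigation the mail mentions)."""

    def __init__(self, per_peer_limit):
        self.limit = per_peer_limit
        self.by_peer = defaultdict(set)    # peer -> {(source, group), ...}
        self.dropped = defaultdict(int)    # peer -> SAs refused because of the cap

    def accept_sa(self, peer, source, group):
        """Return True if the SA is cached (or already present), False if refused."""
        key = (source, group)
        if key in self.by_peer[peer]:
            return True                    # refresh of an existing entry
        if len(self.by_peer[peer]) >= self.limit:
            self.dropped[peer] += 1        # cap reached: refuse rather than grow the cache
            return False
        self.by_peer[peer].add(key)
        return True

    def cache_size(self):
        return sum(len(entries) for entries in self.by_peer.values())


def simulate_worm_flood(per_peer_limit=100, announcements=5000):
    """Constructed scenario: one infected host 'connects' to thousands of group
    addresses, so the peer announces one SA per group. Returns (cached, dropped)."""
    cache = MsdpSaCache(per_peer_limit)
    infected_host = "10.1.5.5"
    for i in range(announcements):
        group = f"239.1.{i // 256}.{i % 256}"   # constructed group addresses
        cache.accept_sa("peer-A", infected_host, group)
    return cache.cache_size(), cache.dropped["peer-A"]


if __name__ == "__main__":
    print("legit 10.1.5.5 on eth0:", rpf_check("10.1.5.5", "eth0"))
    print("spoofed 10.1.5.5 on eth1:", rpf_check("10.1.5.5", "eth1"))
    print("worm flood (cached, dropped):", simulate_worm_flood())
```

Without the cap, the simulated flood would leave 5000 entries in the cache; with a limit of 100 per peer the cache stays bounded and the excess announcements are counted as dropped, which is also a useful signal to alert on.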