[AG-TECH] DDOS attacks
Bill Nickless
nickless at mcs.anl.gov
Thu Oct 24 10:27:44 CDT 2002
At 10:13 AM 10/24/2002 -0500, Robert Olson wrote:
>If someone wanted to send 200 Mbps of multicast into a group, the network
>would do its best to deliver it to all listeners, likely causing disruption.
Yes. And the network should be robust enough to do so without falling
over, since 200 Mbps of multicast traffic may be completely legitimate for
lots of good reasons. (This is one of the arguments against the current
data-driven multicast forwarding routing model.)
Unlike the current unicast routing model, it's much harder to successfully
inject spoofed source-address packets into a group. This pretty much has
to be done on the same subnet as the spoofed legitimate host address,
because sparse-mode source-rooted forwarding trees will try to form towards
the legitimate subnet of the source address. In other words, multicast RPF
isn't just a good idea -- it's the law! :-)
>I suspect that one could forge sender information, perhaps by spoofing PIM
>- any insights on this Bill?
Yes, we've experienced this. Remember about 18 months ago, there was a
badly written worm that would try to make TCP connections to thousands of
destinations (that often happened to be multicast group addresses)? The
result was an explosion in the size of MSDP caches around the 'Net. Cisco
quickly came out with a fix that let operators restrict the number of MSDP
SAs accepted from a given peer, and Juniper people solved the problem by
rate-limiting the MSDP TCP sessions.
>--bob
>
>At 04:11 PM 10/24/2002 +0100, Michael Daw wrote:
>>I'm being asked a theoretical question about the potential for DDOS attacks
>>over multicast. Could a malicious person bring down an AG session in this
>>way, should they so wish? Or is it not really possible without revealing who
>>you are?
>>
>>-----------------------oOo-----------------------
>>Michael Daw
>>Computer Services for Academic Research (CSAR)
>>
>>Manchester Computing, Kilburn Building,
>>University of Manchester, Manchester M13 9PL, UK
>>
>>Tel: +44 (0)161 275 7026
>>Fax: +44 (0)161 275 6800
>>Email: michael.daw at man.ac.uk
>>
>>http://www.csar.cfs.ac.uk/staff/daw/
>>-----------------------OoO-----------------------
===
Bill Nickless http://www.mcs.anl.gov/people/nickless +1 630 252 7390
PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7 nickless at mcs.anl.gov
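The RPF behaviour Bill describes above (a sparse-mode source tree forms towards the unicast route for the source, so a spoofed-source multicast packet must enter on the interface that route points at or it is discarded), as an added example that is not from the original thread: a small Python model of a unicast table with longest-prefix match and the per-packet RPF check. The prefixes, interface names and packets are constructed sample values.

```python
import ipaddress

# Constructed unicast routing table: prefix -> interface the router would
# use to reach that prefix. Sample values only.
UNICAST_ROUTES = {
    "10.1.0.0/16": "eth0",
    "10.1.5.0/24": "eth1",   # more specific subnet, reachable via eth1
    "192.0.2.0/24": "eth2",
    "0.0.0.0/0": "eth3",     # default route
}

def rpf_interface(source, routes=UNICAST_ROUTES):
    """Longest-prefix match: the interface the unicast table uses to reach
    `source`. The sparse-mode source tree is built back along this path, so
    it is the only interface on which traffic from `source` may arrive."""
    src = ipaddress.ip_address(source)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(source, in_iface, routes=UNICAST_ROUTES):
    """True if a multicast packet claiming `source` arrived on the RPF
    interface; False means drop (a spoofed source or a looped copy)."""
    return rpf_interface(source, routes) == in_iface

def filter_packets(packets, routes=UNICAST_ROUTES):
    """Split (source, in_iface, group) tuples into forwarded and dropped."""
    forwarded, dropped = [], []
    for src, iface, group in packets:
        bucket = forwarded if rpf_check(src, iface, routes) else dropped
        bucket.append((src, iface, group))
    return forwarded, dropped

if __name__ == "__main__":
    # Constructed traffic: one legitimate sender, one packet claiming a
    # 10.1.5.0/24 source but entering from the default-route side.
    sample = [
        ("10.1.5.7", "eth1", "239.1.1.1"),
        ("10.1.5.7", "eth3", "239.1.1.1"),
        ("203.0.113.9", "eth3", "239.1.1.1"),
    ]
    fwd, drop = filter_packets(sample)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```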