[AG-TECH] DDOS attacks

Osland, CD (Chris) C.D.Osland at rl.ac.uk
Thu Oct 24 11:06:32 CDT 2002


Not sure whether it's quite a DDOS attack, but if someone joins
an AG session and, on the fly, changes the encoding format of
one of their video capture sessions to a higher quality, everyone's
AG session is blown out of the water (reload of Display machine
typically required).

I realise DDOS is probably more conventionally used to refer to
sustained traffic, but thought you might like to know about this.
Queens University Belfast did this by mistake.  We then reran a
controlled experiment and it happened again, so appears repeatable
(the break occurs within a second of setting the higher quality).

Cheers

Chris 

____________________________________________________________________
Chris Osland                        Office tel: +44 (0) 1235 446565
Digital Media and Access Grid       Medialab tel: +44 (0) 1235 446459
BIT Department                      Access Grid room tel: +44 (0) 1235 445666
e-mail:   C.D.Osland at rl.ac.uk    Fax: +44 (0) 1235 445597
CLRC Rutherford Appleton Laboratory (Bldg. R18)
Chilton, DIDCOT, Oxon OX11 0QX, UK

-----Original Message-----
From: Bill Nickless [mailto:nickless at mcs.anl.gov]
Sent: 24 October 2002 16:28
To: Robert Olson
Cc: Michael Daw; AG Technical Developers
Subject: Re: [AG-TECH] DDOS attacks


At 10:13 AM 10/24/2002 -0500, Robert Olson wrote:
>If someone wanted to send 200 Mbps of multicast into a group, the network 
>would do its best to deliver it to all listeners, likely causing disruption.

Yes.  And the network should be robust enough to do so without falling 
over, since 200 Mbps of multicast traffic may be completely legitimate for 
lots of good reasons.  (This is one of the arguments against the current 
data-driven multicast forwarding routing model.)

Unlike the current unicast routing model, it's much harder to successfully 
inject spoofed source-address packets into a group.  This pretty much has 
to be done on the same subnet as the spoofed legitimate host address, 
because sparse-mode source-rooted forwarding trees will try to form towards 
the legitimate subnet of the source address.  In other words, multicast RPF 
isn't just a good idea -- it's the law!  :-)

>I suspect that one could forge sender information, perhaps by spoofing PIM 
>- any insights on this Bill?

Yes, we've experienced this.  Remember about 18 months ago, there was a 
badly written worm that would try to make TCP connections to thousands of 
destinations (that often happened to be multicast group addresses)?  The 
result was an explosion in the size of MSDP caches around the 'Net.  Cisco 
quickly came out with a fix that let operators restrict the number of MSDP 
SAs accepted from a given peer, and Juniper people solved the problem by 
rate-limiting the MSDP TCP sessions.

>--bob
>
>At 04:11 PM 10/24/2002 +0100, Michael Daw wrote:
>>I'm being asked a theoretical question about the potential for DDOS attacks
>>over multicast. Could a malicious person bring down an AG session in this
>>way, should they so wish? Or is it not really possible without revealing who
>>you are?
>>
>>-----------------------oOo-----------------------
>>Michael Daw
>>Computer Services for Academic Research (CSAR)
>>
>>Manchester Computing, Kilburn Building,
>>University of Manchester, Manchester M13 9PL, UK
>>
>>Tel: +44 (0)161 275 7026
>>Fax: +44 (0)161 275 6800
>>Email: michael.daw at man.ac.uk
>>
>>http://www.csar.cfs.ac.uk/staff/daw/
>>-----------------------OoO-----------------------

===
Bill Nickless    http://www.mcs.anl.gov/people/nickless      +1 630 252 7390
PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7     nickless at mcs.anl.gov
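
An added illustration, not part of the original thread: a minimal model of the multicast RPF check discussed above, showing that a packet with a spoofed source address is dropped unless it arrives on the interface the router itself would use to reach that source. The routing table, interface names, addresses and group are constructed for the example.

```python
import ipaddress

# Constructed unicast routing table for a hypothetical router:
# prefix -> interface used to reach that prefix.
UNICAST_ROUTES = {
    "0.0.0.0/0": "wan0",
    "192.0.2.0/24": "eth1",
    "198.51.100.0/24": "eth2",
}

def rpf_interface(source, routes=UNICAST_ROUTES):
    """Longest-prefix match on the source address: the interface this
    router would use to send unicast traffic back towards the source."""
    addr = ipaddress.ip_address(source)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(source, group, arrival_iface, routes=UNICAST_ROUTES):
    """True if a multicast packet from `source` to `group` arrived on the
    interface that leads back to `source`; otherwise it must be dropped."""
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    return rpf_interface(source, routes) == arrival_iface

def classify(packets, routes=UNICAST_ROUTES):
    """Return the forward/drop verdict for each (source, group, iface)."""
    return ["forward" if rpf_check(s, g, i, routes) else "drop"
            for s, g, i in packets]

# Constructed sample traffic: (claimed source, group, arrival interface).
SAMPLE = [
    ("192.0.2.10", "233.252.0.1", "eth1"),  # genuine host on its own subnet
    ("192.0.2.10", "233.252.0.1", "wan0"),  # same source claimed from outside
    ("192.0.2.77", "233.252.0.1", "eth1"),  # claimed address on the same subnet
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(pkt, "->", verdict)
```

The third sample packet passes because RPF only validates the arrival interface, which is why the same-subnet case needs a separate control such as ingress filtering at the access layer.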


