[AG-TECH] DDOS attacks
Osland, CD (Chris)
C.D.Osland at rl.ac.uk
Thu Oct 24 11:06:32 CDT 2002
Not sure whether it's quite a DDOS attack, but if someone joins
an AG session and, on the fly, changes the encoding format of
one of their video capture sessions to a higher quality, everyone's
AG session is blown out of the water (reload of Display machine
typically required).
I realise DDOS is probably more conventionally used to refer to
sustained traffic, but thought you might like to know about this.
Queens University Belfast did this by mistake. We then reran a
controlled experiment and it happened again, so appears repeatable
(the break occurs within a second of setting the higher quality).
Cheers
Chris
____________________________________________________________________
Chris Osland                          Office tel: +44 (0) 1235 446565
Digital Media and Access Grid         Medialab tel: +44 (0) 1235 446459
BIT Department                        Access Grid room tel: +44 (0) 1235 445666
e-mail: C.D.Osland at rl.ac.uk        Fax: +44 (0) 1235 445597
CLRC Rutherford Appleton Laboratory (Bldg. R18)
Chilton, DIDCOT, Oxon OX11 0QX, UK
[The contents of this email are confidential and are for the use of the
intended recipient only. If you are not the intended recipient do not take
any action on it or show it to anyone else, but return this email to the
sender and delete your copy of it.]
-----Original Message-----
From: Bill Nickless [mailto:nickless at mcs.anl.gov]
Sent: 24 October 2002 16:28
To: Robert Olson
Cc: Michael Daw; AG Technical Developers
Subject: Re: [AG-TECH] DDOS attacks
At 10:13 AM 10/24/2002 -0500, Robert Olson wrote:
>If someone wanted to send 200 Mbps of multicast into a group, the network
>would do its best to deliver it to all listeners, likely causing
>disruption.
Yes. And the network should be robust enough to do so without falling
over, since 200 Mbps of multicast traffic may be completely legitimate for
lots of good reasons. (This is one of the arguments against the current
data-driven multicast forwarding routing model.)
Unlike the current unicast routing model, it's much harder to successfully
inject spoofed source-address packets into a group. This pretty much has
to be done on the same subnet as the spoofed legitimate host address,
because sparse-mode source-rooted forwarding trees will try to form towards
the legitimate subnet of the source address. In other words, multicast RPF
isn't just a good idea -- it's the law! :-)
>I suspect that one could forge sender information, perhaps by spoofing PIM
>- any insights on this Bill?
Yes, we've experienced this. Remember about 18 months ago, there was a
badly written worm that would try to make TCP connections to thousands of
destinations (that often happened to be multicast group addresses)? The
result was an explosion in the size of MSDP caches around the 'Net. Cisco
quickly came out with a fix that let operators restrict the number of MSDP
SAs accepted from a given peer, and Juniper people solved the problem by
rate-limiting the MSDP TCP sessions.
>--bob
>
>At 04:11 PM 10/24/2002 +0100, Michael Daw wrote:
>>I'm being asked a theoretical question about the potential for DDOS
>>attacks over multicast. Could a malicious person bring down an AG session
>>in this way, should they so wish? Or is it not really possible without
>>revealing who you are?
>>
>>-----------------------oOo-----------------------
>>Michael Daw
>>Computer Services for Academic Research (CSAR)
>>
>>Manchester Computing, Kilburn Building,
>>University of Manchester, Manchester M13 9PL, UK
>>
>>Tel: +44 (0)161 275 7026
>>Fax: +44 (0)161 275 6800
>>Email: michael.daw at man.ac.uk
>>
>>http://www.csar.cfs.ac.uk/staff/daw/
>>-----------------------OoO-----------------------
===
Bill Nickless http://www.mcs.anl.gov/people/nickless +1 630 252 7390
PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7 nickless at mcs.anl.gov
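The two defences Bill describes above, the multicast RPF check that pins a source address to the interface facing its subnet, and a per-peer cap on accepted MSDP SA entries, as an added toy model in Python. This is example code written for this archive page, not anything from the AG project or the thread's authors; the routing table, interface names, peer names and packet values are all constructed for illustration.

```python
"""Toy model of multicast RPF checking and of a per-peer MSDP SA cache cap.
Added illustration, not code from the thread; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed unicast routing table: prefix -> interface the router uses to
# reach that prefix, which is also the RPF interface for any source inside it.
ROUTES = {
    "10.1.0.0/16": "eth0",
    "10.2.0.0/16": "eth1",
    "192.0.2.0/24": "eth2",   # documentation range, stands in for a campus subnet
    "0.0.0.0/0": "eth0",      # default route
}


def rpf_interface(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface on which traffic *from* src_ip is expected."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(src_ip, in_iface, routes=ROUTES):
    """Forward a multicast packet only if it arrived on its source's RPF interface.
    A packet with a forged source from elsewhere in the network fails here, which
    is why spoofing only works from the legitimate source's own subnet."""
    return rpf_interface(src_ip, routes) == in_iface


class MsdpSaCache:
    """Source-Active cache with a per-peer entry limit, modelling the operator
    knob Bill mentions for containing an SA flood from a misbehaving peer."""

    def __init__(self, per_peer_limit):
        self.limit = per_peer_limit
        self.entries = defaultdict(set)   # peer -> {(source, group)}
        self.rejected = defaultdict(int)  # peer -> count of refused SAs

    def accept(self, peer, source, group):
        """Return True if the (source, group) SA from peer is cached."""
        if not ipaddress.ip_address(group).is_multicast:
            self.rejected[peer] += 1      # not a group address at all
            return False
        key = (source, group)
        if key in self.entries[peer]:
            return True                   # refresh of a known entry
        if len(self.entries[peer]) >= self.limit:
            self.rejected[peer] += 1      # peer over its cap: drop, count, keep going
            return False
        self.entries[peer].add(key)
        return True


if __name__ == "__main__":
    # Legitimate source on eth1 passes; the same source address seen on eth0 fails RPF.
    print(rpf_check("10.2.5.5", "eth1"), rpf_check("10.2.5.5", "eth0"))
    # Constructed worm-style burst: one peer announcing many (source, group) pairs.
    cache = MsdpSaCache(per_peer_limit=100)
    for i in range(500):
        cache.accept("peerA", "192.0.2.10", f"224.1.{i // 256}.{i % 256}")
    print(len(cache.entries["peerA"]), cache.rejected["peerA"])
```

The cap is deliberately per peer rather than global so that one noisy neighbour cannot crowd out SAs learned from well-behaved peers; the rejected counter is the number an operator would want graphed or alerted on.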