[AG-TECH] DDOS attacks

Bill Nickless nickless at mcs.anl.gov
Tue Oct 29 14:37:30 CST 2002


At 09:28 AM 10/24/2002 -0700, Jay Beavers wrote:
>What about sending false IGMP messages?  Perhaps in deny mode where
>unjoin is continually sent to deny the routing of legitimate traffic?

I'll have to look again, but I'm pretty sure IGMP leave messages don't 
instantly stop traffic into the local Ethernet subnet.  I believe it's the 
duty of other IGMP speakers to watch the wire and express their interest 
before some timeout.

>Think of the semi-knowledgeable attacker scenarios.  If someone knew
>that important traffic was generally occurring on a limited set of
>IP/Port combinations (like a list of AG Venues for instance, easily
>accessible), how much damage could they do?  Could they do it
>anonymously?

They could get the traffic, but they couldn't cause traffic to be sent 
anywhere other than their local subnet.  (Unless, of course, they used an 
IP source address on that subnet.)

>Could they convince an edge router that 1000 other routers wanted that
>existing multicast traffic, overloading the network bandwidth between
>the edge router and the POP?

Multicast traffic forwarding in the modern Internet is receiver-interest 
driven.  A receiver has to register interest in a group for any traffic on 
that group to come towards the receiver.

>This is a scenario that worries me, far more than "overload traffic"
>unicast-style DDoS attacks.
>
>  - jcb
>
>-----Original Message-----
>From: Bill Nickless [mailto:nickless at mcs.anl.gov]
>Sent: Thursday, October 24, 2002 8:28 AM
>To: Robert Olson
>Cc: Michael Daw; AG Technical Developers
>Subject: Re: [AG-TECH] DDOS attacks
>
>At 10:13 AM 10/24/2002 -0500, Robert Olson wrote:
> >If someone wanted to send 200 Mbps of multicast into a group, the network
> >would do its best to deliver it to all listeners, likely causing disruption.
>
>Yes.  And the network should be robust enough to do so without falling
>over, since 200 Mbps of multicast traffic may be completely legitimate for
>lots of good reasons.  (This is one of the arguments against the current
>data-driven multicast forwarding routing model.)
>
>Unlike the current unicast routing model, it's much harder to successfully
>inject spoofed source-address packets into a group.  This pretty much has
>to be done on the same subnet as the spoofed legitimate host address,
>because sparse-mode source-rooted forwarding trees will try to form towards
>the legitimate subnet of the source address.  In other words, multicast RPF
>isn't just a good idea -- it's the law!  :-)
>
> >I suspect that one could forge sender information, perhaps by spoofing PIM
> >- any insights on this Bill?
>
>Yes, we've experienced this.  Remember about 18 months ago, there was a
>badly written worm that would try to make TCP connections to thousands of
>destinations (that often happened to be multicast group addresses)?  The
>result was an explosion in the size of MSDP caches around the 'Net.  Cisco
>quickly came out with a fix that let operators restrict the number of MSDP
>SAs accepted from a given peer, and Juniper people solved the problem by
>rate-limiting the MSDP TCP sessions.
>
> >--bob
> >
> >At 04:11 PM 10/24/2002 +0100, Michael Daw wrote:
> >>I'm being asked a theoretical question about the potential for DDOS attacks
> >>over multicast. Could a malicious person bring down an AG session in this
> >>way, should they so wish? Or is it not really possible without revealing who
> >>you are?
> >>
> >>-----------------------oOo-----------------------
> >>Michael Daw
> >>Computer Services for Academic Research (CSAR)
> >>
> >>Manchester Computing, Kilburn Building,
> >>University of Manchester, Manchester M13 9PL, UK
> >>
> >>Tel: +44 (0)161 275 7026
> >>Fax: +44 (0)161 275 6800
> >>Email: michael.daw at man.ac.uk
> >>
> >>http://www.csar.cfs.ac.uk/staff/daw/
> >>-----------------------OoO-----------------------
>
>===
>Bill Nickless    http://www.mcs.anl.gov/people/nickless      +1 630 252 7390
>PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7
>nickless at mcs.anl.gov

===
Bill Nickless    http://www.mcs.anl.gov/people/nickless      +1 630 252 7390
PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7     nickless at mcs.anl.gov
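To make Bill's point above concrete (an IGMP Leave does not instantly stop traffic; other receivers get a chance to re-express interest before a timeout), here is a small model of an IGMPv2 querier's leave handling, added as an example and not code from this thread or from the Access Grid project. It assumes the RFC 2236 default timers (Last Member Query Interval 1 s, Last Member Query Count 2) and uses a constructed group address; the event names and `Querier` class are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed IGMPv2 querier defaults (RFC 2236): on a Leave the querier sends a group-
# specific query Last Member Query Count (2) times, one Last Member Query Interval
# (1 s) apart, and prunes only if no Membership Report arrives within that window.
LAST_MEMBER_QUERY_INTERVAL = 1.0
LAST_MEMBER_QUERY_COUNT = 2

Event = Tuple[float, str, str]  # (time in seconds, "report" | "leave", group)


@dataclass
class Querier:
    """Per-group state on the subnet querier: group -> prune deadline (None = stable)."""
    groups: Dict[str, Optional[float]] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        # prune groups whose leave window closed without any report being heard
        for group, deadline in list(self.groups.items()):
            if deadline is not None and now >= deadline:
                del self.groups[group]

    def handle(self, event: Event) -> None:
        now, kind, group = event
        self.expire(now)
        if kind == "report":
            # any report (e.g. the answer to a group-specific query) cancels a
            # pending prune; the querier never checks who sent the Leave
            self.groups[group] = None
        elif kind == "leave":
            if self.groups.get(group, 0) is None:  # forwarding and no window open
                self.groups[group] = now + LAST_MEMBER_QUERY_INTERVAL * LAST_MEMBER_QUERY_COUNT

    def forwarding(self, group: str, now: float) -> bool:
        self.expire(now)
        return group in self.groups


def forwarding_at(events: List[Event], group: str, at: float) -> bool:
    """Replay events in time order; is the group still forwarded on the subnet at `at`?"""
    q = Querier()
    for ev in sorted(events):
        q.handle(ev)
    return q.forwarding(group, at)


# Constructed scenarios: a receiver joins at t=0 and a Leave arrives at t=5 (forged or
# genuine, the querier cannot tell); in one case a real receiver answers the
# group-specific query with a report at t=5.5, in the other nobody does.
GROUP = "224.2.1.1"  # constructed group address
LEAVE_ANSWERED = [(0.0, "report", GROUP), (5.0, "leave", GROUP), (5.5, "report", GROUP)]
LEAVE_UNANSWERED = [(0.0, "report", GROUP), (5.0, "leave", GROUP)]
```

The unanswered Leave still leaves the group forwarded until the two-second query window closes, and an answered one never prunes at all, which is why a forged Leave alone cannot cut a session off the wire.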
