(I just got back from 3 weeks of vacation so apologies
for not replying to this earlier :)
Jari Arkko writes:
[...]
> A multicast group X contains the receivers R1, R2, ... RN.
> The victim node is V - not necessarily anything to do with
> X. The attacker is A. All nodes are different. Now, attacker A
> sends a multicast packet with source = V and destination = X.
> As the receivers R1 to RN or routers close to them receive the
> messages, they complain about the message and ALL respond using
> ICMPv6 Packet Too Big or Parameter Problem, causing V to be
> flooded with messages.
[...]
> I'm not sure if I've missed something that prevents an
> attacker from doing this. But if they can do this,
> it is very hard to prevent the consequences since (a)
> there is amplification involved, (b) each ICMPv6 sender
> sends just one packet so rate limitation won't help, and
> (c) the victim's pipe may be full because of the messages
> and therefore any policies the victim may have on throwing
> them out won't help.
>
> What isn't clear to me though is for instance, which
> nodes can send such multicast traffic like this. I
> would assume at least those who are on the same network
> with the real sender of the group, and at least when
> V is the same as the real sender. But how far beyond
> this can you take the attack?
All currently deployed (that I know of) multicast routing protocols
employ RPF checks in some form. Roughly, this means that A
has to be either on the same subnet as V (in which case all
receivers will respond), or else somewhere on the multicast
distribution tree used by V (in which case only those
receivers down the subtree past that point will respond).
If A is not on the distribution tree, then the attack
generally won't work. There are a few exceptions, though,
such as sending the Packet Too Big in a register message
to the victim's RP in PIM-SM. If V is not actually sourcing traffic
to the group, and receivers are in V's domain, then a large
volume could be continuously generated. (If V is sourcing
traffic, then typically registers would fail, as the RP
will be getting data natively and drop registers.)
If the receivers are external to V's domain, then
typically MSDP will only let the first Packet Too Big message
reach the receivers. There may be ways to configure filters
at the RPs to prevent these things, I don't know about
current implementations.
-Dave
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
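The RPF argument in Dave's reply (attacker on V's subnet: every receiver responds; attacker on a transit link of V's distribution tree: only the subtree below that point; attacker off the tree: nobody) can be checked by simulating it. The following is an added example written for this page, not code from the thread or from any router implementation. It assumes a constructed topology, hop-count unicast routing (so the RPF interface is the subnet on the shortest path back toward V), and plain flooding along the reverse-path tree; it deliberately ignores PIM prunes/joins, the PIM-SM register path and MSDP, which the reply names as the exceptions.

```python
"""Model of RPF checks against spoofed-source multicast (constructed example)."""
from collections import deque

# Constructed topology: subnet name -> routers attached to it.
# Stub subnets (net_*) hold hosts; link_* subnets join routers.
SUBNETS = {
    "net_v":   {"R1"},
    "link_12": {"R1", "R2"},
    "link_23": {"R2", "R3"},
    "link_24": {"R2", "R4"},
    "link_34": {"R3", "R4"},   # redundant link; not on V's tree
    "net_c":   {"R3"},
    "net_d":   {"R4"},
    "link_45": {"R4", "R5"},
    "net_e":   {"R5"},
}
# Constructed hosts: host -> subnet it sits on.  V is the spoofed source.
HOSTS = {"V": "net_v", "c1": "net_c", "d1": "net_d", "d2": "net_d",
         "e1": "net_e", "e2": "net_e"}
RECEIVERS = {"c1", "d1", "d2", "e1", "e2"}   # members of group X


def rpf_interfaces(subnets, source_subnet):
    """Map each router to its RPF interface toward the source: the subnet on
    its shortest (hop-count) path back to source_subnet.  Routers directly
    on the source subnet use that subnet.  BFS, so first discovery wins."""
    rpf = {}
    queue = deque()
    for r in sorted(subnets[source_subnet]):
        rpf[r] = source_subnet
        queue.append(r)
    while queue:
        r = queue.popleft()
        for s in sorted(s for s, members in subnets.items() if r in members):
            for nbr in sorted(subnets[s]):
                if nbr not in rpf:
                    rpf[nbr] = s
                    queue.append(nbr)
    return rpf


def deliver(subnets, hosts, rpf, inject_subnet):
    """Flood one packet with spoofed source V that the attacker puts onto
    inject_subnet.  A router forwards a copy onto its other subnets only if
    the copy arrived on its RPF interface; otherwise it drops it silently.
    Returns the set of hosts whose subnet the packet reached."""
    reached = set()
    pending = deque([inject_subnet])
    while pending:
        s = pending.popleft()
        if s in reached:
            continue
        reached.add(s)
        for router in sorted(subnets[s]):
            if rpf.get(router) != s:
                continue                      # RPF check fails
            for out in subnets:
                if router in subnets[out] and out != s and out not in reached:
                    pending.append(out)
    return {h for h, sub in hosts.items() if sub in reached}


def responders(inject_subnet):
    """Receivers of group X that see the spoofed packet and would therefore
    send ICMPv6 (Packet Too Big / Parameter Problem) back to V."""
    rpf = rpf_interfaces(SUBNETS, HOSTS["V"])
    return deliver(SUBNETS, HOSTS, rpf, inject_subnet) & RECEIVERS


if __name__ == "__main__":
    for where in ("net_v", "link_24", "link_34"):
        hit = responders(where)
        print(f"attacker on {where:8}: {len(hit)} receivers respond -> {sorted(hit)}")
```

Injecting on `net_v` (V's own subnet) reaches all five receivers; injecting on `link_24`, a transit link on V's tree, reaches only the subtree below R4 (`d1`, `d2`, `e1`, `e2`); injecting on the off-tree `link_34` reaches none, because both R3 and R4 expect V's traffic on a different interface. The amplification factor is simply the size of the returned set.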