Dave Thaler wrote:
>
> (I just got back from 3 weeks of vacation so apologies
> for not replying to this earlier :)
>
> Jari Arkko writes:
> [...]
> > A multicast group X contains the receivers R1, R2, ... RN.
> > The victim node is V - not necessarily anything to do with
> > X. The attacker is A. All nodes are different. Now, attacker A
> > sends a multicast packet with source = V and destination = X.
> > As the receivers R1 to RN or routers close to them receive the
> > messages, they complain about the message and ALL respond using
> > ICMPv6 Packet Too Big or Parameter Problem, causing V to be
> > flooded with messages.
> [...]
> > I'm not sure if I've missed something that prevents an
> > attacker from doing this. But if they can do this,
> > it is very hard to prevent the consequences since (a)
> > there is amplification involved, (b) each ICMPv6 sender
> > sends just one packet so rate limitation won't help, and
> > (c) the victim's pipe may be full because of the messages
> > and therefore any policies the victim may have on throwing
> > them out won't help.
> >
> > What isn't clear to me though is for instance, which
> > nodes can send such multicast traffic like this. I
> > would assume at least those who are on the same network
> > with the real sender of the group, and at least when
> > the V is the same as the real sender. But how far beyond
> > this can you take the attack?
>
> All currently deployed (that I know of) multicast routing protocols
> employ RPF checks in some form. Roughly, this means that A
> has to be either on the same subnet as V (in which case all
> receivers will respond), or else somewhere on the multicast
> distribution tree used by V (in which case only those
> receivers down the subtree past that point will respond).
> If A is not on the distribution tree, then the attack
> generally won't work. There are a few exceptions, though,
> such as sending the Packet Too Big in a register message
> to the victim's RP in PIMSM. If V is not actually sourcing traffic
> to the group, and receivers are in V's domain, then a large
> volume could be continuously generated. (If V is sourcing
Unless the RP immediately switches to the source tree when it receives
the first 'Packet Too Big' packet (which is a typical configuration). In
this case there will only be a burst towards V. Correct?
dirk
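The RPF argument Dave Thaler makes above (an attacker on V's subnet reaches every receiver, an attacker on a tree link reaches only the subtree below it, an attacker off the tree reaches nobody) can be checked on a small model. The Python below is an added illustration, not code from this thread or from any multicast implementation; the topology, link names and receiver names are constructed, and the PIM-SM register path that Dave and dirk discuss is deliberately left out of the model.

```python
"""Toy model: how per-router RPF checks bound the ICMPv6 reflection toward V.

Constructed topology (assumption, not taken from the thread):

    V --lan_V-- R_V --l1-- R1 --lan_a-- {Ra1, Ra2}
                 \
                  l2-- R2 --l3-- R3 --lan_b-- {Rb1}
                        |         \--lan_c-- {Rc1, Rc2, Rc3}
                    l_offtree (a link on R2 that is not on the tree toward V)
"""
from typing import Dict, List, Set, Tuple

# router -> (link on the unicast path toward V, i.e. its RPF interface,
#            tree links it forwards group traffic onto)
ROUTERS: Dict[str, Tuple[str, List[str]]] = {
    "R_V": ("lan_V", ["l1", "l2"]),
    "R1": ("l1", ["lan_a"]),
    "R2": ("l2", ["l3"]),
    "R3": ("l3", ["lan_b", "lan_c"]),
}

# group members attached to each link; hosts do no RPF check of their own
RECEIVERS: Dict[str, Set[str]] = {
    "lan_a": {"Ra1", "Ra2"},
    "lan_b": {"Rb1"},
    "lan_c": {"Rc1", "Rc2", "Rc3"},
}


def _forward(link: str, visited: Set[str]) -> Set[str]:
    """Receivers reached once a packet with source V appears on `link`."""
    if link in visited:
        return set()
    visited.add(link)
    reached = set(RECEIVERS.get(link, set()))
    for _router, (rpf_link, downstream) in ROUTERS.items():
        # A router accepts the packet only if it arrives on the interface its
        # unicast route to V uses; arrival on any other interface is dropped.
        if rpf_link == link:
            for down in downstream:
                reached |= _forward(down, visited)
    return reached


def responders(inject_link: str) -> Set[str]:
    """Receivers that would see a spoofed (src=V, dst=X) packet injected on `inject_link`."""
    return _forward(inject_link, set())


def amplification(inject_link: str) -> int:
    """Each responder sends V one ICMPv6 error, so this is the per-packet amplification at V."""
    return len(responders(inject_link))


if __name__ == "__main__":
    for where in ("lan_V", "l3", "lan_b", "l_offtree"):
        print(f"{where:10s} -> {amplification(where)} responders: {sorted(responders(where))}")
```

Running it reproduces the three cases from the thread: injection on `lan_V` reaches all six receivers, injection on the tree link `l3` reaches only the four below R3, injection on `l_offtree` reaches none, and injection on a leaf subnet such as `lan_b` reaches only that subnet's member because R3 drops the packet on its non-RPF interface. The count returned by `amplification` is what matters to the victim: every responder sends exactly one error, which is why per-sender rate limiting does nothing and the exposure is governed by where on the tree an attacker can inject.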
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------