Hi Vishwas,
        The multicast RPF algorithm allows a multicast router to accept
a multicast datagram only on the interface where it would send a unicast
datagram to the source of that datagram. The first multicast router
receiving this specific spoofed source datagram will notice that the
packet is not coming in the interface it is supposed to come in from,
and it will drop it. That said, this attack is possible if you are
trying to attack somebody in the same network as you. But you might as
well directly attack the source with as many packets as the number of
members in a multicast group.

Cheers
Suresh 

-----Original Message-----
From: Vishwas Manral [mailto:[EMAIL PROTECTED] 
Sent: May 28, 2007 3:59 PM
To: Pekka Savola
Cc: [EMAIL PROTECTED]; [email protected]
Subject: Re: Destination options attack

Hi Pekka,

I am not sure if RPF can catch it all.

It's not the same as bombarding the source itself. With the attack I
mention, we can actually send one packet (which goes to all members of
the multicast group). This will cause all the members of the multicast
group to send a reply to one source.

So the amplification factor is the number of multicast members in a
group. For large groups this number may be huge. Do let me know what I
am missing.

Thanks,
Vishwas

On 5/28/07, Pekka Savola <[EMAIL PROTECTED]> wrote:
> On Mon, 28 May 2007, Vishwas Manral wrote:
> > I noticed one more security issue like the Destination options 
> > header attack. A packet is sent by using a destination header as a 
> > Multicast Group address, and source address of the machine to be 
> > attacked. A random Option type is added to the destination Options 
> > header, which has the highest order two bits as 10 (send ICMP Reply
> > to the source).
> >
> > The above would cause ICMP packets to be sent to the source address 
> > from all members of the multicast group to the source. This could 
> > very easily overwhelm the source.
>
> AFAICS, I don't see how this attack would be very effective.
> Multicast forwarding algorithms check (for loop prevention) that a 
> packet destined to a multicast address comes from a topologically 
> RPF-wise correct direction.  So unless you assume a router has been 
> compromised (and all bets are off) basically you can only spoof an 
> address inside the subnet where the attacker is, but I don't see this 
> as a very useful attack myself because it'd be more effective to 
> attack directly.
>
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

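Added example, not part of the thread above and not code from any of the
participants: a small simulation of the two mechanisms being argued about.
The receiver side applies the RFC 2460 section 4.2 rule for an unrecognised
option in a Destination Options header (act bits 10 means a Parameter
Problem goes back to the source even when the destination was multicast,
act bits 11 suppresses it for multicast), and the router side applies the
multicast RPF check (accept only on the interface the unicast route to the
source uses). The topology, interface names, prefixes, the group address,
the member count and the option type 0x9E are all assumptions made up for
the example.

```python
import ipaddress

# RFC 2460 section 4.2: the two highest-order bits of an option type tell a
# receiver what to do with an option it does not recognise.
SKIP = 0b00                  # skip the option, keep processing the header
DISCARD = 0b01               # discard the packet silently
DISCARD_ICMP = 0b10          # discard and send ICMPv6 Parameter Problem (code 2)
                             # to the source, even if the destination was multicast
DISCARD_ICMP_UNICAST = 0b11  # discard, send Parameter Problem only if the
                             # destination was not a multicast address
PAD1, PADN = 0, 1
KNOWN_OPTIONS = {PAD1, PADN}
NEXT_HEADER_ICMPV6 = 58
UNASSIGNED_ACT10_OPTION = 0x9E  # assumption: an option type no host knows, act bits 10
UNASSIGNED_ACT11_OPTION = 0xDE  # assumption: same, but act bits 11


def build_dest_options(next_header, options):
    """Encode a Destination Options header, padded to a multiple of 8 octets."""
    body = b"".join(bytes([t, len(d)]) + d for t, d in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += bytes([PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1
    return bytes([next_header, hdr_ext_len]) + body


def parse_dest_options(hdr):
    """Return [(type, data), ...] from an encoded Destination Options header."""
    if len(hdr) < 8:
        raise ValueError("truncated header")
    total = (hdr[1] + 1) * 8
    if len(hdr) < total:
        raise ValueError("truncated header")
    opts, i = [], 2
    while i < total:
        t = hdr[i]
        if t == PAD1:
            i += 1
            continue
        if i + 1 >= total:
            raise ValueError("option length missing")
        n = hdr[i + 1]
        data = hdr[i + 2:i + 2 + n]
        if len(data) != n or i + 2 + n > total:
            raise ValueError("option overruns header")
        opts.append((t, data))
        i += 2 + n
    return opts


def host_action(dst, hdr):
    """Receiver's decision: ('accept', False) or ('drop', sends_parameter_problem)."""
    is_mcast = ipaddress.IPv6Address(dst).is_multicast
    for t, _ in parse_dest_options(hdr):
        if t in KNOWN_OPTIONS:
            continue
        act = t >> 6
        if act == SKIP:
            continue
        if act == DISCARD:
            return ("drop", False)
        if act == DISCARD_ICMP:
            return ("drop", True)
        return ("drop", not is_mcast)  # DISCARD_ICMP_UNICAST
    return ("accept", False)


def rpf_accept(routes, src, in_iface):
    """Multicast RPF check: accept only if the packet arrived on the interface
    that the longest-match unicast route towards src points at."""
    addr = ipaddress.IPv6Address(src)
    best, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best, best_iface = net, iface
    return best is not None and best_iface == in_iface


def replies_to_victim(routes, in_iface, src, dst, hdr, members):
    """Parameter Problem messages the spoofed source receives when the first
    multicast router applies RPF and all `members` group members apply the
    RFC 2460 rules to the option."""
    if not rpf_accept(routes, src, in_iface):
        return 0
    _, sends_icmp = host_action(dst, hdr)
    return members if sends_icmp else 0


# Constructed topology: attacker is on eth0, the victim's subnet sits behind eth1.
ROUTES = {"2001:db8:1::/64": "eth0", "2001:db8:2::/64": "eth1", "::/0": "eth2"}
GROUP = "ff1e::1234"
ATTACK_HDR = build_dest_options(NEXT_HEADER_ICMPV6,
                                [(UNASSIGNED_ACT10_OPTION, b"\x00\x00")])

if __name__ == "__main__":
    # Spoofing a victim on another subnet: RPF drops it at the first router.
    print(replies_to_victim(ROUTES, "eth0", "2001:db8:2::10", GROUP, ATTACK_HDR, 1000))
    # Spoofing a neighbour on the attacker's own subnet: accepted and amplified.
    print(replies_to_victim(ROUTES, "eth0", "2001:db8:1::10", GROUP, ATTACK_HDR, 1000))
```

The RPF check here is a single router with a static table; a real
deployment also depends on ingress filtering at the attacker's first hop,
which is what actually stops the same-subnet case the check cannot.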