wg-multicast - Re: MSDP Storm
- From: Marshall Eubanks <>
- To: Bill Nickless <>
- Cc: Bill Owens <>, Greg Shepherd <>, Kevin Thompson <>, mbone mail list <>
- Subject: Re: MSDP Storm
- Date: Wed, 17 Jan 2001 21:42:53 -0500
- Organization: Multicast Technologies
Bill Nickless wrote:
>
> At 06:03 PM 1/17/2001 -0500, Marshall Eubanks wrote:
>
> >Bill;
> >
> > You did indeed, now you seem clairvoyant.
>
> Aiee! I didn't mean to leave that impression--my earlier notes contained a
> write-up of the problem in detail that didn't go to some of the lists,
> which is why I reposted them to the wider audience.
>
> >BUT, it seems to me that at base this is not a MSDP issue - it is an IGMP
> >issue. Wouldn't it make more sense (although, alas, more work) to rate
> >limit IGMP joins ?
>
> Good question.
>
> I agree with Dave Meyer's comment, that the general problem is a lack of
> rate limiting on routing protocols subject to flooding, including
> MSDP. Should we include IGMP in this list of protocols that should be rate
> limitable? I'm not sure.
>
> In this case, though, I don't think the problem could have been solved by
> rate limiting on IGMP. The MSDP SAs were created from PIM Register
> packets, which were made from actual IP data packets by the (broken, ugly)
> scanner transmitted. Thus, IGMP wasn't necessary for the problem to spread
> widely.
>
> That being said, I would be interested to know if the kernel on the
> compromised hosts did actually do IGMP joins to receive any replies, or if
> the non-multicast-aware scanner did enough of the right socket calls.
> ===
I was also thinking about doing the same thing in SSM with joins to
some target IP address, S - just cycling through all of the SSM /8 G's. That
would (necessarily?) involve IGMP.

One thing that's not clear to me is - was the RP in the afflicted
domains involved?

That is one potential advantage to ISM - if an attack has to go through
the RP, there are a lot fewer machines to put rate limiting on.

Marshall
> Bill Nickless http://www.mcs.anl.gov/people/nickless +1 630 252 7390
> PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 201
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail :
http://www.on-the-i.com
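As an added illustration of the detection and rate-limiting points raised in this thread (this is example code, not anything posted by the participants): a scanner's data packets to many groups become PIM Registers at the RP, which then originates one MSDP SA per (S, G), so the storm shows up as a single source appearing in an unusual number of SAs. The SA-cache line format and addresses below are constructed, and the token bucket stands in for the per-protocol rate limiting Dave Meyer's comment says is missing.

```python
from collections import defaultdict

# Constructed sample in a "(S, G), RP" form; not real router output.
SA_CACHE = """\
(10.0.0.5, 224.2.127.254), RP 192.0.2.1
(10.0.0.5, 239.1.1.1), RP 192.0.2.1
(198.51.100.7, 224.0.1.1), RP 192.0.2.1
(198.51.100.7, 224.0.1.2), RP 192.0.2.1
(198.51.100.7, 224.0.1.3), RP 192.0.2.1
(198.51.100.7, 224.0.1.4), RP 192.0.2.1
"""


def parse_sa_cache(text):
    """Return (source, group, rp) tuples from the constructed cache format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        sg, rp = line.split("), RP ")
        src, grp = sg[1:].split(", ")
        entries.append((src, grp, rp))
    return entries


def sources_over_limit(entries, max_groups=3):
    """Sources whose SAs cover more than max_groups distinct groups: the storm signature."""
    groups = defaultdict(set)
    for src, grp, _ in entries:
        groups[src].add(grp)
    return {s: len(g) for s, g in groups.items() if len(g) > max_groups}


class SARateLimiter:
    """Per-source token bucket: admit at most `rate` new SAs/second, burst `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = {}, {}

    def admit(self, src, now):
        elapsed = now - self.last.get(src, now)
        tokens = min(self.burst, self.tokens.get(src, self.burst) + elapsed * self.rate)
        self.last[src] = now
        if tokens >= 1:          # enough credit: accept the SA and spend one token
            self.tokens[src] = tokens - 1
            return True
        self.tokens[src] = tokens  # no credit: drop the SA (flooding source)
        return False
```

Running `sources_over_limit(parse_sa_cache(SA_CACHE))` flags 198.51.100.7 with four groups while the normal source passes; the limiter likewise admits a burst of two SAs from a source and rejects the third until a second has elapsed.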