wg-multicast - Re: MSDP Storm
- From: Beau Williamson
- To: Bill Nickless
- Cc: Bill Nickless, Bill Owens, Greg Shepherd, Kevin Thompson, mbone mail list
- Subject: Re: MSDP Storm
- Date: Thu, 18 Jan 2001 10:47:13 -0800
Folks,
As I see it, we have two types of attacks that we need to look into:
1) Bogus Senders (a la the 224/8 port probe attacks or similar)
2) Bogus Joiners (especially bad for the SSM range)
Bill and I discussed 2) in previous emails. The point was that we need to
handle not only case 2) but case 1) as well as some other less likely but
still problematic cases.
In the end, I think that these problems (at least 1 and 2 above) should be
attacked at the first-hop router. Rate-limiting is one way and might be the
quickest and easiest to implement. Admission control would be the other way
but requires a lot more work.
Beau
At 04:11 PM 1/17/2001, Bill Nickless wrote:
>At 06:03 PM 1/17/2001 -0500, Marshall Eubanks wrote:
>
>>Bill;
>>
>> You did indeed, now you seem clairvoyant.
>
>Aiee! I didn't mean to leave that impression--my earlier notes contained a
>write-up of the problem in detail that didn't go to some of the lists,
>which is why I reposted them to the wider audience.
>
>>BUT, it seems to me that at base this is not a MSDP issue - it is an IGMP
>>issue. Wouldn't it make more sense (although, alas, more work) to rate
>>limit IGMP joins?
>
>Good question.
>
>I agree with Dave Meyer's comment, that the general problem is a lack of
>rate limiting on routing protocols subject to flooding, including
>MSDP. Should we include IGMP in this list of protocols that should be rate
>limitable? I'm not sure.
>
>In this case, though, I don't think the problem could have been solved by
>rate limiting on IGMP. The MSDP SAs were created from PIM Register
>packets, which were made from actual IP data packets by the (broken, ugly)
>scanner transmitted. Thus, IGMP wasn't necessary for the problem to spread
>widely.
>
>That being said, I would be interested to know if the kernel on the
>compromised hosts did actually do IGMP joins to receive any replies, or if
>the non-multicast-aware scanner did enough of the right socket calls.
>===
>Bill Nickless http://www.mcs.anl.gov/people/nickless +1 630 252 7390
>PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7
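The first-hop rate limiting Beau proposes for the "bogus sender" case, as an added simulation that is not code from this list or from any router vendor: each new (S,G) entry a source creates is what would turn into a PIM Register and an MSDP SA, so a per-source token bucket on new-state creation caps the fan-out of a host sweeping 224/8 while an ordinary sender is unaffected. The burst and refill values, the addresses and the traffic pattern are constructed assumptions.

```python
from collections import defaultdict
import ipaddress

class SourceBucket:
    """Token bucket charged once per new (S,G) entry a source triggers (burst/rate are assumed)."""

    def __init__(self, burst, per_sec):
        self.capacity, self.refill = burst, per_sec
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class FirstHopRouter:
    """Holds (S,G) state; every new entry is what would become a PIM Register and an MSDP SA."""

    def __init__(self, burst=10, per_sec=1.0):
        self.buckets = defaultdict(lambda: SourceBucket(burst, per_sec))
        self.state = set()               # (S,G) entries created so far
        self.dropped = defaultdict(int)  # per-source refused new-state creations

    def data_packet(self, src, group, now):
        """True if forwarded; False if creating new (S,G) state for this source was refused."""
        if (src, group) in self.state:
            return True                  # existing state: no new Register/SA
        if self.buckets[src].allow(now):
            self.state.add((src, group))
            return True
        self.dropped[src] += 1
        return False

def simulate(burst=10, per_sec=1.0):
    """Constructed traffic: a 3-group sender plus a scanner sweeping 1000 groups in 0.5 s."""
    r = FirstHopRouter(burst, per_sec)
    legit, scanner = "10.0.0.5", "10.0.0.66"          # constructed addresses
    for t in range(3):                                # legit: 3 groups, 5 packets each
        for _ in range(5):
            r.data_packet(legit, f"239.1.1.{t}", now=float(t))
    base = ipaddress.IPv4Address("224.1.0.0")
    for i in range(1000):                             # scanner: one packet per group
        r.data_packet(scanner, str(base + i), now=i * 0.0005)
    sas = lambda s: sum(1 for src, _ in r.state if src == s)
    return {"legit_sas": sas(legit), "scanner_sas": sas(scanner),
            "scanner_dropped": r.dropped[scanner]}
```

With the assumed burst of 10 and refill of 1 per second, the sweep yields 10 SAs instead of 1000 while the legitimate sender's three groups all get state.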