Hi Pekka,

I am not sure if RPF can catch it all.

It's not the same as bombarding the source itself. With the attack I mention, we can actually send one packet (which goes to all members of the multicast group). This will cause all the members of the multicast group to send a reply to one source. So the amplification factor is the number of multicast members in a group. For large groups this number may be huge.

Do let me know what I am missing.

Thanks,
Vishwas

On 5/28/07, Pekka Savola <[EMAIL PROTECTED]> wrote:
> On Mon, 28 May 2007, Vishwas Manral wrote:
> > I noticed one more security issue like the Destination options header
> > attack. A packet is sent by using a destination header as a Multicast
> > Group address, and source address of the machine to be attacked. A
> > random Option type is added to the destination Options header, which
> > has the highest order two bits as 10 (send ICMP Reply to the source).
> >
> > The above would cause ICMP packets to be sent to the source address
> > from all members of the multicast group to the source. This could very
> > easily overwhelm the source
>
> AFAICS, I don't see how this attack would be very effective.
>
> Multicast forwarding algorithms check (for loop prevention) that a
> packet destined to a multicast address comes from a topologically
> RPF-wise correct direction. So unless you assume a router has been
> compromised (and all bets are off) basically you can only spoof an
> address inside the subnet where the attacker is, but I don't see this
> as a very useful attack myself because it'd be more effective to attack
> directly.
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
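Editor's added example (not part of the thread, and not code from either poster) modelling the two mechanisms the exchange argues about: the receiver-side handling of an unrecognised IPv6 Destination Option, where the two high-order bits of the Option Type decide whether an ICMPv6 Parameter Problem (code 2) goes back to the source, with the "10" variant doing so even for a multicast destination (RFC 2460 section 4.2); and the router-side RPF check Pekka refers to, which drops a multicast packet whose spoofed source is not reachable via the interface it arrived on. The group address, the unicast routing table, the interface names, the group size and the option type values 0xBF and 0xFF are all constructed for the example.

```python
from __future__ import annotations

import ipaddress
import struct

# Actions for an option type a node does not recognise, keyed by the two
# high-order bits of the Option Type (RFC 2460 section 4.2).
SKIP = "skip"
DISCARD = "discard"
DISCARD_ICMP = "discard+icmp"                     # bits 10: Parameter Problem code 2, always
DISCARD_ICMP_UNICAST = "discard+icmp-if-unicast"  # bits 11: same, but only if dst is not multicast

PAD1, PADN = 0, 1
KNOWN_OPTIONS = {PAD1, PADN}
NO_NEXT_HEADER = 59


def unknown_option_action(opt_type: int, dst_is_multicast: bool) -> tuple[str, bool]:
    """Return (action, send_icmp) for an unrecognised Destination Option type."""
    hi = (opt_type >> 6) & 0b11
    if hi == 0b00:
        return SKIP, False
    if hi == 0b01:
        return DISCARD, False
    if hi == 0b10:
        return DISCARD_ICMP, True
    return DISCARD_ICMP_UNICAST, not dst_is_multicast


def build_dest_options(options: list[tuple[int, bytes]]) -> bytes:
    """Encode a Destination Options header (next hdr, ext len, TLVs), padded to 8-octet units."""
    body = b"".join(struct.pack("BB", t, len(d)) + d for t, d in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([PAD1])
    elif pad >= 2:
        body += struct.pack("BB", PADN, pad - 2) + b"\x00" * (pad - 2)
    ext_len = (2 + len(body)) // 8 - 1      # 8-octet units, not counting the first 8
    return struct.pack("BB", NO_NEXT_HEADER, ext_len) + body


def parse_dest_options(hdr: bytes):
    """Yield (type, data) for each TLV option in a Destination Options header."""
    body = hdr[2:(hdr[1] + 1) * 8]
    i = 0
    while i < len(body):
        t = body[i]
        if t == PAD1:                       # Pad1 has no length octet
            yield t, b""
            i += 1
            continue
        length = body[i + 1]
        yield t, body[i + 2:i + 2 + length]
        i += 2 + length


def receiver_icmp_target(src: str, dst: str, dest_opts: bytes) -> str | None:
    """Process the header as one group member would. Return the address an ICMPv6
    Parameter Problem is sent to, or None if the packet is accepted or dropped silently."""
    dst_mc = ipaddress.IPv6Address(dst).is_multicast
    for t, _ in parse_dest_options(dest_opts):
        if t in KNOWN_OPTIONS:
            continue
        action, send_icmp = unknown_option_action(t, dst_mc)
        if action == SKIP:
            continue
        return src if send_icmp else None   # first non-skippable unknown option ends processing
    return None


def icmp_replies_from_group(members: int, src: str, dst: str, dest_opts: bytes) -> int:
    """Every member runs the same receive logic: count replies aimed at the (spoofed) source."""
    return sum(1 for _ in range(members) if receiver_icmp_target(src, dst, dest_opts) == src)


# Router side: the RPF check. Constructed unicast routes, prefix -> interface used to reach it.
UNICAST_ROUTES = [
    (ipaddress.ip_network("2001:db8:1::/64"), "eth0"),   # attacker's subnet
    (ipaddress.ip_network("2001:db8:2::/64"), "eth1"),   # victim's subnet
]


def rpf_accepts(src: str, ingress_iface: str) -> bool:
    """Forward a multicast packet only if it arrived on the interface the router would
    use to reach its source address (longest-prefix match on the unicast table)."""
    addr = ipaddress.IPv6Address(src)
    matches = [(p, i) for p, i in UNICAST_ROUTES if addr in p]
    if not matches:
        return False
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface == ingress_iface


GROUP = "ff0e::1234"        # constructed global-scope multicast group
VICTIM = "2001:db8:2::10"   # constructed spoofed source address
OPT_BITS_10 = 0xBF          # constructed unrecognised type, high-order bits 10
OPT_BITS_11 = 0xFF          # constructed unrecognised type, high-order bits 11

if __name__ == "__main__":
    for name, opt_type in (("bits 10", OPT_BITS_10), ("bits 11", OPT_BITS_11)):
        opts = build_dest_options([(opt_type, b"\x00\x00")])
        n = icmp_replies_from_group(500, VICTIM, GROUP, opts)
        print(f"{name}: {n} ICMPv6 Parameter Problems sent to {VICTIM}")
    print("RPF, victim-source packet arriving on attacker's iface:", rpf_accepts(VICTIM, "eth0"))
    print("RPF, same packet arriving on the iface facing the victim:", rpf_accepts(VICTIM, "eth1"))
```

Run as a script, the "bits 10" packet yields one reply per member (500 for the constructed group) while the "bits 11" packet yields none, which is the fan-out Vishwas describes; the RPF check then refuses the spoofed-victim packet on the attacker's interface, which is Pekka's objection. Real stacks also rate-limit ICMPv6 error messages (RFC 4443 section 2.4), so each member's reply rate is bounded; the model here only counts the fan-out.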