On Mon, 28 May 2007, Vishwas Manral wrote:
> I am not sure if RPF can catch it all.
> It's not the same as bombarding the source itself. With the attack I
> mention, we can actually send one packet (which goes to all members of
> the multicast group). This will cause all the members of the multicast
> group to send a reply to one source.
> So the amplification factor is the number of multicast members in a
> group. For large groups this number may be huge. Do let me know what I
> am missing.
Sure, there is an amplification factor, but AFAICS, if the attacker's
real source address is 2001:db8:1:2::F00/64, (s)he can only (for
practical purposes) target an address under 2001:db8:1:2::/64. I don't
see how this attack is more effective than just sending packets to
that on-link address yourself at a higher rate and potentially spoofed
source addresses.
So, the only thing (IMHO) worth considering is the increase in PPS
along the return path from the receivers to the target (the ICMP
amplification responses). Yet given that generating these errors is
rate-limited, you'd need a huge number of receivers in order to
cause even a 10000pps increase; most networks are not worried about
attacks of that caliber as O(100Kpps) and O(1Mpps) attacks are already
commonplace with existing methods.
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------