IGMP Flood: A study of DoS attacks using IGMP (PowerPoint PPT presentation transcript)

Transcript and Presenter's Notes

1
IGMP Flood: A study of DoS attacks using IGMP
  • Josep M. Blanquer and Robert C. Chalmers
  • CS290I Computer Security

2
Introduction
  • multicast protocols are intended to be open
  • security is therefore hard to attain
  • this study looks at DoS attacks using IGMP
      • against routers and switches
      • against the network
  • it introduces two novel exploits

3
Overview: multicast
  • one-to-many or many-to-many delivery
  • a source sends a single packet to a multicast group address
  • replication occurs where the paths to the receivers diverge
  • routing is performed using a tree
  • trees are built in reverse, from the receivers towards the source

4
Overview: IGMP
  • Internet Group Management Protocol
  • runs between the end-host and its gateway router
  • single packet format
  • 2 message types
      • Membership Query
      • Membership Report

  IGMPv1 message format (in v2 the Version/Type nibbles become a single 8-bit Type and the Unused byte becomes the Max Response Time of a query):

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version| Type  |    Unused     |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         Group Address                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

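The message layout above, as an added example that is not part of the presentation and not the authors' tools: a small encoder/decoder for IGMPv1 and v2 messages with the RFC 1071 checksum, plus the rewrite of a sniffed v2 report into a v1 report that the storm attack on a later slide starts with. Type codes and field meanings follow RFC 1112 and RFC 2236; the group 224.10.10.10 is the one from the deck's tcpdump output. Nothing is sent on the wire.

```python
"""Build and decode IGMPv1/v2 messages with a verified RFC 1071 checksum."""
import struct
from ipaddress import IPv4Address

# Type byte values.  0x11 doubles as the v1 query (version 1, type 1) and the
# v2 query; 0x12 is the v1 report (version 1, type 2), 0x16 the v2 report and
# 0x17 the v2 Leave Group message.
TYPE_QUERY = 0x11
TYPE_V1_REPORT = 0x12
TYPE_V2_REPORT = 0x16
TYPE_V2_LEAVE = 0x17
TYPE_NAMES = {TYPE_QUERY: "query", TYPE_V1_REPORT: "v1 report",
              TYPE_V2_REPORT: "v2 report", TYPE_V2_LEAVE: "v2 leave"}


def igmp_checksum(data: bytes) -> int:
    """One's-complement sum of the 16-bit words of data, complemented (RFC 1071).
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(data: bytes) -> bool:
    """True if data holds an 8-byte IGMP message whose checksum verifies."""
    return len(data) >= 8 and igmp_checksum(data[:8]) == 0


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Return the 8-byte message.  The second byte is "Unused" (must be 0) in
    v1 and the Max Response Time in tenths of a second in a v2 query."""
    head = struct.pack("!BBH4s", msg_type, max_resp, 0, IPv4Address(group).packed)
    return head[:2] + struct.pack("!H", igmp_checksum(head)) + head[4:]


def parse_igmp(data: bytes) -> dict:
    """Decode a message, rejecting a bad checksum and classifying the version
    the way an RFC 2236 router does: 0x11 with a zero second byte is a v1 query."""
    if not checksum_ok(data):
        raise ValueError("short message or bad IGMP checksum")
    msg_type, second, _csum, group = struct.unpack("!BBH4s", data[:8])
    if msg_type not in TYPE_NAMES:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    if msg_type == TYPE_QUERY:
        version = 1 if second == 0 else 2
    elif msg_type == TYPE_V1_REPORT:
        version = 1
    else:
        version = 2
    return {"type": TYPE_NAMES[msg_type], "version": version,
            "group": str(IPv4Address(group)), "max_resp_tenths": second}


def as_v1_report(sniffed: bytes) -> bytes:
    """The storm attack's first step: re-emit a sniffed report for the same
    group as a v1 report, so the router starts treating the group as having a
    v1 member and stops honouring Leave messages for it."""
    msg = parse_igmp(sniffed)
    if msg["type"] not in ("v1 report", "v2 report"):
        raise ValueError("not a membership report")
    return build_igmp(TYPE_V1_REPORT, msg["group"])


if __name__ == "__main__":
    rep = build_igmp(TYPE_V2_REPORT, "224.10.10.10")
    print(rep.hex(), parse_igmp(rep))
    print(as_v1_report(rep).hex(), parse_igmp(as_v1_report(rep)))
    print(build_igmp(TYPE_QUERY, "0.0.0.0", max_resp=100).hex(), "general query, 10 s")
```

The ambiguity the decoder has to resolve (a 0x11 byte is a query in both versions, told apart only by the second byte) is the same backward-compatibility hook the next slides exploit: a router cannot tell a real v1 host from anyone who sends a 0x12 report.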
5
Overview: IGMP
  • the router queries periodically (every 60 s)
  • the query is multicast to the all-hosts group, 224.0.0.1
  • the router maintains a list of active groups
  • entries time out if no host responds
  • hosts send membership reports
      • with response suppression: a host delays its report by a random time and stays silent if it sees another host report the same group first
  • v2 improvements
      • explicit Leave message reduces leave latency
      • group-specific query reduces bandwidth

6
Overview: IGMP weaknesses
  • backward compatibility
      • v1 hosts can still report to a v2 router
      • while a v1 host is present, the v2 router cannot use the optimized leave processing
      • an exploit can impersonate a v1 host
  • no message authentication
      • exposed to DoS attacks
      • hijacking impossible (IGMP only controls membership, not the traffic itself)

7
DoS: IGMP blasting
  • attack against the router
  • send many IGMP reports (one per group, with a spoofed source) to the router
  • forces the router to keep state for each reported group
  • effects
      • memory overflow
      • CPU overload, dropped packets
      • valid group entries are replaced
  • tool
      ./blaster -t target -s source -r -f ipfile -l

8
DoS: IGMP flooding
  • attack against the network
  • join high-bandwidth groups
  • floods the local network and the upstream links with the groups' traffic
  • tool: flooder
      • listens to session announcements (SAP/SDP)
      • parses the session descriptions
      • builds a list of active groups
      • uses blaster to send IGMP reports for them

9
DoS: IGMP storm
  • attacker sniffs IGMP reports
  • duplicates the message as a v1 report (the router now treats the group as having a v1 member)
  • then issues a v2 Leave
  • router must issue a general query
  • every host responds with a report for each of its groups
  • pattern repeats - storm away
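How the three attacks above look from the router's side, as an added model that is neither the authors' tools nor any router's firmware: a simplified RFC 2236 group table for one interface, using the query interval, max response time and last-member interval printed by the test-bed router later in the deck. The `limit` cap is an assumption standing in for a per-interface IGMP state limit (the test-bed router had none), the host address 130.206.42.57 is constructed, and no host answers queries in this model, so it shows what the router's state does, not the report burst the storm produces.

```python
"""Model of the per-interface group table of an IGMPv2 router (RFC 2236
behaviour, simplified), driven by the same message types the attacks use."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

TYPE_V1_REPORT, TYPE_V2_REPORT, TYPE_V2_LEAVE = 0x12, 0x16, 0x17

# Timer values taken from the test-bed router's "show ip igmp interface".
QUERY_INTERVAL = 60.0          # seconds
MAX_RESP = 10.0                # seconds
ROBUSTNESS = 2
GROUP_MEMBERSHIP_INTERVAL = ROBUSTNESS * QUERY_INTERVAL + MAX_RESP   # 130 s
V1_HOST_PRESENT = GROUP_MEMBERSHIP_INTERVAL
LAST_MEMBER_QUERY_INTERVAL = 1.0   # "Last member query response interval is 1000 ms"
LAST_MEMBER_QUERY_COUNT = 2


@dataclass
class GroupEntry:
    expires: float
    last_reporter: str
    v1_host_until: float = 0.0     # while > now, Leave messages are ignored


@dataclass
class RouterInterface:
    # Optional cap on the number of group entries: an assumption standing in
    # for a per-interface IGMP state limit, which the test-bed router did not use.
    limit: Optional[int] = None
    now: float = 0.0
    groups: Dict[str, GroupEntry] = field(default_factory=dict)
    group_specific_queries: List[Tuple[float, str]] = field(default_factory=list)
    rejected_reports: int = 0

    def _expire(self) -> None:
        for g in [g for g, e in self.groups.items() if e.expires <= self.now]:
            del self.groups[g]

    def tick(self, seconds: float) -> None:
        self.now += seconds
        self._expire()

    def receive(self, msg_type: int, group: str, src: str) -> None:
        """Process one IGMP message arriving on this interface from src."""
        self._expire()
        if msg_type in (TYPE_V1_REPORT, TYPE_V2_REPORT):
            entry = self.groups.get(group)
            if entry is None:
                if self.limit is not None and len(self.groups) >= self.limit:
                    self.rejected_reports += 1      # table full: ignore the new join
                    return
                entry = self.groups[group] = GroupEntry(0.0, src)
            # Any report refreshes the entry; the router never checks who sent it.
            entry.expires = self.now + GROUP_MEMBERSHIP_INTERVAL
            entry.last_reporter = src
            if msg_type == TYPE_V1_REPORT:
                entry.v1_host_until = self.now + V1_HOST_PRESENT
        elif msg_type == TYPE_V2_LEAVE:
            entry = self.groups.get(group)
            if entry is None or entry.v1_host_until > self.now:
                return      # RFC 2236: Leave is ignored while a v1 host is present
            # Optimised leave: group-specific query, then the entry dies quickly
            # unless some member answers (no host answers in this model).
            self.group_specific_queries.append((self.now, group))
            entry.expires = self.now + LAST_MEMBER_QUERY_INTERVAL * LAST_MEMBER_QUERY_COUNT


def forged_groups(n: int, start: str = "224.0.7.0") -> List[str]:
    """n consecutive group addresses, like the 224.0.7.x entries on the case-study slide."""
    base = int(IPv4Address(start))
    return [str(IPv4Address(base + i)) for i in range(n)]


def run_blast(n_groups: int, limit: Optional[int] = None) -> Tuple[int, int, bool]:
    """Blaster scenario: one legitimate member, then n forged reports from the
    spoofed source 127.0.0.1.  Returns (table size, rejected reports,
    legitimate entry still present)."""
    iface = RouterInterface(limit=limit)
    iface.receive(TYPE_V2_REPORT, "224.10.10.10", "130.206.42.57")   # constructed host
    for g in forged_groups(n_groups):
        iface.receive(TYPE_V2_REPORT, g, "127.0.0.1")
    return len(iface.groups), iface.rejected_reports, "224.10.10.10" in iface.groups


def run_leave(impersonate_v1: bool) -> Tuple[int, bool]:
    """Storm set-up: a member joins, the attacker optionally replays the
    report as v1, then forges a Leave.  Returns (group-specific queries sent,
    entry still present 3 s later)."""
    iface = RouterInterface()
    iface.receive(TYPE_V2_REPORT, "224.10.10.10", "130.206.42.57")
    if impersonate_v1:
        iface.receive(TYPE_V1_REPORT, "224.10.10.10", "127.0.0.1")
    iface.receive(TYPE_V2_LEAVE, "224.10.10.10", "127.0.0.1")
    iface.tick(3.0)
    return len(iface.group_specific_queries), "224.10.10.10" in iface.groups


if __name__ == "__main__":
    print("blast, no limit:", run_blast(2000))
    print("blast, limit 100:", run_blast(2000, limit=100))
    print("forged leave, v2 only:", run_leave(False))
    print("forged leave after v1 report:", run_leave(True))
```

With no cap, 2000 forged reports become 2000 entries that live for a full membership interval; with a cap of 100 the attacker is refused once the table is full and the legitimate entry survives only because it was there first. The second scenario shows why the v1 impersonation matters: after a v1 report the router ignores the Leave and sends no group-specific query, so the group stays bound to the interface until the general queries time it out.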

10
DoS: local vs. remote attacks
tcpdumps of our IGMP packets (source address set to 127.0.0.1)
  • multicast IGMP report (local attack: sent to the group address with TTL 1)
      14:25:15.208912 127.0.0.1 > 224.10.10.10: igmp v2 report 224.10.10.10 [ttl 1]
  • unicast IGMP report (remote attack: sent to the router's own address with TTL 255, so it can cross routers)
      14:22:35.900450 127.0.0.1 > 130.206.42.1: igmp v2 report 224.10.10.10 [ttl 255]
  • the Cisco 2500 dropped the multicast IGMP reports
  • the DVMRP router accepted them
  • other encapsulation techniques (GRE) may also work for remote attacks
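Detection logic for captures like the two above, as an added example that is not from the presentation: it parses tcpdump IGMP lines, flags reports from off-subnet sources, reports with a TTL other than 1, and reports unicast to a router address (the remote-attack pattern), and counts the distinct groups each source reports in a time bucket to catch a blast. The subnet 130.206.42.0/24 is the router interface's from the case study; the sample capture is constructed in the slide's tcpdump format, and the host address 130.206.42.57 is invented.

```python
"""Flag IGMP report anomalies in tcpdump output: off-subnet/spoofed sources,
TTL != 1, unicast (remote) reports, and one source reporting many groups."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Line shape used on the slide: "HH:MM:SS.usec src > dst: igmp v2 report group [ttl N]"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"igmp (?P<kind>v1 report|v2 report|leave) (?P<group>[\d.]+)"
    r"(?: \[ttl (?P<ttl>\d+)\])?$")

ALL_ROUTERS = ip_address("224.0.0.2")


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(log: str, local_net: str = "130.206.42.0/24",
            window: float = 10.0, max_groups: int = 50
            ) -> Tuple[List[Tuple[int, str, str]], Dict[str, int]]:
    """Return (alerts, blasters).  alerts are (line number, source, reason);
    blasters maps a source to the most distinct groups it reported inside one
    window-second bucket, for sources where that exceeds max_groups."""
    net = ip_network(local_net)
    alerts = []
    seen = defaultdict(lambda: defaultdict(set))   # src -> bucket -> groups
    for n, line in enumerate(log.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        src, dst, group = (ip_address(m[k]) for k in ("src", "dst", "group"))
        ttl = int(m["ttl"]) if m["ttl"] else 1
        if src not in net:
            alerts.append((n, str(src), "source %s is not on %s (spoofed)" % (src, net)))
        if ttl != 1:
            alerts.append((n, str(src), "TTL %d; IGMP is link-local and must use TTL 1" % ttl))
        if m["kind"] == "leave":
            if dst != ALL_ROUTERS:
                alerts.append((n, str(src), "leave not addressed to all-routers 224.0.0.2"))
        elif dst != group:
            alerts.append((n, str(src), "report for %s addressed to %s: unicast/remote report" % (group, dst)))
        seen[str(src)][int(_seconds(m["ts"]) // window)].add(str(group))
    blasters = {}
    for src, buckets in seen.items():
        peak = max(len(g) for g in buckets.values())
        if peak > max_groups:
            blasters[src] = peak
    return alerts, blasters


# Constructed sample capture in the slide's tcpdump format: the two packets
# shown on the slide, one legitimate host, then a burst from the blaster.
SAMPLE_LOG = "\n".join(
    ["14:22:35.900450 127.0.0.1 > 130.206.42.1: igmp v2 report 224.10.10.10 [ttl 255]",
     "14:25:15.208912 127.0.0.1 > 224.10.10.10: igmp v2 report 224.10.10.10 [ttl 1]",
     "14:25:15.210000 130.206.42.57 > 224.0.1.40: igmp v2 report 224.0.1.40 [ttl 1]"]
    + ["14:25:15.%06d 127.0.0.1 > 224.0.7.%d: igmp v2 report 224.0.7.%d [ttl 1]"
       % (211000 + i * 1000, i, i) for i in range(60)])

if __name__ == "__main__":
    alerts, blasters = analyze(SAMPLE_LOG)
    for n, src, reason in alerts[:6]:
        print("line %d %s: %s" % (n, src, reason))
    print("blasters:", blasters)
```

The unicast report trips three checks at once (off-subnet source, TTL 255, destination that is not the group), while the multicast one only fails the source check, which is exactly why the slide calls it the local variant: on the wire it is indistinguishable from a legitimate host's report apart from the address it claims.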

11
Case studies
[Figure: network test-bed architecture]
12
Case study: the blaster attack
Blasting the router with IGMP reports

porthos# show ip igmp groups
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires   Last Reporter
224.0.7.231      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.230      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.229      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.228      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.227      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.226      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.225      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.224      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.239      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.238      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.237      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.236      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.235      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.234      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.233      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.232      Ethernet1    00:00:06  00:02:53  127.0.0.1
224.0.7.247      Ethernet1    00:00:06  00:02:53  127.0.0.1
...

Every entry's Last Reporter is 127.0.0.1, the spoofed source of the blaster packets: the router installed state for each group without any check on who reported it.
13
Case study: the blaster attack

porthos# show ip igmp interface
Ethernet1 is up, line protocol is up
  Internet address is 130.206.42.1/24
  IGMP is enabled on interface
  Current IGMP version is 2
  CGMP is disabled on interface
  IGMP query interval is 60 seconds
  IGMP querier timeout is 120 seconds
  IGMP max query response time is 10 seconds
  Last member query response interval is 1000 ms
  Inbound IGMP access group is not set
  IGMP activity: 45014 joins, 44846 leaves
  Multicast routing is enabled on interface
  Multicast TTL threshold is 0
  Multicast designated router (DR) is 130.206.42.1 (this system)
  IGMP querying router is 130.206.42.1 (this system)
  DVMRP/mrouted neighbors present for 00:01:40, version 0.0, flags: 4
  DVMRP neighbor up transitions since system restart: 0
  DVMRP routes: 0 poison-reverse routes received in last 00:00:34, 1/0 Unicast/DVMRP routes last advertised by DVMRP
  DVMRP output report delay is 100 ms, with burst size of 2
  Multicast groups joined (number of users):
      224.0.1.40(1)

porthos# show ip igmp interface
Ethernet1 is up, line protocol is up
  Internet address is 130.206.42.1/24
  IGMP is enabled on interface
  Current IGMP version is 2
  CGMP is disabled on interface
  IGMP query interval is 60 seconds
  IGMP querier timeout is 120 seconds
  IGMP max query response time is 10 seconds
  Last member query response interval is 1000 ms
  Inbound IGMP access group is not set
  IGMP activity: 53697 joins, 49671 leaves
  Multicast routing is enabled on interface
  Multicast TTL threshold is 0
  Multicast designated router (DR) is 130.206.42.1 (this system)
  IGMP querying router is 130.206.42.1 (this system)
  Multicast groups joined (number of users):
      224.0.1.40(1)

Between the two snapshots the join counter rose by 8683 and the leave counter by 4825. "Inbound IGMP access group is not set" means the interface accepted reports for any group; an inbound IGMP access list (ip igmp access-group) would at least restrict which groups can be joined there.
14
Case study: the blaster attack
Router responsiveness during the attack

bash-2.03$ ping 130.206.42.1
PING 130.206.42.1 (130.206.42.1): 56 data bytes
64 bytes from 130.206.42.1: icmp_seq=0 ttl=255 time=4.821 ms
64 bytes from 130.206.42.1: icmp_seq=1 ttl=255 time=2.112 ms
ATTACK STARTED
64 bytes from 130.206.42.1: icmp_seq=5 ttl=255 time=495.271 ms
64 bytes from 130.206.42.1: icmp_seq=14 ttl=255 time=811.379 ms
64 bytes from 130.206.42.1: icmp_seq=31 ttl=255 time=70.116 ms
ATTACK FINISHED (approx. 1 min after)
64 bytes from 130.206.42.1: icmp_seq=71 ttl=255 time=357.833 ms
64 bytes from 130.206.42.1: icmp_seq=72 ttl=255 time=879.432 ms
64 bytes from 130.206.42.1: icmp_seq=73 ttl=255 time=373.992 ms
64 bytes from 130.206.42.1: icmp_seq=74 ttl=255 time=875.194 ms
64 bytes from 130.206.42.1: icmp_seq=75 ttl=255 time=278.895 ms
64 bytes from 130.206.42.1: icmp_seq=76 ttl=255 time=886.221 ms
64 bytes from 130.206.42.1: icmp_seq=77 ttl=255 time=291.104 ms
64 bytes from 130.206.42.1: icmp_seq=78 ttl=255 time=789.140 ms
64 bytes from 130.206.42.1: icmp_seq=79 ttl=255 time=192.995 ms
64 bytes from 130.206.42.1: icmp_seq=80 ttl=255 time=690.611 ms
64 bytes from 130.206.42.1: icmp_seq=81 ttl=255 time=94.292 ms
64 bytes from 130.206.42.1: icmp_seq=82 ttl=255 time=684.014 ms
64 bytes from 130.206.42.1: icmp_seq=83 ttl=255 time=90.948 ms
64 bytes from 130.206.42.1: icmp_seq=84 ttl=255 time=589.512 ms
64 bytes from 130.206.42.1: icmp_seq=85 ttl=255 time=1499.685 ms
64 bytes from 130.206.42.1: icmp_seq=86 ttl=255 time=493.886 ms
64 bytes from 130.206.42.1: icmp_seq=87 ttl=255 time=1515.392 ms
64 bytes from 130.206.42.1: icmp_seq=88 ttl=255 time=509.306 ms
64 bytes from 130.206.42.1: icmp_seq=89 ttl=255 time=1419.531 ms
64 bytes from 130.206.42.1: icmp_seq=90 ttl=255 time=413.608 ms
64 bytes from 130.206.42.1: icmp_seq=91 ttl=255 time=1318.687 ms
64 bytes from 130.206.42.1: icmp_seq=92 ttl=255 time=313.913 ms
64 bytes from 130.206.42.1: icmp_seq=93 ttl=255 time=1310.569 ms
64 bytes from 130.206.42.1: icmp_seq=94 ttl=255 time=305.781 ms
64 bytes from 130.206.42.1: icmp_seq=95 ttl=255 time=1212.492 ms
64 bytes from 130.206.42.1: icmp_seq=96 ttl=255 time=207.298 ms
64 bytes from 130.206.42.1: icmp_seq=97 ttl=255 time=1112.291 ms
64 bytes from 130.206.42.1: icmp_seq=98 ttl=255 time=107.071 ms
64 bytes from 130.206.42.1: icmp_seq=99 ttl=255 time=1100.854 ms
64 bytes from 130.206.42.1: icmp_seq=100 ttl=255 time=95.638 ms
...
--- 130.206.42.1 ping statistics ---
132 packets transmitted, 66 packets received, 50% packet loss
round-trip min/avg/max/stddev = 2.112/656.829/1636.573/475.768 ms

Half of the probes were lost, and the round-trip time was still in the hundreds of milliseconds more than a minute after the blast stopped, while the router worked through the state it had been handed.
15
Case study: the flooding attack
  • the flooder couldn't be fully exercised
  • 150 groups gathered from the session announcements in a couple of minutes
  • not all of the announced groups are active
  • total expected bandwidth
      • audio channels (10-40 Kbps each)
      • audio/video channels (approx. 150 Kbps each)
      • other types, e.g. MPEG (1-2 Mbps each)

16
Case study: the switch incident
[Figure: the switch incident; labels on the slide: "Mcast MAC" (repeated on each port), "IGMP reports", "IGMP leak"]
17
Conclusions
  • multicast protocols are open by design
  • IGMP allows any host to join any group at any
    time
  • poses security risks for mcast networks
  • DoS attacks are effective and difficult to
    protect against