Date: Fri, 8 Jan 1999 12:24:34 -0500 From: Donald McLachlan <don@MARS.DGRC.CRC.CA> Subject: Summary: security and multicast To: BUGTRAQ@NETSPACE.ORG First of all thanks for all the replies. In case people would rather not have their email addresses published I will not list them here. The purpose of the question (echoed by some responders) is the lack of documented multicast probes/attacks/vulnerabilties. Seeing as the underpinnings are udp datagrams it was assumed most udp attacks were possible. [ I've not had a chance to verify any of the following claims so don't take them as gospel ... ] The assumed udp vulnerabilites were supported by responders who claimed multicast is susceptible to the usual ICMP/UDP/IP attacks (e.g. smurf, pepsi, and teardrop) and the associated D.O.S. due to overloaded hosts/links. One report said NIS and YP would happily send requests to multicast addresses, but has not seen these sorts of probes. One reported mrouted tunnels as convenient holes in firewalls. I've been pointed to an IEEE Security & Privacy 97 paper (by TIS?) about multicast proxy security issues. I've not had time to search for it yet. There were 2 reports of multicast ports on routers being attacked. In the first instance no details were given, but as they don't use multicast they simply turned them off. In the second case a router was being flooded with PIM join/prunes for every group. Their solution was to shut down the mbgp peering. I was given a copy of a paper which was aimed at providing secure communications over multicast through authentication, key management and encryption. Interesting, but no attacks/probes/workarounds were listed. One individual reported the following ideas on possible exploits ... I would have checked if the poster would rather not have had the following posted but couldn't check as the message was sent to me via an anonymous remailer. so ... > One idea we've come up with, though it's theoretical only (so > far): > > 1) Build buffer overflow exploit for a popular multicast client > for Windows (perhaps CU-SeeMe) that can be triggered by values > in the multicast data or control stream. > > 2) In order to get the attention of clients, announce a free > "live sex" video feed best viewed by the client for which you > have the exploit. > > 3) Feed the exploit to each client that connects, and have your > way with their machine. > > > I've looked at other possible mechanisms involving running a > bogus mrouted or other IGMP peer to take over delivery of > existing streams, in order to inject exploit bits or provide > disinformation. However, I haven't considered the details of > splicing into the IGMP fabric without the help of peers > elsewhere -- that appears to be the most interesting part of the > problem at first blush. > > > I'm looking forward to your summary. If others are thinking > along similar lines, or are further along elsewhere, I may well > need to get my organization's security policy adjusted to > restrict multicast sooner rather than later. A collegue offered to dig up a paper. If it is relevent and not proprietary I'll post it as a follow up. Once again, thanks for the input, Don