Bugtraq mailing list archives
Re: IGMP denial of service vulnerability
From: "Arun D. Qamra" <arun () cs ucsb edu>
Date: Fri, 14 Jun 2002 15:20:49 -0700 (PDT)
That's an interesting scenario. We did test the same, and DOS doesn't take place, at least in our test setup. In our setup, the router (a Cisco 2514 running IOS ver 12.0 in our case) does process such a report in the scenario you suggested. However, we agree that the code should be tightened, in all systems.

On 14 Jun 2002, Marty Schoch wrote:

> > Solution
> > ---------
> > All IGMP packets that are not multicast ethernet addresses should be dropped.
>
> Depending on the implementation of router R in the linked document, couldn't there still be a problem in the following scenario?
>
> Host H1 is a member of two groups, 230.0.0.1 and 230.0.0.2. Host H2 sends a membership report for group 230.0.0.1 to group 230.0.0.2. Host H1 will obviously see this report as well. Looking briefly at the code, it appears host H1 may still consider this an acceptable report from another host. If, and I haven't tested any router configurations, router R does not consider this a valid report for the group 230.0.0.1, then the same DOS effect may occur.
>
> The RFC says that membership reports should be sent to the group for which the report applies. Why not tighten the code down all the way, to check not just that the report is multicast, but that all the addresses match?
>
> Marty Schoch <mschoch () multicasttech com>
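The stricter check proposed in the quoted message, written out as an added example (this is not code from the thread, from the kernel or from any vendor): a receive-side validator for IGMPv2 membership reports that requires a multicast Ethernet destination (the advisory's fix), a multicast IP destination, a valid checksum, and a group field equal to the IP destination. The `igmp_frame` struct, `make_report` and the sample addresses are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IGMP_V1_REPORT 0x12
#define IGMP_V2_REPORT 0x16
#define IS_MCAST(ip) (((ip) & 0xf0000000u) == 0xe0000000u)   /* 224.0.0.0/4 */

struct igmp_frame {                /* constructed view: only what the validator needs */
    uint8_t  eth_dst[6];           /* Ethernet destination MAC */
    uint32_t ip_dst;               /* IPv4 destination, host byte order */
    uint8_t  igmp[8];              /* type, max resp time, checksum(2), group address(4) */
};

/* RFC 1071 one's-complement sum over the IGMP message; returns 0 when the checksum verifies. */
static uint16_t igmp_checksum(const uint8_t *m, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(m[i] << 8 | m[i + 1]);
    if (len & 1) sum += (uint32_t)m[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 = accept the membership report, 0 = drop it. Queries and leaves are not handled here. */
int igmp_report_acceptable(const struct igmp_frame *f) {
    uint8_t type = f->igmp[0];
    uint32_t group = (uint32_t)f->igmp[4] << 24 | (uint32_t)f->igmp[5] << 16 |
                     (uint32_t)f->igmp[6] << 8  | (uint32_t)f->igmp[7];
    if (!(f->eth_dst[0] & 0x01)) return 0;                   /* advisory's fix: multicast MAC only */
    if (!IS_MCAST(f->ip_dst)) return 0;                      /* IP destination must be multicast */
    if (igmp_checksum(f->igmp, sizeof f->igmp) != 0) return 0;
    if (type != IGMP_V1_REPORT && type != IGMP_V2_REPORT) return 0;
    /* RFC 2236 section 3: a report is addressed to the group it reports. Requiring the two
       to match rejects H2's report for 230.0.0.1 delivered to 230.0.0.2, so it can no
       longer suppress the report a real member of 230.0.0.1 would otherwise send. */
    return group == f->ip_dst;
}

/* Build a correctly checksummed IGMPv2 report for `group` addressed to `ip_dst` (test input). */
void make_report(struct igmp_frame *f, uint32_t ip_dst, uint32_t group) {
    memset(f, 0, sizeof *f);
    f->eth_dst[0] = 0x01; f->eth_dst[1] = 0x00; f->eth_dst[2] = 0x5e;   /* 01:00:5e + low 23 bits */
    f->eth_dst[3] = (ip_dst >> 16) & 0x7f; f->eth_dst[4] = (ip_dst >> 8) & 0xff; f->eth_dst[5] = ip_dst & 0xff;
    f->ip_dst = ip_dst;
    f->igmp[0] = IGMP_V2_REPORT;
    for (int i = 0; i < 4; i++) f->igmp[4 + i] = (group >> (24 - 8 * i)) & 0xff;
    uint16_t c = igmp_checksum(f->igmp, sizeof f->igmp);        /* computed with checksum field zero */
    f->igmp[2] = c >> 8; f->igmp[3] = c & 0xff;
}
```

With the stricter rule a report for 230.0.0.1 sent to 230.0.0.2 is dropped before it reaches report-suppression logic, while a report sent to its own group still passes every check.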