Matthew Sargent
Vern Paxson
Abstract
In this paper we investigate the vulnerability of the Internet Group Management Protocol (IGMP) to be leveraged for denial-of-service (DoS) attacks. IGMP is a connectionless protocol and therefore susceptible to attackers spoofing a third-party victim's source address in an effort to coax responders to send their replies to the victim. We find 305K IGMP responders that will indeed answer queries from arbitrary Internet hosts. Further, the responses are often larger than the requests, hence amplifying the attacker's own expenditure of bandwidth. We conclude that attackers can coordinate IGMP responders to mount sizeable DoS attacks.
- Cisco IOS Software Product Lifecycle Dates & Milestones. http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-mainline/prod\_bulletin0900aecd801eda8a.html.Google Scholar
- DVMRP Can Be Used to Trigger an Amplification Attack Against a Third Party. https://kb.juniper.net/InfoCenter/index?page=content&id=KB29553.Google Scholar
- Open Resolver Project. http://openresolverproject.org/.Google Scholar
- A. Aina, J. Akkerhuis, K. Claffy, S. Crocker, D. Karrenberg, J. Ihrn, R. Joffe, M. Kosters, A. Mankin, R. Mohan, et al. SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks, 2006.Google Scholar
- B. Cain, S. Deering, I. Kouvelas, B. Fenner, and A. Thyagarajan. Internet Group Management Protocol, Version 3, Oct. 2002. RFC 3376. Google ScholarDigital Library
- S. Deering. Host Extensions for IP Multicasting, Aug. 1989. RFC 1112. Google ScholarDigital Library
- Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security, pages 605-620. Citeseer, 2013. Google ScholarDigital Library
- W. Fenner. Internet Group Management Protocol, Version 2, Nov. 1997. RFC 2236. Google ScholarDigital Library
- G. Huston. The 32-bit AS Number Report, Apr. 2016. http://www.potaroo.net/tools/asn32/.Google Scholar
- V. Jacobson, C. Leres, and S. McCanne. The tcpdump Manual Page. Lawrence Berkeley Laboratory, 1989.Google Scholar
- J. Kristoff. DVMRP Ask Neighbors2: an IGMP-based DDoS/Leak Threat, Oct. 2014. https://www.cymru.com/jtk/talks/nanog62-an2.pdf.Google Scholar
- A. Kuzmanovic and E. Knightly. Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). In ACM SIGCOMM, Aug. 2003. Google ScholarDigital Library
- P. Mérindol, B. Donnet, J.-J. Pansiot, M. Luckie, and Y. Hyun. MERLIN: MEasure the Router Level of the INternet. In Next Generation Internet (NGI), 2011 7th EURO-NGI Conference on, pages 1-8. IEEE, 2011.Google ScholarCross Ref
- P. Mérindol, V. Van den Schrieck, B. Donnet, O. Bonaventure, and J.-J. Pansiot. Quantifying ASes Multiconnectivity Using Multicast Information. In ACM SIGCOMM Internet Measurement Conference, 2009. Google ScholarDigital Library
- T. Pusateri. Distance Vector Multicast Routing Protocol, Oct. 2003. Internet-Draft draft-ietf-idmr-dvmrp-v3-11.txt (work in progress).Google Scholar
- R. Rasti, M. Murthy, N. Weaver, and V. Paxson. Temporal lensing and its application in pulsing denial-of-service attacks. In IEEE Symposium on Security and Privacy, 2015. Google ScholarDigital Library
- C. Rossow. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In Symposium on Network and Distributed System Security (NDSS), 2014.Google Scholar
- P. Schmehl. The Microsoft UPnP (Universal Plug and Play) Vulnerability. http://bandwidthco.com/sf_whitepapers/windows/The\%20Microsoft\%20UPnP\%20(Universal\%20Plug\%20and\%20Play)\%20Vulnerability.pdf, 2002.Google Scholar
- K. Schomp, T. Callahan, M. Rabinovich, and M. Allman. On Measuring the Client-Side DNS Infrastructure. In ACM Internet Measurement Conference, Oct. 2013. Google ScholarDigital Library
- SpamHaus. The Policy Block List. https://www.spamhaus.org/pbl/.Google Scholar
- C. Systems. Cisco Event Response: Network Time Protocol Amplification Distributed Denial of Service Attacks. http://www.cisco.com/web/about/security/intelligence/ERP-NTP-DDoS.html, Feb. 2014.Google Scholar
- P. Technologies. An Analysis of DrDos SNMP/NTP/CHARGEN Reflection Attacks: Part II of the DrDos White Paper Series. http://www.prolexic.com/kcresources/white-paper/white-paper-snmp-ntp-chargen-reflection-attacks-drdos/An_Analysis_of_DrDoS_SNMP-NTP-CHARGEN_Reflection_Attacks_White_Paper_A4_042913.pdf, 2013.Google Scholar
- D. Waitzman, C. Partridge, and S. Deering. Distance Vector Multicast Routing Protocol, Nov. 1988. RFC 1075. Google ScholarDigital Library
- Zmap. https://zmap.io/.Google Scholar
Index Terms
- On the Potential Abuse of IGMP
Recommendations
Denial-of-service attacks and countermeasures on BitTorrent
BitTorrent has been widely used for the efficient distribution of files, such as digital content and media files, to very large numbers of users. However, previous work has exposed vulnerabilities in the protocol and demonstrated that they can be ...
Multicast receiver access control by IGMP-AC
IP multicast is best-known for its bandwidth conservation and lower resource utilization. The present service model of multicast makes it difficult to restrict access to authorized End Users (EUs) or paying customers. Without an effective receiver ...
Catabolism attack and Anabolism defense
Security is a major challenge in Opportunistic Networks (OppNets) because of its characteristics, such as open medium, dynamic topology, no centralized management and absent clear lines of defense. A packet dropping attack is one of the major security ...
Comments