IGMP denial of service vulnerability

Topic : IGMP denial of service vulnerability
Date : June 14, 2002
Credit : {krishna, arun, mohit}@cs.ucsb.edu
Site : http://www.cs.ucsb.edu/~krishna/igmp_dos/

Description

The IGMP report suppression mechanism can be exploited for launching
an insider denial of service attack against a host connected to a
Multicast group.

Instead of sending a IGMP membership report to the Multicast group
ethernet address as is the norm, an attacker sends the report addressed to
the victim's ethernet address. The victim host on seeing the IGMP report
suppresses its own IGMP report as per the IGMP standard. The querier
router then never gets an IGMP report effectively cutting off traffic
from that group.

Systems Affected

Tested to be vulnerable on Microsoft Windows XP, Microsoft Windows 98,
Linux 2.4.18. We believe that all other versions of these operating
systems are also vulnerable.
IGMP version 2 was used for testing the vulnerability.
Implementations of all IGMP versions are believed to be vulnerable as IGMP
report suppression is used in all versions of the IGMP protocol.

Solution

All IGMP packets that are not multicast ethernet addresses should be
dropped.

Fix for Linux 2.4.18 is available at
http://www.cs.ucsb.edu/~krishna/igmp_dos/

-Krishna