Bugtraq mailing list archives

IGMP denial of service vulnerability


From: "Krishna N. Ramachandran" <krishna () cs ucsb edu>
Date: Fri, 14 Jun 2002 03:45:22 -0700 (PDT)



Topic : IGMP denial of service vulnerability
Date : June 14, 2002
Credit : {krishna, arun, mohit}@cs.ucsb.edu
Site : http://www.cs.ucsb.edu/~krishna/igmp_dos/

************************************************************************

Description
------------

The IGMP report suppression mechanism can be exploited to launch
an insider denial of service attack against a host connected to a
multicast group.

Instead of sending an IGMP membership report to the multicast group's
Ethernet address, as is the norm, an attacker sends the report addressed to
the victim's Ethernet address. The victim host, on seeing the IGMP report,
suppresses its own IGMP report as per the IGMP standard. The querier
router then never gets an IGMP report, effectively cutting off traffic
from that group.

Systems Affected
-----------------

Tested to be vulnerable on Microsoft Windows XP, Microsoft Windows 98,
and Linux 2.4.18. We believe that all other versions of these operating
systems are also vulnerable.
IGMP version 2 was used for testing the vulnerability.
Implementations of all IGMP versions are believed to be vulnerable, as IGMP
report suppression is used in all versions of the IGMP protocol.

Solution
---------
All IGMP packets that are not addressed to a multicast Ethernet address
should be dropped.

Fix for Linux 2.4.18 is available at 
http://www.cs.ucsb.edu/~krishna/igmp_dos/

************************************************************************

-Krishna
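
The check described under "Solution", as an added example that is not part of the original post and is not the authors' Linux 2.4.18 fix: a receive-side filter that flags IGMP-over-IPv4 frames whose Ethernet destination is not a group address. The function names, the untagged Ethernet II assumption, and the sample frame (addresses and MACs) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HDR_LEN   14
#define ETHERTYPE_IP  0x0800
#define IP_PROTO_IGMP 2

/* Returns 1 when an untagged Ethernet II frame carries IGMP over IPv4 but
 * its destination MAC is not a group address, 0 otherwise. */
int igmp_frame_should_drop(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN + 20)              /* Ethernet + minimal IPv4 header */
        return 0;
    if (((f[12] << 8) | f[13]) != ETHERTYPE_IP)
        return 0;
    const uint8_t *ip = f + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4 || ip[9] != IP_PROTO_IGMP)
        return 0;
    return (f[0] & 0x01) == 0;               /* low bit of first octet = I/G bit */
}

/* Constructed sample: IGMPv2 membership report for group 239.1.2.3,
 * written behind the caller-supplied destination MAC. Returns frame length. */
size_t sample_report(uint8_t *f, const uint8_t dst_mac[6])
{
    static const uint8_t rest[] = {
        0x02,0x00,0x00,0x00,0x00,0x02,            /* source MAC (constructed) */
        0x08,0x00,                                /* EtherType: IPv4 */
        0x45,0xc0,0x00,0x1c,0x00,0x00,0x00,0x00,  /* ver/IHL, TOS, len 28, id, frag */
        0x01,0x02,0x00,0x00,                      /* TTL 1, proto 2, checksum unset */
        192,0,2,10, 239,1,2,3,                    /* source IP, destination IP */
        0x16,0x00,0x00,0x00, 239,1,2,3            /* IGMPv2 report, cksum unset, group */
    };
    memcpy(f, dst_mac, 6);
    memcpy(f + 6, rest, sizeof rest);
    return 6 + sizeof rest;
}

int main(void)
{
    const uint8_t group_mac[6] = {0x01,0x00,0x5e,0x01,0x02,0x03}; /* maps 239.1.2.3 */
    const uint8_t host_mac[6]  = {0x02,0x00,0x00,0x00,0x00,0x01}; /* constructed unicast */
    uint8_t f[64];
    size_t n = sample_report(f, group_mac);
    printf("report to group MAC: drop=%d\n", igmp_frame_should_drop(f, n));
    n = sample_report(f, host_mac);
    printf("report to host MAC:  drop=%d\n", igmp_frame_should_drop(f, n));
    return 0;
}
```

The filter does not verify checksums or parse 802.1Q tags; it only isolates the one property the advisory relies on, the group bit of the destination MAC.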

