
DVMRP can be used to trigger an amplification attack against a third party


Article ID: KB29553 | KB Last Updated: 06 Oct 2014 | Version: 1.0
Summary:
Junos OS supports the Distance Vector Multicast Routing Protocol (DVMRP) specified in draft-ietf-idmr-dvmrp-v3-11. A security researcher has found that this protocol can be used to trigger an amplification attack against a third party. Any protocol open to the Internet that can be sent a few bytes and responds with many bytes can serve as an amplifier. This can then be weaponized by sending a small message repeatedly to many Junos devices with a single spoofed source IP address, resulting in a flood of responses sent back to the spoofed IP address, which can overload the victim and result in a denial of service.
Symptoms:
When a Junos router with multicast enabled receives an IGMP packet of type DVMRP (IGMP_PROTO_DVMRP) whose IGMP code field is 0x5 (DVMRP_ASK_NEIGHBORS2), IGMP builds a neighbor list and responds to the source IP address of the sender. That source IP address can be a unicast address or a multicast address. There is no throttling of responses; the requests are answered at the highest rate possible. Secondary impacts are that the routing protocol daemon (rpd) IGMP utilization goes very high and the host path and interface network-control queues can become congested.


Cause:

Solution:
With the fix, the router no longer responds to DVMRP ask-neighbors2 messages; the dropped request is reported as an error message via the igmp traceoptions. There is no other change to DVMRP packet processing, so protocol functionality is not affected.

The following software releases have been updated to resolve this specific issue: Junos OS 14.1R3, 14.2R1, 12.1X47, and all subsequent releases.

Workaround
Standard security best current practices (BCPs) should limit the ability to use Junos as an accessory in a distributed denial of service attack.

Add the following filter to the loopback interface. It accepts only IGMP traffic whose destination is a multicast address in 224/4 with link-local scope. This does not affect transit IGMP packets; to cover the transit direction as well, the same filter would need to be added under the forwarding-options stanza. However, every packet would then have to be processed by this filter, which is unnecessary as long as the local processing of the request is eliminated.

    filter igmp {
        term igmp_accept {
            /* only accept mcast address with link-local scope */
            from {
                destination-address {
                    224.0.0.0/4;
                }
                protocol igmp;
            }
            then accept;
        }
        term igmp_drop {
            /* drop all igmp protocol traffic which does not have 224.0.0.0/4 destination address */
            from {
                protocol igmp;
            }
            then {
                discard;
            }
        }
    }
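As an added illustration (not Juniper's code and not part of the KB), the following Python parses IPv4/IGMP packets, identifies DVMRP Ask Neighbors 2 requests, and evaluates each packet against the lo0 filter above term by term, modelling the implicit discard that a Junos firewall filter applies to any packet matching no term. Two points it makes visible: 224.0.0.0/4 is the entire IPv4 multicast range, of which only 224.0.0.0/24 is the link-local control block (RFC 5771), so a request addressed to a multicast group still passes the filter; and because the filter ends without an accept term, applying it on lo0 on its own also discards all non-IGMP traffic to the routing engine, so add a final term accepting whatever other control traffic the router needs. The sample packets, the function names and the `reaches_rpd` field are constructed for this example.

```python
import ipaddress
import struct

# Protocol constants. IGMP type 0x13 carries DVMRP messages and DVMRP code 5 is
# Ask Neighbors 2; the KB names these IGMP_PROTO_DVMRP and DVMRP_ASK_NEIGHBORS2.
IPPROTO_IGMP = 2
IGMP_PROTO_DVMRP = 0x13
DVMRP_ASK_NEIGHBORS2 = 0x5
DVMRP_NEIGHBORS2 = 0x6

MULTICAST = ipaddress.ip_network("224.0.0.0/4")          # what the KB filter matches
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # link-local control block (RFC 5771)


def build_ipv4(src, dst, proto, payload, ttl=1):
    """Construct a sample IPv4 packet for offline testing (checksums left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def build_igmp(src, dst, igmp_type, igmp_code):
    """Construct a sample IGMP packet: type, code, checksum (zero), 4-byte body."""
    return build_ipv4(src, dst, IPPROTO_IGMP,
                      struct.pack("!BBH", igmp_type, igmp_code, 0) + b"\x00" * 4)


def parse_ipv4_igmp(pkt):
    """Parse the IPv4 header and, for IGMP payloads, the IGMP type and code fields."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    info = {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "ttl": ttl, "igmp_type": None, "igmp_code": None}
    if proto == IPPROTO_IGMP and len(pkt) >= ihl + 4:
        info["igmp_type"], info["igmp_code"], _ = struct.unpack("!BBH", pkt[ihl:ihl + 4])
    return info


def loopback_filter_action(info):
    """Evaluate the KB's lo0 filter terms in order, including Junos's implicit final discard."""
    if info["proto"] == IPPROTO_IGMP and ipaddress.ip_address(info["dst"]) in MULTICAST:
        return "accept"   # term igmp_accept
    if info["proto"] == IPPROTO_IGMP:
        return "discard"  # term igmp_drop
    return "discard"      # matched no term: a Junos filter discards such packets


def classify(info):
    """Label a parsed packet by what it carries."""
    if info["proto"] != IPPROTO_IGMP:
        return "non-igmp"
    if info["igmp_type"] != IGMP_PROTO_DVMRP:
        return "igmp-other"
    return {DVMRP_ASK_NEIGHBORS2: "dvmrp-ask-neighbors2",
            DVMRP_NEIGHBORS2: "dvmrp-neighbors2"}.get(info["igmp_code"], "dvmrp-other")


def audit(packets):
    """One finding per packet: class, filter verdict, and whether it is an Ask Neighbors 2
    request the filter would still hand to rpd ("reaches_rpd", a name chosen for this example)."""
    findings = []
    for pkt in packets:
        info = parse_ipv4_igmp(pkt)
        kind, verdict = classify(info), loopback_filter_action(info)
        findings.append({"src": info["src"], "dst": info["dst"], "kind": kind, "filter": verdict,
                         "reaches_rpd": kind == "dvmrp-ask-neighbors2" and verdict == "accept",
                         "dst_link_local": ipaddress.ip_address(info["dst"]) in LINK_LOCAL_MCAST})
    return findings


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLES = [
    build_igmp("198.51.100.7", "192.0.2.1", IGMP_PROTO_DVMRP, DVMRP_ASK_NEIGHBORS2),  # to lo0 unicast
    build_igmp("10.0.0.2", "224.0.0.4", IGMP_PROTO_DVMRP, DVMRP_ASK_NEIGHBORS2),      # to DVMRP group
    build_igmp("10.0.0.3", "224.0.1.1", 0x16, 0),                                     # IGMPv2 report
    build_ipv4("198.51.100.9", "192.0.2.1", 6, b"\x00" * 8),                          # TCP, not IGMP
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Running the block prints one finding per sample: the unicast-addressed request is discarded by the filter, the request to the DVMRP routers group 224.0.0.4 is accepted and would still reach rpd (it is link-local, so it is not forwarded across the Internet, which is what makes the filter an acceptable workaround), the membership report is accepted, and the TCP packet is discarded because no term matches it.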
