The present invention relates generally to communication networks, and more specifically, to filtering traffic from unauthorized sources in a multicast network.
Traditional Internet Protocol (IP) communication allows a host to send packets to a single host (unicast transmission) or to all hosts (broadcast transmission). To support applications such as audio and video conference calls, audio broadcasting, and video broadcasting, which require high-data-rate transmission to multiple hosts, a third routing technique has evolved: multicast routing. In multicast routing, a host sends packets to a subset of all hosts as a group transmission. Multicast routing protocols have been developed to conserve bandwidth by minimizing duplication of packets. To deliver data as efficiently as possible, multicast packets are replicated not at the source but within the network, at the points where the paths to multiple receivers diverge.
In large part, multicast routing protocols rely on the same underlying Internet infrastructure that supports unicast routing. One key difference is that whereas unicast routing is generally based on a destination IP address of the packet, multicast routing protocols typically make forwarding decisions based on a group address that identifies a group of intended recipients and possibly also on an address of the packet source.
A multicast group is an arbitrary group of receivers that expresses an interest in receiving a particular datastream. Such a group has no physical or geographical boundaries. Hosts that are interested in receiving data flowing to a particular group join the group using Internet Group Management Protocol (IGMP). An IP multicast address, or a portion thereof, specifies a particular group.
Multicast-capable routers create distribution trees that control the path that IP multicast traffic takes through the network in order to deliver traffic to all receivers. The two basic types of multicast distribution trees are source trees and shared trees.
In a source tree, the multicast traffic source is the root and the branches form a spanning tree through the network to the receivers. This is also referred to as a shortest path tree (SPT) because the tree typically uses the shortest paths between the source and each receiver through the network. A particular SPT is denoted by an (S,G) address, where S is the IP address of the source and G is the group address of the group of recipients.
Unlike source trees that have their root at the source, shared trees use a single common root placed at some chosen point in the network. This shared root is called a Rendezvous Point (RP). Because all sources of traffic directed to a particular multicast group use a common shared tree, shared trees are identified by addresses written in (*,G) form. In this wildcard notation, * denotes all sources, and G represents the multicast group.
In multicast networks, any host can start forwarding multicast data traffic into the network. The multicast network may therefore be used to generate a multicast DoS (Denial of Service) attack, in which an attacker makes a system unresponsive by forcing it to handle sham requests that consume all available resources. A compromised or unauthorized host can transmit multicast data traffic containing spurious data to a multicast group address and port number to which there may be one or more legitimate sources forwarding multicast data traffic. If the multicast traffic that is being sent is high bandwidth traffic, it may significantly degrade the performance of the network and also the performance of the hosts that are interested in receiving traffic for that particular multicast group.
Conventional methods for preventing unauthorized hosts from forwarding multicast data traffic include the configuration of filters in the form of access control lists or route-maps on the routers, or rendezvous point (RP) lists on the rendezvous points. However, if filter lists are used, the lists must be configured on all multicast-enabled routers that have directly connected hosts, on a per-interface basis, to block a particular host or set of hosts from forwarding multicast data traffic. For example, in a network configured for PIM (Protocol Independent Multicast) dense mode with one fixed known source and a thousand receivers, there is no easy way to block the thousand receivers from each becoming a multicast source without configuring filters on every router interface on which there are one or more directly connected hosts. If RP lists are used, a portion of the network is still affected, because the unwanted traffic travels all the way to the RP before being filtered there.
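The (S,G)/(*,G) forwarding-state lookup from the earlier paragraphs and the two conventional filter placements just described can be seen together in a small simulation. The following is an added example, not text or code from the patent or any router vendor: router names R1/R2/RP, the interface names, the host addresses 10.0.0.1 and 10.0.0.99 and the group 239.1.1.1 are all constructed. It forwards one packet from a directly connected host toward the RP and reports where a rogue source is dropped and how many router-to-router links its traffic consumed first, under an edge ACL versus an RP list.

```python
"""Toy model of multicast forwarding state and of the two conventional
source-filter placements (per-interface ACL at the first-hop router versus
a source list at the RP). Added illustration; topology, addresses and the
group are constructed, not taken from the patent."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Forwarding-state key in the notation used above: (S, G) for a source tree,
# ("*", G) for a shared tree.
Key = Tuple[str, str]
ANY = "*"


def lookup_state(state: Dict[Key, Set[str]], src: str, group: str) -> Optional[Set[str]]:
    """Outgoing interfaces for a packet: a matching (S,G) entry takes
    precedence over the (*,G) shared-tree entry; None if no state exists."""
    return state.get((src, group), state.get((ANY, group)))


@dataclass
class Router:
    name: str
    state: Dict[Key, Set[str]] = field(default_factory=dict)
    # Per-interface ACL: ingress interface -> sources allowed to send multicast.
    # An interface without an entry is unfiltered.
    ingress_acl: Dict[str, Set[str]] = field(default_factory=dict)
    is_rp: bool = False
    # RP list: sources the RP accepts; None means the RP accepts every source.
    rp_allowed: Optional[Set[str]] = None

    def permits(self, ingress: str, src: str) -> bool:
        allowed = self.ingress_acl.get(ingress)
        return allowed is None or src in allowed


@dataclass
class Verdict:
    delivered: bool
    dropped_at: str       # router that dropped the packet, "" if delivered
    links_crossed: int    # router-to-router links consumed before the decision


# Constructed chain: host -> R1 -> R2 -> RP, as (router, out_if) -> (next, in_if).
LINKS = {("R1", "up"): ("R2", "down"), ("R2", "up"): ("RP", "down")}


def send(routers: Dict[str, Router], first_hop: str, ingress: str, src: str, group: str) -> Verdict:
    """Forward one packet from a directly connected host toward the RP."""
    cur, crossed = first_hop, 0
    while True:
        r = routers[cur]
        if not r.permits(ingress, src):
            return Verdict(False, cur, crossed)
        if r.is_rp:
            if r.rp_allowed is not None and src not in r.rp_allowed:
                return Verdict(False, cur, crossed)
            return Verdict(True, "", crossed)
        oifs = lookup_state(r.state, src, group)
        if not oifs:
            return Verdict(False, cur, crossed)  # no (S,G) or (*,G) state
        cur, ingress = LINKS[(cur, next(iter(oifs)))]  # toy: one upstream interface
        crossed += 1


GROUP = "239.1.1.1"
AUTHORIZED = "10.0.0.1"   # the one legitimate source (constructed)
ROGUE = "10.0.0.99"       # a compromised host on the same LAN (constructed)


def build(filter_at: str) -> Dict[str, Router]:
    """filter_at is 'edge' (ACL on R1's host-facing interface) or 'rp' (RP list)."""
    shared = {(ANY, GROUP): {"up"}}
    r1 = Router("R1", state=dict(shared))
    r2 = Router("R2", state={(AUTHORIZED, GROUP): {"up"}, **shared})
    rp = Router("RP", is_rp=True)
    if filter_at == "edge":
        r1.ingress_acl["lan"] = {AUTHORIZED}
    elif filter_at == "rp":
        rp.rp_allowed = {AUTHORIZED}
    else:
        raise ValueError(filter_at)
    return {r.name: r for r in (r1, r2, rp)}


def compare() -> Dict[str, Dict[str, Verdict]]:
    """Where is rogue traffic dropped, and how much of the network did it cross first?"""
    return {
        place: {
            "authorized": send(build(place), "R1", "lan", AUTHORIZED, GROUP),
            "rogue": send(build(place), "R1", "lan", ROGUE, GROUP),
        }
        for place in ("edge", "rp")
    }


if __name__ == "__main__":
    for place, results in compare().items():
        for who, v in results.items():
            print(f"filter at {place:4} {who:10} delivered={v.delivered} "
                  f"dropped_at={v.dropped_at or '-'} links_crossed={v.links_crossed}")
```

With the ACL on R1's LAN interface the rogue packet never leaves the first hop, but that ACL would have to be repeated on every host-facing interface in the network; with only an RP list the rogue packet crosses both inter-router links before the RP discards it, which is the partial exposure the paragraph above describes.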