Friday, October 24, 2008

Multicast as a recon. or attack vector?

Having been in the network architecture and security business for some time, I am quite surprised that more network recon. and attack tools have not given consideration to Multicast destinations. The backdrop is that more and more internal networks are video [multicast] enabled, and academic Internet2 participants are often Multicast enabled in a Wide Area (WAN) sense.

Assuming minimally some internal network access, it would seem that a quick method of recon. would be to send traffic to a well-known multicast app. address / port, and see what it yields. At worst, you find a network that is not Multicast enabled and responds at layer 2 only.

More insidious would be the existence of backdoor command and control of botnets listening on Multicast addresses. One would only need access to a single internal network node in a large enterprise to send command and control to the remainder of the herd. Or worse still, if that botnet lived within the Internet2 wide area Multicast space, the command and control aspect could easily be just a trickle of Multicast and not noticed.
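
From the defender's side, a listener on a Multicast address has to join the group, and on Linux that membership shows up in `/proc/net/igmp`. The following is an added example, not part of the original post: it parses that file's layout and flags joined groups that are not on an allowlist. The sample text, the allowlist and the function names are constructed for illustration, and the byte order assumes a little-endian host.

```python
import ipaddress

# Constructed sample in the layout of Linux /proc/net/igmp (not from a real host).
SAMPLE_PROC_NET_IGMP = """\
Idx\tDevice    : Count Querier\tGroup    Users Timer\tReporter
1\tlo        :     1      V3
\t\t\t\t010000E0     1 0:00000000\t\t0
2\teth0      :     3      V3
\t\t\t\tFB0000E0     1 0:00000000\t\t0
\t\t\t\t010000E0     1 0:00000000\t\t0
\t\t\t\t2A4D01EF     1 0:00000000\t\t0
"""

# Assumed site allowlist: all-hosts (224.0.0.1) and mDNS (224.0.0.251).
EXPECTED_GROUPS = {"224.0.0.1", "224.0.0.251"}


def parse_igmp(text, little_endian=True):
    """Return (device, group) pairs for every IPv4 membership listed."""
    memberships, device = [], None
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():           # interface row: "2 eth0 : 3 V3"
            device = fields[1].rstrip(":")  # long names have the colon attached
            continue
        # Membership row: the group is 8 hex digits in host byte order,
        # so a little-endian host prints 224.0.0.1 as 010000E0.
        raw = bytes.fromhex(fields[0])
        if little_endian:
            raw = raw[::-1]
        memberships.append((device, str(ipaddress.IPv4Address(raw))))
    return memberships


def unexpected_groups(text, expected=EXPECTED_GROUPS):
    """Memberships that are multicast addresses but not on the allowlist."""
    return [(dev, grp) for dev, grp in parse_igmp(text)
            if ipaddress.IPv4Address(grp).is_multicast and grp not in expected]


if __name__ == "__main__":
    for dev, grp in unexpected_groups(SAMPLE_PROC_NET_IGMP):
        print(f"unexpected multicast membership: {grp} on {dev}")
```

On a real host, pass the contents of `/proc/net/igmp` instead of the sample; any flagged group can then be tied to the owning process with the usual socket listing tools.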

1 comment:

Jackson said...

Can you elaborate more?