DocumentCode
3244549
Title
A Dynamic Stateful Multicast Firewall
Author
Shen Li ; Sivaraman, Vijay ; Krumm-Hellerl, A. ; Russell, Craig
Author_Institution
Univ. of New South Wales, Kensington
fYear
2007
fDate
24-28 June 2007
Firstpage
1280
Lastpage
1285
Abstract
Enterprises are faced with the challenge of enabling IP multicast applications without exposing their network to multicast denial-of-service attacks. Current practice is to use firewalls and manually configure them on a per-multicast-session basis. This imposes a high work-load on the network administrator, and severely reduces flexibility for end-users. In this paper, we propose and demonstrate a simple yet powerful multicast firewall algorithm that can, under most conditions, automatically distinguish unsolicited multicast packets and drop them to protect the network from denial-of-service attacks. Inspired by the "stateful" operation of unicast firewalls, our multicast firewall blocks unsolicited multicast packets by maintaining state information on multicast group membership and unicast interactions. We prototype our algorithm as a plug-in to Linux NetFilter, and present performance and scalability results from testing on a high-quality multicast video platform coupled with synthetic traffic from a network tester. Based on the prototype, we believe that it is feasible to build multicast firewalls that can, without manual intervention, and with minimal performance impact, protect the network against multicast attacks.
Keywords
computer networks; multicast communication; denial of service attacks; dynamic stateful; multicast firewall; multicast packets; unicast firewalls; Australia; Computer crime; Linux; Multicast algorithms; Multicast protocols; Protection; Prototypes; Routing; Testing; Unicast;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, 2007. ICC '07. IEEE International Conference on
Conference_Location
Glasgow
Print_ISBN
1-4244-0353-7
Type
conf
DOI
10.1109/ICC.2007.216
Filename
4288887