The current multicast paradigm can let any host join any multicast group at any time by sending an IGMP or MLD membership report to the DR. In a Protocol Independent Multicast (PIM) Sparse Mode network, the DR will send a PIM Join message for the group to the RP. Without any form of admission control, this can pose a security risk to the entire multicast domain - specifically the multicast routers along the shared tree from the DR to the RP that must maintain the mroute state information for each group join request. Hence, it is imperative that the DR is configured to limit the number of mroute state information that must be maintained to mitigate the risk of IGMP or MLD flooding.
Review the DR configuration to verify that it is limiting the number of mroute states via IGMP or MLD. If the DR is not limiting multicast join requests via IGMP or MLD, this is a finding. Note: If both global and per-interface state limiters are configured, the limits configured for per-interface state limiters are still enforced but are constrained by the global limit.
Configure the DR on a global or interface basis to limit the number of mroute states resulting from IGMP or MLD membership reports.