V-253995

Discussion

Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.

Check Content

Verify that the RP router is configured to filter PIM register messages.
[edit policy-options]
policy-statement <name> {
    term filter_groups {
        from {
            route-filter <multicast address>/<mask> orlonger;
            route-filter <multicast address>/<mask> exact;
            <additional groups to filter>
        }
        then reject;
    }
    term filter_sources {
        from {
            source-address-filter <source host address>/32 exact;
            source-address-filter <source subnet address>/<mask> orlonger;
            <additional source addresses to filter>
        }
        then reject;
    }
    term accept_others {
        then accept;
    }
}
[edit protocols]
pim {
    mode sparse;
    import <policy name>;
}

Note: Alternative is to verify all designated routers are filtering IGMP Membership Report (a.k.a., join) messages received from hosts.

If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block registration messages for any undesirable multicast groups and Bogon sources, this is a finding.