Information
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.
Satisfies: SRG-NET-000019-RTR-000013, SRG-NET-000019-RTR-000014
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the RP router to filter PIM register and join messages received from a multicast DR for any undesirable multicast groups or sources.
Step 1: Configure an ACL to filter the multicast groups.
LEAF-1A(config)#ip access-list standard ALLOWED_MULTICAST_GROUP
LEAF-1A(config-std-acl-ALLOWED_MULTICAST_GROUP)#10 permit 224.0.0.0/8
LEAF-1A(config-std-acl-ALLOWED_MULTICAST_GROUP)#20 deny any
Step 2: Apply the ACL in the PIM process globally.
LEAF-1A(config)#router pim sparse-mode
LEAF-1A(config-router-pim-sparse)#ipv4
LEAF-1A(config-router-pim-sparse-ipv4)#rp address 100.2.1.6 access-list ALLOWED_MULTICAST_GROUP
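As an added compliance check written for this page (not part of the Nessus audit content or of Arista's tooling), the following Python parses a constructed EOS running-config excerpt that follows the two steps above and flags the failure modes a reviewer looks for: an RP with no group access-list, an ACL that permits "any" or a non-multicast prefix, and an ACL without an explicit trailing "deny any". The sample config, function names and finding text are assumptions.

```python
import ipaddress
import re

# Constructed Arista EOS running-config excerpt (sample data, not from a real device) following the two Solution steps above.
SAMPLE_CONFIG = """\
ip access-list standard ALLOWED_MULTICAST_GROUP
   10 permit 224.0.0.0/8
   20 deny any
router pim sparse-mode
   ipv4
      rp address 100.2.1.6 access-list ALLOWED_MULTICAST_GROUP
"""

def parse_standard_acls(config):
    """Map each 'ip access-list standard NAME' block to its [(action, target), ...] entries."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ip access-list standard (\S+)", line)
        if head:
            current = head.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            entry = re.match(r"\s*(?:\d+\s+)?(permit|deny)\s+(?:host\s+)?(\S+)", line)
            if entry:
                acls[current].append(entry.groups())
        else:
            current = None  # any non-indented line ends the ACL block
    return acls

def rp_group_filters(config):
    """Map each RP address to the ACL named on its 'rp address' line (None when unfiltered)."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"rp address (\S+)(?:\s+access-list\s+(\S+))?", config)}

def audit(config):
    """Return findings for this check; an empty list means the RP filters groups as required."""
    acls, rps = parse_standard_acls(config), rp_group_filters(config)
    findings = [] if rps else ["no 'rp address' configured under router pim sparse-mode"]
    for rp, acl_name in rps.items():
        entries = acls.get(acl_name) if acl_name else None
        if not entries:
            findings.append(f"rp address {rp}: no usable group access-list, so registers/joins for any group are accepted")
            continue
        for action, target in entries:
            if action == "permit" and (target == "any" or not ipaddress.ip_network(
                    target, strict=False).subnet_of(ipaddress.ip_network("224.0.0.0/4"))):
                findings.append(f"ACL {acl_name} permits unrestricted or non-multicast target {target}")
        if entries[-1] != ("deny", "any"):
            findings.append(f"ACL {acl_name} has no explicit trailing 'deny any'")
    return findings
```

Run audit() against the output of "show running-config" from the RP; the sample above returns no findings, while a bare "rp address" line or a "permit any" entry each produce one.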