Thursday, May 10, 2018

ScreenOS, Multicasting, and IP Spoof Detection

Alright, so I'm working with a Juniper ScreenOS device on the latest revision, one of the 550Ms, and I've run into an issue with alerts being generated by multicast traffic. I'd like to start off by saying that while I've read a little bit on multicasting, my actual understanding of all the elements involved isn't as up to snuff as I'd like; in fact it's embarrassingly little compared to where it should probably be.

There's a service running in one of the zones, let's call it test zone a, with, let's assume, an interface of 192.0.2.1/25. Behind this are a couple of machines running Ganglia in its default configuration, which apparently makes use of multicasting in order to monitor the devices within.

Ganglia fires off to a consistent address on a consistent port, easy enough, right? But the address is out in the IPv4 multicast range (239.2.11.71). ScreenOS throws an unholy bitchfit about this, with an alert like this about every second:

IP spoofing! From 192.0.2.25:32818 to 239.2.11.71:8649, proto UDP (zone Test-Zone-A, int ethernet0/0). Occurred 4 times. 

Which is wonderful and all, except I have these alerts dumping to an inbox for monitoring, and now I basically have an inbox filled with false positives. Now, everything I've read from the ScreenOS community is basically that ScreenOS is too old and dumb to figure this out, so turn off IP Spoofing on that zone; however, given that ScreenOS very clearly has multicasting routers and rulesets, I choose to believe that this option couldn't possibly be the case. I figure I just need to know what multicasting elements I need to set up to tell it that this traffic is expected and allowed.

So is it just as simple as establishing an M-Cast on an intrazone policy with the MGroup address being the one I'm seeing over and over again, or are there more complications? I started trying to dig into IGMP / PIM / etc. but got a little lost along the way.

So I guess my questions are:

1.) Is this even possible with ScreenOS? Can it be taught that multicasting is not IP Spoofing, thus eliminating the alert? I'd like, if at all possible, to leave IP Spoofing intact but properly account for the multicast traffic.

2.) Does anyone know a good resource on multicasting, and, if ScreenOS can deal with this traffic properly, a resource on that and multicasting?
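One defender-side way to stop these alerts from flooding the monitoring inbox without disabling the screen on the device is to triage the alert text before it is mailed: keep the alert when the source address is not one of the zone's own hosts (the signal the IP spoofing screen is actually meant to catch) and suppress it only when a host in the zone's subnet is sending to a multicast group. This is an added example, not ScreenOS configuration and not code from the original post. It assumes the alert format quoted above, that 192.0.2.0/25 (taken from the interface address in the post) is the only legitimate source range for zone Test-Zone-A, and that the `ZONE_SUBNETS` mapping, the function names, and every sample line except the first are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pattern for the ScreenOS "IP spoofing!" alert text quoted in the post.
# re.search is used so a syslog or e-mail prefix in front of the message is tolerated.
ALERT_RE = re.compile(
    r"IP spoofing! From (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>[^,]+), int (?P<iface>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times?\."
)

# Assumed zone -> expected source subnets. 192.0.2.0/25 is derived from the
# interface address in the post; the zone name is the one printed in the alert.
ZONE_SUBNETS = {
    "Test-Zone-A": [ipaddress.ip_network("192.0.2.0/25")],
}


@dataclass
class SpoofAlert:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    zone: str
    iface: str
    count: int


def parse_alert(line: str) -> Optional[SpoofAlert]:
    """Return a SpoofAlert for a ScreenOS IP-spoofing alert line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        return SpoofAlert(
            src=ipaddress.ip_address(m["src"]),
            sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]),
            dport=int(m["dport"]),
            proto=m["proto"],
            zone=m["zone"],
            iface=m["iface"],
            count=int(m["count"]),
        )
    except ValueError:
        # The regex accepts any dotted digits; reject anything that is not a real address.
        return None


def classify(alert: SpoofAlert) -> str:
    """Decide whether the alert is expected multicast or still worth a human's attention."""
    expected = ZONE_SUBNETS.get(alert.zone, [])
    src_in_zone = any(alert.src in net for net in expected)
    if not alert.dst.is_multicast:
        return "unicast"                    # not the multicast case; the screen's verdict stands
    if src_in_zone:
        return "expected-multicast"         # zone host sending to a group, e.g. Ganglia
    return "multicast-foreign-source"       # multicast, but the source is not where it should be


# Verdicts that should still reach the inbox. Lines we cannot parse are passed
# through rather than silently dropped.
NOTIFY = {"unicast", "multicast-foreign-source", "unparsed"}


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verdict, line) for each input line."""
    out = []
    for line in lines:
        alert = parse_alert(line)
        out.append((classify(alert) if alert else "unparsed", line))
    return out


def lines_to_notify(lines: List[str]) -> List[str]:
    """Only the lines that should still be mailed to the monitoring inbox."""
    return [line for verdict, line in triage(lines) if verdict in NOTIFY]


# Constructed sample: the first line is the alert quoted in the post; the others
# are made-up lines of the same shape covering the remaining cases.
SAMPLE_LOG = [
    "IP spoofing! From 192.0.2.25:32818 to 239.2.11.71:8649, proto UDP (zone Test-Zone-A, int ethernet0/0). Occurred 4 times.",
    "IP spoofing! From 10.9.8.7:40000 to 239.2.11.71:8649, proto UDP (zone Test-Zone-A, int ethernet0/0). Occurred 1 time.",
    "IP spoofing! From 198.51.100.9:1234 to 192.0.2.30:22, proto TCP (zone Test-Zone-A, int ethernet0/0). Occurred 2 times.",
    "System is up for 4 days.",
]

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG):
        print(f"{verdict:26s} {line}")
```

The only thing suppressed is multicast traffic whose source sits inside the zone's own subnet; a multicast packet from an address outside that subnet is exactly what the screen exists to flag, so it is still delivered, and the screen itself stays enabled on the device.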


