Re: ipv6 DOS attacks via routing loops

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/12/07, Wolfgang S. Rupprecht
<wolfgang.rupprecht+gnus200705@xxxxxxxxx> wrote:

With the recent flurry of activity around IPv6 and the routing
headers, I think its important to point out that explicit source
routing isn't the only way some attacker could amplify their DOS
attack. A very common problem with IPv6 is that folks forget to set a
reject route to absorb their unused networks. Without someting in the
ipv6 routing table to tell the gateway machine that these addresses
are "mine" but unused, the packets will get sent back up the default
route to the upstream gateway. That gateway will notice that the
packet is meant for your net and will send it right back. Some
attacker that notices this misconfiguration can then proceed to send
packets with a very long TTL and proceed to have the packet bounce up
and down the link approximately 250 times. The fix is to set up a
reject route for your assigned /48 (or whatever your upstream gives
you).

My notes from just setting up an ipv6 tunnel under FC6 (fedora):

        http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html

Comments/corrections welcome.

-wolfgang
--
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/

Interesting FUD. Most of us common folks don't have IPV6 enabled. By
the time IPV6 truly becomes common the vulnerabilities that you
reference with be replaced with new ones.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux