nanog mailing list archives

Re: just seen my first IPv6 network abuse scan, is this the start for more?


From: Matthias Flittner <matthias.flittner () de-cix net>
Date: Fri, 03 Sep 2010 15:07:40 +0200

However this scan was from an external host. The only traffic I saw on
the subnet was normal/valid NA lookups from the router towards an
increasing IPv6-address (starting with ::1, then ::2 etc). On the
router side I clearly saw the icmp traffic from the source doing a
scan on these destination hosts.
Typically this fills the NC with faked entries and exhausts the node's
cache resources. "This interrupts the normal functions of the targeted
IPv6 node."

In other words: The attacker sends a lot of ICMPv6 echo requests to your
/64 subnet. Your router has to resolve these addresses internally (each NA
is stored in NC of the router). The node's cache resources are exhausted
and no "normal" NA could be stored. I think that was your problem.

Unfortunately there is no standardized way to mitigate these attacks yet.

However there are many approaches which could help or could be discussed.
(like http://www.freepatentsonline.com/20070130427.pdf or other)

best regards,
-F
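
A detection sketch for the neighbor cache (NC) exhaustion described in this message, added as an example and not part of the original post: it parses Linux `ip -6 neigh show` output and flags any /64 where unresolved entries dominate the cache. The sample input is constructed, and the function names and thresholds are illustrative assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in the `ip -6 neigh show` (Linux iproute2) output
# format; addresses come from the 2001:db8::/32 documentation prefix.
SAMPLE = """\
2001:db8:0:1::a dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
2001:db8:0:1::b dev eth0 lladdr 52:54:00:aa:bb:02 STALE
fe80::1 dev eth0 lladdr 52:54:00:aa:bb:fe router REACHABLE
2001:db8:0:1::1 dev eth0 INCOMPLETE
2001:db8:0:1::2 dev eth0 INCOMPLETE
2001:db8:0:1::3 dev eth0 FAILED
2001:db8:0:1::4 dev eth0 INCOMPLETE
2001:db8:0:1::5 dev eth0 FAILED
2001:db8:0:2::10 dev eth1 lladdr 52:54:00:aa:cc:01 REACHABLE
2001:db8:0:2::11 dev eth1 FAILED
"""

UNRESOLVED = {"INCOMPLETE", "FAILED"}  # states with no link-layer address

def parse_neigh(text):
    """Yield (address, device, state) for each IPv6 neighbor cache line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "dev":
            continue
        try:
            addr = ipaddress.IPv6Address(parts[0])
        except ValueError:
            continue  # skip IPv4 or malformed lines
        yield addr, parts[2], parts[-1]

def unresolved_by_prefix(text):
    """Count resolved and unresolved entries per (device, /64 prefix)."""
    stats = {}
    for addr, dev, state in parse_neigh(text):
        net = ipaddress.IPv6Network((int(addr) >> 64 << 64, 64))
        c = stats.setdefault((dev, str(net)), Counter())
        c["unresolved" if state in UNRESOLVED else "resolved"] += 1
    return stats

def suspicious(text, min_unresolved=5, ratio=0.5):
    """Return (device, prefix) pairs whose cache is mostly unresolved (assumed thresholds)."""
    hits = []
    for key, c in sorted(unresolved_by_prefix(text).items()):
        total = c["resolved"] + c["unresolved"]
        if c["unresolved"] >= min_unresolved and c["unresolved"] / total >= ratio:
            hits.append(key)
    return hits
```

On a router the thresholds would be set relative to the platform's neighbor cache size, since the failure described above occurs when unresolved entries crowd out legitimate ones.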
