Re: Using IPv6 with prefixes shorter than a /64 on a LAN

[Matthew Petach <mpetach () netflight com>]

On Tue, Jan 25, 2011 at 10:26 PM, Fernando Gont <fernando () gont com ar> wrote:
> On 24/01/2011 07:41 p.m., Michael Loftis wrote:
>
> > > Many cite concerns of potential DoS attacks by doing sweeps of IPv6
> > > networks.  I don't think this will be a common or wide-spread problem.
> > >  The general feeling is that there is simply too much address space
> > > for it to be done in any reasonable amount of time, and there is
> > > almost nothing to be gained from it.
> >
> > The problem I see is the opening of a new, simple, DoS/DDoS scenario.
> > By repetitively sweeping a targets /64 you can cause EVERYTHING in
> > that /64 to stop working by overflowing the ND/ND cache, depending on
> > the specific ND cache implementation and how big it is/etc.
>
> That depends on the ND implementation being broken enough by not
> limiting the number of neighbor cache entries that are in the INCOMPLETE
> state. (I'm not saying those broken implementations don't exist, though).

Even without completely overflowing the ND cache, informal lab testing
shows that a single laptop on a well-connected network link can send
sufficient packets at a very-large-scale backbone router's connected /64
subnet to keep the router CPU at 90%, sustained, for as long as you'd
like.  So, while it's not a direct denial of service (the network keeps
functioning, albeit under considerable pain), it's enough to impact the
ability of the network to react to other dynamic loads.  :/

Matt