nanog mailing list archives

Re: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))


From: William Herrin <bill () herrin us>
Date: Sun, 17 Jul 2011 11:42:27 -0400

On Mon, Jul 11, 2011 at 8:17 PM, Karl Auer <kauer () biplane com au> wrote:
> RFC3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats
>
>   In this attack, the attacking node begins fabricating addresses with
>   the subnet prefix and continuously sending packets to them.  The last
>   hop router is obligated to resolve these addresses by sending
>   neighbor solicitation packets.  A legitimate host attempting to enter
>   the network may not be able to obtain Neighbor Discovery service from
>   the last hop router as it will be already busy with sending other
>   solicitations.

Hi Karl,

My off-the-cuff naive solution to this problem would be to discard the
oldest incomplete solicitation to fit the new one and, upon receiving
an apparently unsolicited response to a discarded solicitation,
restart the process flagging that particular query non-discardable.

That would be an implementation change, not a protocol change.

I would expect to occasionally lose a packet due to the discard while
the router was under attack with the accordingly minimal impact. I
would also expect to see a multicast flood on the LAN of about the
same data rate as the inbound attack packets.

Where does this naive approach break down?


On Fri, Jul 15, 2011 at 12:13 AM, Fernando Gont <fernando () gont com ar> wrote:
> On 07/15/2011 12:24 AM, Jimmy Hess wrote:
>> A similarly hazardous situation exists with IPv4, and it is basically
>> unheard of for IPv4's Layer 2/ARP security weaknesses to be exploited
>> to create a DoS condition, even though they can be (very easily),
>
> IMO, the situation is different, in that the typical IPv4 subnet size
> eliminates some of the attack vectors.

Hi Fernando,

Not at a practical level. The reason it's unheard of for IPv4 is that
if you're a hacker with an ability to generate arbitrary packets on a
LAN, DoSing the adjacent router by overwhelming its ARP cache is one
of the least interesting things you can do... and one of the easiest
to get busted at.

It isn't necessary (or possible) to solve every conceivable *local*
DoS attack. And frankly remote saturation-bomb attacks are out of
bounds too. The concern Karl presented was that it was possible to
remotely disable an IPv6 LAN with tailored traffic much less than that
network's inbound capacity. Solve that issue with IPv6 ND and we're
done.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
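The discard-oldest / restart-pinned policy Bill proposes above, as a toy simulation added here (not code from the thread or from any router vendor). It assumes a bounded INCOMPLETE queue, one multicast NS per solicitation, and a legitimate host that answers each NS one step later; the addresses and link-layer address are constructed sample values.

```python
from collections import OrderedDict

class NdCache:
    """Toy model of a router neighbour cache with a bounded INCOMPLETE queue.
    Constructed for this thread; not real router code."""
    def __init__(self, max_incomplete, restart_pinned=True):
        self.max_incomplete = max_incomplete
        self.restart_pinned = restart_pinned  # the proposal above, on or off
        self.incomplete = OrderedDict()       # addr -> pinned? (oldest first)
        self.discarded = set()                # queries we gave up on (unbounded here)
        self.reachable = {}                   # addr -> link-layer address
        self.ns_sent = []                     # solicitations issued this step

    def packet_to(self, addr):
        """Forwarding to an unresolved address starts neighbour resolution."""
        if addr not in self.reachable and addr not in self.incomplete:
            self._solicit(addr, pinned=False)

    def _solicit(self, addr, pinned):
        if len(self.incomplete) >= self.max_incomplete:
            victim = next((a for a, p in self.incomplete.items() if not p), None)
            if victim is None:
                return                        # every slot pinned: drop new query
            del self.incomplete[victim]       # discard the oldest incomplete entry
            self.discarded.add(victim)
        self.incomplete[addr] = pinned
        self.ns_sent.append(addr)             # one multicast NS per solicitation

    def advertisement(self, addr, lladdr):
        """A Neighbour Advertisement arrived for addr."""
        if addr in self.incomplete:
            del self.incomplete[addr]
            self.reachable[addr] = lladdr
        elif addr in self.discarded and self.restart_pinned:
            self.discarded.discard(addr)      # apparently unsolicited reply:
            self._solicit(addr, pinned=True)  # redo the query, non-discardable

def steps_until_resolved(flood_per_step, max_incomplete=8, restart_pinned=True, limit=20):
    """Attacker sends packets to fresh bogus addresses each step; one real host
    tries to join and answers each NS one step later. Returns the step at which
    the real host resolves, or None if it never does within `limit` steps."""
    cache = NdCache(max_incomplete, restart_pinned)
    legit, lladdr = "2001:db8::1", "00:00:5e:00:53:01"   # constructed sample values
    for step in range(limit):
        asked_last_step = legit in cache.ns_sent
        cache.ns_sent = []
        for i in range(flood_per_step):       # bogus targets never answer
            cache.packet_to(f"2001:db8::bad:{step}:{i}")
        if asked_last_step:
            cache.advertisement(legit, lladdr)
        if legit in cache.reachable:
            return step
        cache.packet_to(legit)
    return None
```

With a flood equal to the queue size, plain discard-oldest never lets the real host in, while the restart-pinned variant resolves it after its first discarded reply; `cache.discarded` grows with every evicted query, which the toy does not bound.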

_____
NANOG mailing list
NANOG () nanog org
https://mailman.nanog.org/mailman/listinfo/nanog
