Nmap Development mailing list archives

Re: [NSE] whois.nse


From: doug () hcsw org
Date: Mon, 11 Aug 2008 13:47:42 -0700

On Wed, Aug 06, 2008 at 06:54:47AM +0000 or thereabouts, Brandon Enright wrote:
Regarding the IPv6 /32 cache, you should probably cache at /48 as
that is the size being assigned to organizations. /32s are going to
RIRs -- and being chopped into 65536 /48s. Seems like a more logical
cache boundary to me.

In IPv4 one way to increase the cost of performing a DDoS attack on
a webserver is of course to limit the number of connections possible
from one IP to some low number like 2 (default number a browser will
open to a vhost) or 4 (two browsers behind NAT). But with IPv6 anyone
who can fill out a web form can get more IPv6 addresses than there
are IPv4 addrs!

So what is the best practice for doing this with IPv6? Limiting
by /48s sounds good but I worry about whole organisations being
subject to limits rather than just individual nodes--the NAT
problem all over again.

Doug
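
The trade-off raised in this message, as an added example that is not part of the original post: a connection limiter that counts IPv4 clients per address and IPv6 clients per prefix. The class and function names, the limit of 2 and the sample addresses (from the 2001:db8::/32 documentation range) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def limit_key(addr, v6_prefix=48):
    """Return the network under which a client's connections are counted."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # count ::ffff:a.b.c.d as the IPv4 host it is
    if ip.version == 4:
        return ipaddress.ip_network(f"{ip}/32")
    # strict=False masks off the host bits, giving the covering prefix
    return ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False)

class ConnLimiter:
    """Caps concurrent connections per limit_key() bucket."""
    def __init__(self, max_conns=2, v6_prefix=48):
        self.max_conns = max_conns
        self.v6_prefix = v6_prefix
        self.active = defaultdict(int)

    def try_open(self, addr):
        key = limit_key(addr, self.v6_prefix)
        if self.active[key] >= self.max_conns:
            return False
        self.active[key] += 1
        return True

    def close(self, addr):
        key = limit_key(addr, self.v6_prefix)
        if self.active[key] > 0:
            self.active[key] -= 1

def accepted(limiter, addrs):
    """Number of connection attempts in addrs that the limiter lets through."""
    return sum(limiter.try_open(a) for a in addrs)

# Constructed sample: one client rotating through 100 addresses inside one /48.
ROTATING = [f"2001:db8:1:{i:x}::1" for i in range(100)]
# Constructed sample: three separate hosts of one organisation, two connections each.
ORG = [f"2001:db8:2::{h}" for h in (1, 2, 3) for _ in range(2)]

if __name__ == "__main__":
    for prefix in (128, 48):
        print(f"/{prefix}: rotating client gets",
              accepted(ConnLimiter(2, prefix), ROTATING),
              "of 100; organisation gets",
              accepted(ConnLimiter(2, prefix), ORG), "of 6")
```

Counting per /128 lets the rotating client through on every attempt, while counting per /48 holds it to the limit but also holds the three-host organisation to the same two connections.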


