[129351] in North American Network Operators' Group


Re: just seen my first IPv6 network abuse scan, is this the start

daemon@ATHENA.MIT.EDU (Matthias Flittner)
Fri Sep 3 09:07:57 2010

Date: Fri, 03 Sep 2010 15:07:40 +0200
From: Matthias Flittner <matthias.flittner@de-cix.net>
To: nanog@nanog.org
In-Reply-To: <AANLkTikLa+15SQwz9eEnU1iaUbyHMgMccJDtuCNVHkx8@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


> However this scan was from a external host. The only traffic I saw on
> the subnet was normal/valid NA lookups from the router towards an
> increasing IPv6-address (starting with ::1, then ::2 etc). On the
> router side I clearly saw the icmp traffic from the source doing a
> scan on these destination hosts.
Typically this fills the NC with faked entries and exhausts the node's
cache resources. "This interrupts the normal functions of the targeted
IPv6 node."

In other words: The attacker sends a lot of ICMPv6 echo requests to your
/64 subnet. Your router has to resolve these addresses internally (each NA
is stored in the NC of the router). The node's cache resources are exhausted
and no "normal" NA could be stored. I think that was your problem.

Unfortunately there is no standardized way to mitigate these attacks yet.

However there are many approaches which could help or could be discussed
(like http://www.freepatentsonline.com/20070130427.pdf or other).

best regards,
-F
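
The Neighbor Cache exhaustion described in this message, as a small Python model added here (it is not part of the original post and not any router vendor's implementation). It compares a cache where unresolved entries share all slots with one that caps unresolved entries; that cap is an illustrative assumption, not a standardized mitigation, and the prefix, cache sizes and class and function names are constructed for the example.

```python
import ipaddress

class NeighborCache:
    """Toy model of a router's IPv6 Neighbor Cache (NC) for one /64.
    Entry timeouts are ignored: the model covers one burst of scan traffic."""

    def __init__(self, capacity, incomplete_limit=None):
        self.capacity = capacity                  # total NC slots
        self.incomplete_limit = incomplete_limit  # None = naive shared cache
        self.entries = {}                         # address -> state

    def count(self, state):
        return sum(1 for s in self.entries.values() if s == state)

    def packet_for(self, addr):
        """Inbound packet for addr: the router must start resolution,
        which creates an INCOMPLETE entry while it waits for an NA."""
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False                          # cache is full
        if (self.incomplete_limit is not None
                and self.count("INCOMPLETE") >= self.incomplete_limit):
            return False                          # unresolved quota used up
        self.entries[addr] = "INCOMPLETE"
        return True

    def neighbor_learned(self, addr):
        """A real host on the link is learned: needs a slot to be stored."""
        if addr not in self.entries and len(self.entries) >= self.capacity:
            return False                          # "no normal NA could be stored"
        self.entries[addr] = "REACHABLE"
        return True

def simulate(capacity, incomplete_limit, scan_size=1000):
    """Replay a sequential scan (::1, ::2, ...) and then one real host.
    Returns (real host stored?, number of INCOMPLETE entries)."""
    prefix = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix
    nc = NeighborCache(capacity, incomplete_limit)
    for i in range(1, scan_size + 1):
        nc.packet_for(prefix[i])                  # nobody answers these
    real_host = prefix[0xABCD]                    # constructed, outside the scan
    return nc.neighbor_learned(real_host), nc.count("INCOMPLETE")

if __name__ == "__main__":
    print("shared cache :", simulate(256, None))
    print("capped cache :", simulate(256, 64))
```

With all 256 slots shared, the scan fills the cache and the real neighbor cannot be stored; with unresolved entries capped at 64, the scan is contained and the real neighbor still gets a slot.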



