[137280] in North American Network Operators' Group
Re: Failure modes: NAT vs SPI
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Feb 10 15:54:00 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <201102101053.59300.lowen@pari.edu>
Date: Thu, 10 Feb 2011 12:52:08 -0800
To: Lamar Owen <lowen@pari.edu>
Cc: nanog@nanog.org
On Feb 10, 2011, at 7:53 AM, Lamar Owen wrote:
> On Monday, February 07, 2011 04:33:23 am Owen DeLong wrote:
>> 1. Scanning even an entire /64 at 1,000 pps will take 18,446,744,073,709,551 seconds
>> which is 213,503,982,334 days or 584,542,000 years.
>>
>> I would posit that since most networks cannot absorb a 1,000 pps attack even without
>> the deleterious effect of incomplete ND on the router, no network has yet had even
>> a complete /64 scanned. IPv6 simply hasn't been around that long.
>
> Sounds like a job for a 600 million node botnet. You don't think this hasn't already crossed botnet ops minds?
The point is that you DOS the network on traffic before you can usefully scan it.
A 600 million node botnet scanning a /64 on a gigabit ethernet can still only successfully
inject ~1,000,000 PPS or less. Even if we assume a 1,000,000 pps success rate, you've
only reduced the scan time to 584,542 years.
Even if you're somehow able to get 600 million nodes to successfully inject
1,000,000,000 packets per second (an unachievable number in any
present day technology) you still need 584 years to scan a single /64 subnet.
Owen