DDoS and IPv6?
Shadow Hawkins on Sunday, 16 November 2008 18:15:55
Based on the current variety of DDoS attacks, would IPv6 have an impact on them? For example, is there anything in the design that would make them easier, harder or simply have no impact?
Shadow Hawkins on Monday, 17 November 2008 00:10:21
In regard to DDoS attacks I think there is little change.
But in regard to DoS attacks I think IPv6 might make it easier to exhaust resources. But on the other hand that sort of attack can usually be stopped with a good blackhole route.
Jeroen Massar on Tuesday, 18 November 2008 14:29:53
> that sort of attack can usually be stopped with a good blackhole route.
Which means that the (D)DoS is still taking out the rest of your infrastructure and that all the valid clients can't reach the host either, thus having denied the service (DoS = Denial of Service) for all the valid clients.
From a (D)DoS kiddie perspective, if you blackhole your own service to 'protect' it against (D)DoS it is a successful denial of service too, as your service is not reachable for valid clients, and that is what they want to achieve.
As for the original question: it doesn't matter, if I send 100Gbit/s IPv4 or IPv6 they are in both cases going to fill up all your upstream connectivity and take you out.
There are a few workable solutions for this. Anycasting your service being one of the better options at the moment. Next to of course services who 'scrub' your connectivity, which is nearly impossible with a flash-mob kind of attack, slashdot-alike activity or 9/11 happening and taking CNN out because of the way too many requests.
Shadow Hawkins on Tuesday, 18 November 2008 23:19:13
Well, I was more thinking of doing this on the source. So if you start getting loads of random sessions from all over the 2001:0DB8:1234::/48 network you can blackhole that network and make it a bit harder for them to consume your resources.
If you go toe-to-toe the one with the most bandwidth usually wins. But in some scenarios just blackholing that network may stop them.
But I think the matter is much more complex than a simple thread here might do justice.
When it comes to resources like claiming sessions, having the ability to generate traffic from a /64 network to a single host may result in resources being overwhelmed on the host end without causing too much trouble on the attacker's side.
I think that is also where the most recent hype was pointing at.
But that is where a simple filter or blackhole route might save you.
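An added example, not part of the thread: a sketch of the source-side filtering discussed above, counting distinct IPv6 sources per covering prefix to find the narrowest network worth filtering. The function names, the threshold and the sample addresses (constructed from the 2001:db8::/32 documentation range) are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

def noisy_prefixes(sources, length, threshold):
    """Return {prefix: distinct source count} for /length prefixes at or over threshold."""
    seen = defaultdict(set)
    for s in sources:
        addr = ipaddress.ip_address(s)
        if addr.version != 6:
            continue  # this sketch only aggregates IPv6 sources
        net = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        seen[net].add(addr)
    return {net: len(a) for net, a in seen.items() if len(a) >= threshold}

def narrowest_filter(sources, threshold, lengths=(64, 56, 48)):
    """Try the most specific prefix length first, widening only when
    no prefix at that length reaches the threshold."""
    for length in lengths:
        hits = noisy_prefixes(sources, length, threshold)
        if hits:
            return length, hits
    return None, {}

# Constructed sample: 300 session sources spread over one /48, each in its
# own /64 (at most two per /56), plus three unrelated clients.
SAMPLE = [f"2001:db8:1234:{(i * 211) % 65536:x}::{i + 1:x}" for i in range(300)]
SAMPLE += ["2001:db8:beef:1::10", "2001:db8:beef:1::11", "2001:db8:cafe:7::1"]

if __name__ == "__main__":
    length, hits = narrowest_filter(SAMPLE, threshold=100)
    for net, count in hits.items():
        print(f"/{length} candidate: {net} ({count} distinct sources)")
```

Per-/64 counting sees nothing unusual in this sample because every source sits in a different /64; only the /48 aggregate crosses the threshold, and any valid clients inside that /48 would be filtered along with it.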