IPv6 Flaw Could Greatly Amplify DDoS Attacks
tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"
n/t
was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.
Please, if he were really that smart, he'd use an OLPC!
Clearly the problem here lies with Estonia, not IPv6.
That roughly translates to "It's so easy, an Estonian can do it".
Someone is gonna be buying them roast duck (with the mango salsa) soon.
You can hold down the "B" button for continuous firing.
Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.
Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
Why does the teenager have to be Estonian?
Could he be Nigerian? Please? With spam?
Or ROC, maybe. (Russian Organized Crime, not Republic of China.)
It can be exploited by any greedy Estonian teenager with a $300 Linux machine.
While that seems like a pretty narrow demographic, he forgot to mention that they also have to have a tattoo of a monkey on their arm, wear an eye-patch, speak Danish with a stutter when eating pickled herring, listen to Zulu chants on a purple Zune all day long and snort with a whistle when they 'laugh'.
Leave it in, but advise people to disable it for network security.
That already works for other problems, right?
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
Another fat racist computer nerd!
Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.
talking about bad line breaks
See? I told you linux was the best.
Why you say?
:)
Because IPv6 will never be implemented widely anyway.
Why will it not you say?
Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Nevermind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP Connection "Warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy than a multi-year dual-stack IPv4 to IPv6 transition would.
Ok, I'm done ranting.
Have a great weekend everyone!
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Show of hands... do YOU use IPv6?
How widespread is its use anyway?
--
Down with the government.
Up with the people.
http://www.metagovernment.org/
Hey! I'm a greedy Estonian teenager with a $300 Linux machine who has a tattoo of a monkey on my arm, wears an eye-patch, speaks Danish with a stutter when eating pickled herring, listens to Zulu chants on a purple Zune all day long and snorts without a whistle when I 'laugh', you insensitive clod!
As I understand it, it is not sufficient to simply ignore the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.
However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".
In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).
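The check behind the "DROP any packets containing these headers" advice in the comment above, as an added example that is not from the thread or from any project named in it. It walks the extension header chain of a raw IPv6 packet and flags a Routing header of type 0; the function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
IPV6_HDR_LEN = 40


def find_rh0(packet: bytes):
    """Return (verdict, detail): "drop" if a Type 0 Routing Header is present,
    "malformed" if the header chain cannot be parsed, otherwise "pass"."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return "malformed", "not an IPv6 packet"
    next_hdr, offset = packet[6], IPV6_HDR_LEN
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            return "malformed", "truncated extension header"
        if next_hdr == FRAGMENT:
            # The Fragment header is always 8 bytes. In a non-first fragment
            # the rest of the chain is not in this packet, so stop here.
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset != 0:
                return "pass", "non-first fragment, chain not visible"
            hdr_len = 8
        else:
            # Hdr Ext Len counts 8-byte units beyond the first 8 bytes.
            hdr_len = (packet[offset + 1] + 1) * 8
        if offset + hdr_len > len(packet):
            return "malformed", "extension header longer than packet"
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            # Routing Type 0: Hdr Ext Len is twice the number of addresses.
            n_addrs = packet[offset + 1] // 2
            segs_left = packet[offset + 3]
            return "drop", f"RH0 with {n_addrs} addresses, {segs_left} segments left"
        next_hdr = packet[offset]
        offset += hdr_len
    return "pass", "no RH0"


# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
def build_ipv6(next_hdr: int, payload: bytes, hop_limit: int = 64) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return fixed + src + dst + payload


def routing_header(rtype: int, hops: list, next_hdr: int = NO_NEXT) -> bytes:
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    return bytes([next_hdr, 2 * len(hops), rtype, len(hops)]) + bytes(4) + addrs


if __name__ == "__main__":
    rh0 = routing_header(0, ["2001:db8::a", "2001:db8::b"])
    # Destination Options header (PadN only) placed in front of the RH0
    dest_opts = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])
    samples = {
        "no extension headers": build_ipv6(NO_NEXT, b""),
        "RH0 directly after IPv6 header": build_ipv6(ROUTING, rh0),
        "RH0 behind destination options": build_ipv6(DEST_OPTS, dest_opts + rh0),
        "type 2 routing header": build_ipv6(ROUTING, routing_header(2, ["2001:db8::c"])),
        "RH0 cut short": build_ipv6(ROUTING, rh0)[:60],
    }
    for name, pkt in samples.items():
        print(f"{name:34s} -> {find_rh0(pkt)}")
```

Only Routing Type 0 is flagged; other routing types, such as the type 2 header in the samples, pass through.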
IPv6 is dangerous enough as it is. With over one million (or was it trillion) possible addresses for every freaking inch of the world, spammers and hackers could hide forever. The bad guys could never be found, never mind what they feel like doing. It's a disaster waiting to happen. What we need is an IPv5.
IIRC, the main reason the transitional scheme was dropped was because routers would need to track more states. Like they're not going to be tracking gigantic numbers of states in order to have a workable authenticated source-routing system.
However, there is one good thing about this. People might finally realize IPv6 is NOT an addressing scheme, it is a very powerful protocol. (Would you believe I had to correct a senior network engineer on that yesterday?)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
http://www.potaroo.net/ispcol/2007-05/6pong.html
Is something bigger going on that we don't know about? Just wondering.
How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.
Got to love new tech biting you in the butt.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
this post is over an hour old and I haven't seen
1: any jokes about how in soviet russia packets route YOU
2: any assertions that somehow microsoft or the *IAA are to blame
3: ????
4: profit!
note: not a networking guru and didn't even know it was possible to order a route, but if so, think of the possibilities to avoid known bogus "areas" of the web. Badguy's nodes, evil big brother nodes, "great firewall" nodes, etc.
What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.
There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Why don't you go and visit Estonia first before spewing garbage like that? Estonians are extremely slim and fit.
In fact I would bet almost anything that the only fat people you see on the street in Tallinn are either Russians or American tourists.
Why can't you do this with a $0 Linux machine?
Perhaps it's because IPv6 is a poorly designed, insecure solution in search of a problem?
Nice rant though.
It's a good thing that nobody is using IPv6. Otherwise we might have to worry about this exploit! ;)
Oh. No, wait, he said IPv6. Ok, then we got a little time to fix it. Even though it's about due in 2 years to become the next big thing. It has to, it's been due in 2 years for about 10 years now.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is particularly interesting to myself since I'm in the midst of working one of our company's products to be "IPv6 Ready" logo certified and DoD approved for their new buying cycle next year (which I am told all products must be to be on the "list"). I wonder if this will push that deadline back any...
The parent is quite an informative link, and as an additional positive, it's not on El Reg. ;)
Some history and information:
The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.
The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8 bit unsigned integer (i.e. 255 times).
While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.
One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL or own any equity or options on equity in the company).
Isn't the conventional wisdom that due to the end-to-end argument, it's OS and application problem by definition?
In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
You know those spam emails that have a nonsensical sentence or paragraph followed by a hot tip on cheap stocks??? yea this anonymous post reminds me of those emails... at least i can delete the emails..
Cheers from Soviet Estonia!
No words of wisdom here.
I don't really like IPv6 for several reasons, which I won't go into here.
But one thing IPv6 would solve for me is this problem:
My (Japanese) ISP is not anxious to have me serving the web from my house. (Not sure if I blame them, if there were a lot of people like me among their customers they'd probably have to start metering us and charging a few yen per GB of upload over some limit each month.) Anyway, a single static IP address from them would cost JPY6000 a month, if I remember right (and if things haven't changed).
IPv6 would take away their excuse for asking for so much money. I'm guessing they'd be hard pressed to find an excuse for not giving me a whole range of static addresses.
Of course, they could claim something about security and require DHCP anyway, I suppose.
The point is, the internet is supposed to evolve until every home has a communications server in their phone. Want a blog? On your own server. Blog gets popular? pay your ISP USD3.00 a month or something to mirror it. Mail? Web site? News? Etc.? On your phone.
NAT in its present form takes too much tweaking to do that.
As a protocol, IPv6 seems to have so many glaring omissions or just bad engineering issues. The first one... no use of firewalls or NAT devices. Hello here... firewalls are critically needed on the Internet, and many laws and regulations specify use of one. Now this... Guess most companies which value their reputations will be sticking with v4 until Doomsday.
Maybe he thinks IPv6 would prevent hiding behind a NAT.
Because it seems to me that this could be useful, so it makes sense to still forward these sorts of packets along.. but the default would be to do it optimally rather than following the explicit route.
One possible and very practical use for this could be to send data across networks that don't happen to share the same address space (ignoring the fact that IPv6 gives you so many addresses that you probably wouldn't ever _need_ to use different address spaces, it's still potentially possible that someone might _want_ to do this). So you use source routing to go first to the system that acts as the gateway between them and then the next IP in the list is on the other network.
File under 'M' for 'Manic ranting'
My mother speaks Estonian and can with some level of adaptation understand and express herself in a way that is understood by the Finnish, which I know for certain as my father is Finnish. Unfortunately, as I grew up in Sweden and was too much of an ungrateful kid to actually learn the languages of my parents, I can't directly comment on the similarity of the languages.
I second the opinion that the reference to an 'Estonian teenager' isn't very appropriate. It continues a strong, traditional and completely wrong tradition to separate 'us' and 'them'.
The patch was released on April 27. Now that's quick!
The OpenBSD project does a great job with security; other development teams could learn a lot from them.
Are you one of those people wanting to call DRM what ever it was, dce(?)
RCO is the thing the greater audience knows as the Russian mafia.
Can't this be done with a $300 Windows machine? Are they trying to piss off as many small groups of people as they can in a general negative comment like this??
Sweet! A second article I can ignore before commenting on this attack!
Neither does IPv4 - these things are separate to the spec and could be added on to IPv6 as well - although NAT is a kludge to get around running out of addresses which you would not currently need for IPv6.
There are a lot of IPv6 firewalls out there, the traffic has to be routed to get to you and your firewall at the incoming connection can block everything other than the required ports so long as it can understand IPv6.
There are some good books out there on networking. I recommend the O'Reilly one with the crab on the cover to avoid further embarrassment. The old editions likely to be found in a library probably still cover IPv6 (too old and it will be describing this new NAT thing).
In a study on kids, it was shown that the average US kid has less of a grasp on how the world is than the average kids of other continents. How was this done? They were all asked to make a rough map of all continents. Although all kids had a tendency to make their own continent a bit bigger in proportion to the rest of the world, the biggest and most extreme deformation was with US kids, who in many cases only drew the North American continent with some "blob" beside N-A representing the other continents. So this study clearly made a quantified demonstration that, at least in low grades, US kids have a less good grasp on geography than other kids.
Now granted this cannot be expanded to say "US adults have too little a grasp on geography", but some anecdotal evidence with CNN (showing Austria as Hungary on TV, if I remember, and others of the same type) at least gives an indication that at some level it might not be completely false to pretend that US adults have a poor grasp on world geography too. And if I may add, on world politics too, but that is my opinion.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
And where does Elbonia fit in?
mmm mud
Instead of making the next generation IP standard a simple extension that makes address fields a little larger and maybe fixes one or two long standing bugs, the IPv6 people redesigned things from scratch.
It's no wonder people are reluctant to adopt IPv6.
http://jyte.com/cl/estonian-teenagers-run-linux-greedy-estonian-teenagers-run-windows-from-piratebay.org
NAT is *not* a security mechanism.
Whether or not it was intended, NAT *is* a security mechanism. Obviously not the best or the prettiest, but to say it provides no additional security is just ignorant.
The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.
Side effect or not, it provides additional security no matter how you look at it. From a purist's point of view, it certainly does break the peer to peer model of the internet. But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Excuse me, but I believe Russians are the DDOS attackers, especially lately, when they are bombing Estonia IT networks because of their stupid monument.
I live in Estonia, and no, I don't speak Russian language.
Now, maybe a big part of the world doesn't even know where Estonia is, but we are quite an advanced IT country, here are some examples:
* We got National ID cards - and loads of services that use it as identification
* We just launched a cellphone based ID service, that basically replaces the need for a smart card reader and allows identification from anywhere in Estonia.
* We have E-Government
* Our internet banks are surely in the top 3 world wide from feature perspective
* And last, but not least, there's Skype
syn ack syn ack syn ack aieeeee thud!
The purpose of existence is to make money.
The CanSecWest presentation that started all this is available here.
"RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80."
You see, the "911 times 100" joke worked because it was a number, RH0 isn't even hex. For shame.
DragonflyBSD 1.4.x, 1.6.x, and 1.8.x systems have already been patched.
This very serious message urging all users to upgrade was posted on their mailing list earlier this week: DFBSD Message 2007/5/63
I second the motion.
"Yes. Want to do a file transfer between your machine and your friend's, when both of you are on mobile connections? Well, it's pretty easy, your IP is 10.23.45.102 and his is 10.24.53.12, one of you just needs to connect to the other. Oh, you're using different mobile providers? And you're on different instances of the 10/8 private subnet? Well, then you're screwed, unless one of you happens to have a server outside the enormous NAT'd range that you can use as an intermediate."
Nobody cares about doing a transfer between IP addresses. They DO care about doing a transfer between text names that are easy to remember. And with that, it makes no difference if you're using IPv4 or IPv6.
What IPv6 can buy you is less overhead in the routing required. But routing is cheap enough nowadays, which is one of the reasons why IPv6 hasn't taken off.
this isn't a bug, it's a hidden feature. it's in place because ipv6 was made by the dark side of the force
(With Chicaga twang) Like Kansas and Kentucky, Dey're over by dere.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Can you elaborate on "Multicasting the ISP's can't turn off"? Or, in general, how does IPV6 address any of the issues that have prevented widespread multicast support?
That IPv4 is not intelligently designed?
XML is like violence. If it doesn't solve the problem, use more.
Explicit source routing isn't the only way some attacker could amplify their DOS attack. A very common problem with IPv6 is that folks forget to set a reject route to absorb their unused networks. Without something in the ipv6 routing table to tell the gateway machine that these addresses are "mine" but unused, the packets will get sent back up the default route to the upstream gateway. That gateway will notice that the packet is meant for your net and will send it right back. Some attacker that notices this misconfiguration can then proceed to send packets with a very long TTL and proceed to have the packet bounce up and down the link approximately 250 times. The fix is to set up a reject route for your assigned /48 (or whatever your upstream gives you).
My notes from just setting up an ipv6 tunnel under FC6 (fedora).
http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html
Is that why they all but wiped out many of those tribes you just mentioned ?
...
... without tyrannical rulers and enforced, draconian, social homogenization.
If you want to know what happened to the American Indians you can ask them - or their mixed-race descendants. Like my wife. Or a significant number of my friends. (Unfortunately it's a couple years too late to ask the person who was perhaps my closest (just) friend for four decades...)
There was a lot of death due to European diseases. But contrary to popular myth, germ warfare was NOT used against them by the US. (One English general did do it before the Revolution.) When epidemics got started the Indians and non-Indian settlers worked together to try to mitigate them: Diseases like smallpox were a threat to all.
Tribes were some of the first adopters of the smallpox vaccine. (The Sioux had a gold medal struck and sent to Jenner.)
The Indians are still here - in large numbers. (The Mohicans periodically issue press releases to point out that, contrary to the book title, they're still around. B-) ) There aren't a lot of fullbloods - but there aren't a lot of full-blooded English-Americans, or French-Americans, or Whatever-Americans, either. There was a lot of intermarriage. Many of those of Indian ancestry found it convenient not to mention it - sometimes even to their offspring.
"Redneck" isn't just about getting your neck sunburned if you work outdoors and have a short haircut. It's also about having a high likelihood of some Indian bloodline. Many of the Indians - both fullblood and partbreed - have assimilated into the general population of the US. They're farmers and ranchers, civil engineers, high-iron workers, merchants, professors, computer scientists, nanotechnologists,
Well how's that working out for ya ?
A lot better than you'd think if you're depending on the media - especially ours - to tell you. B-) And a WHOLE lot better, over virtually all of the last quarter-millennium, than the European alternatives.
BTW, if you can show me a link to a world map showing the locations of all those tribes you mentioned I'd appreciate it
Here you go. There are links to a full-sized PDF and an index. The ones outside the continental US can be found easily as well.
- but in the meantime, the subject was COUNTRIES.
These ARE countries. THAT was my POINT. Most of them just happen to be surrounded by various parts of the United States.
"Indian nation" is NOT a feel-good term used by the soppy-headed. It's a literal, legal, reality. These are independent, sovereign nations, with their own territories, borders, and so on. Most of them have treaty-based alliances with the US federal government. Some don't. They have automatic US citizenship - much like the citizens of Puerto Rico. They are exempt from some US taxes - which ones depend on treaty terms and whether they're living on the res or off it. Some tribes receive ongoing payments - think "rent" - as part of whatever settlement allowed non-tribal members to settle some of their lands.
They're countries in an alliance with the US. They have more independence than the "several states" (which subordinated all their foreign policy, interstate commerce regulation, and currency matters to the federation). They're also far more independent of the US than satellites of the USSR (such as Estonia) were of Russia - or than the member states of the European Union are likely to be of their own central government within a couple decades.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Now where can I bone up on the info you mentioned?
Start here. It has links to a lot of useful stuff, mainly on US Government sites.
Google is your friend. Things like info on the Six Nations' declaration of war on the Germans are easy to find with searches like "Iroquois war Germany".
Speaking of whom: It was the Iroquois Confederacy that was the main inspiration - primarily through Franklin - for the structure of the federal government of the United States. Prior to the discovery of their working Republic and its long history (which has been described as "outdoing the Romans"), the history of democracy and republican forms in Europe - particularly certain episodes from Greece - were used as royalist propaganda. They were cautionary tales about why government of the people was doomed to failure and despotic rule by a member of an elite was allegedly necessary.
Quite a bit of this history has been unearthed in recent decades. A search for "Iroquois Franklin" will point you to quite a bit of it, such as full online text of Bruce Johansen's The Forgotten Founders
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way