Slashdot Mirror


IPv6 Flaw Could Greatly Amplify DDoS Attacks

tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"

17 of 258 comments

  1. Re:NOT COOL. by Jarjarthejedi · · Score: 2, Insightful

    He forgot Estonia!...wait, no he didn't...okay then...

    Seriously though, Estonia? Raise your hand if you know where that is. The only reason I ever recognize that is because I just finished a European History class where we had to memorize the current map of Europe; I'm sure if you asked me last year (or next year :P) I wouldn't know. Why not just say greedy teenager with a $300 Linux machine or, better yet, Greedy Nigerian Royalty with a $300 Linux machine.

    And why a $300 machine? If it can be done with Linux couldn't a greedy Estonian purchase some really cheap parts and build a $100 machine then install Linux on it? Or do all computers in Estonia cost $300 min?

    --
    There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
  2. Who gives a $%##? by toadlife · · Score: 3, Insightful

    Why you say?

    Because IPv6 will never be implemented widely anyway.

    Why will it not you say?

    Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Never mind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP Connection "Warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy than a multi-year dual-stack IPv4 to IPv6 transition would.

    Ok, I'm done ranting.

    Have a great weekend everyone! :)

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re:Who gives a $%##? by guruevi · · Score: 2, Insightful

      Hmm, just like people wouldn't switch from Coax to 8-wire UTP because Coax was more robust? Or people that wouldn't switch from Token Ring to Ethernet because Token Ring was better? Or people that wouldn't ever need the Internet? Or 640k is enough for anyone? Or "I'll never need/use a cell phone"? Or nobody will ever drop Netware...

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Who gives a $%##? by kestasjk · · Score: 3, Insightful

      I predict mobile carriers and devices will use it for VoIP, where it's a necessity, everyone else will follow.

      --
      // MD_Update(&m,buf,j);
    3. Re:Who gives a $%##? by Blondito · · Score: 2, Insightful

      Why? Why is it a necessity? Do you really think having publicly addressed cell phones and VoIP handsets in their millions on the internet is going to be a good thing? NAT might not be the prettiest idea around but it has advantages beyond just expanding the available IP address space, and the biggest advantage is security. Wouldn't it be great if I constantly had to patch my cell phone software because of vulnerabilities.

      --
      Whoever controls the present controls the past, whoever controls the past controls the future
    4. Re:Who gives a $%##? by toadlife · · Score: 3, Insightful

      NAT is *not* a security mechanism.

      The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  3. The IETF screwed the pooch on this one by possible · · Score: 4, Insightful

    As I understand it, it is not sufficient to simply ignore the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.

    However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".

    In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).

    1. Re:The IETF screwed the pooch on this one by Trepalium · · Score: 4, Insightful

      Standards bodies attract certain types of people, and it's no real surprise that the IETF is infested with them now. Read an ITU standard some day if you want to know how bad it can be. There's a reason why we use TCP/IP instead of the OSI protocol, why we use SMTP instead of X.400, LDAP instead of X.500, etc. For a rather depressing story about standards bodies, read the Wikipedia article about ATM about the choice of 48-byte payloads. I seriously doubt the IETF will ever be able to exorcise these people from its midst. Many of them were placed there to represent the interests of a particular corporation. Even if you replace the IETF with another standards organization, these same people would simply be moved into that organization.

      --
      I used up all my sick days, so I'm calling in dead.
  4. Re:How many people use IPv6 by jguthrie · · Score: 3, Insightful

    I've been using IPv6 for nearly a decade, but most of the IPv6 traffic on my LAN is local to the LAN. There are very few interesting places on the Internet that have IPv6 addresses and fewer end users coming from IPv6 capable nodes.

  5. The Japanese? by jd · · Score: 4, Insightful

    They already deploy IPv6 nationally. Just because the US domestic market is more sluggish than a salted slug, it would be wrong to assume everyone else is as bad.

    What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.

    • IPSec
    • Anycasting
    • Multicasting the ISPs can't turn off
    • Mobile IP
    • Mobile Networks
    • Extensible Headers
    • Router Discovery
    • Automatic Configuration
    • Per-destination MTU optimization

    There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. Re:NOT COOL. by ObjetDart · · Score: 3, Insightful

    I'm an American.

    I know where Estonia is.

    I, like a significant percentage of my fellow citizens, do not support Bush, his administration, nor the neo-con obsession with war-as-a-solution-to-everything.

    You sound like a bigot and I resent your smug stereotyping of Americans.

    --
    I read Usenet for the articles.
  7. Re:NOT COOL. by QuickFox · · Score: 3, Insightful

    You're right. I'm sorry. Sometimes frustration makes me overreact. My reaction was stupid. It's not the American people I'm frustrated with, it's the Bush administration. It does irk me that the American people re-elected such a destructive administration, but they were swayed by very skillful propaganda. It's no excuse for my stupidly generalizing outburst.

    You're right. I'm sorry.

    --
    Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
  8. Re:NOT COOL. by hardburn · · Score: 4, Insightful

    Quick! Find Liechtenstein on a map. How about San Marino? No cheating with Google Maps.

    There are a lot of countries and even more cultures within countries. Nobody can be expected to know all of them. While many Americans should be ashamed of not being able to find Iraq on a map, plenty of other countries play a much smaller role in world politics and nobody should blame anyone for not knowing about them.

    --
    Not a typewriter
  9. Re:Better idea by Watson+Ladd · · Score: 2, Insightful

    I did RTFM. What I meant is that each router along the path should check to make sure the route specified is not stupid, that is having the same IP address twice. If it does they should fix it.

    --
    Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
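    Two of the mitigations raised in this thread, dropping any packet that carries a Type 0 Routing Header (the position later codified in RFC 5095) and rejecting a routing header that lists the same address twice, as an added example that is not code from the article or any commenter; the packet builder, addresses and the simplified extension-header walk (hop-by-hop, routing, fragment, destination options only) are constructed for the demonstration.

```python
import struct
from ipaddress import IPv6Address

ROUTING_HEADER = 43
NO_NEXT_HEADER = 59
# Extension headers this walker understands: hop-by-hop, routing, fragment, destination options.
EXT_HEADERS = {0, 43, 44, 60}

def build_ipv6(src, dst, hops=None, rtype=0):
    """Constructed test input: an IPv6 packet, optionally carrying a routing header of type rtype."""
    if hops is None:
        body, nh = b"", NO_NEXT_HEADER
    else:
        addrs = b"".join(IPv6Address(h).packed for h in hops)
        # Routing header: next hdr, ext len (8-octet units excluding the first 8),
        # routing type, segments left, 4 reserved bytes, then the address list.
        body = struct.pack("!BBBB4x", NO_NEXT_HEADER, 2 * len(hops), rtype, len(hops)) + addrs
        nh = ROUTING_HEADER
    # Fixed header: version 6 (traffic class/flow label zero), payload length, next header, hop limit.
    fixed = struct.pack("!IHBB", 0x60000000, len(body), nh, 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + body

def find_routing_header(pkt):
    """Walk the extension-header chain; return (type, segments_left, [addresses]) or None."""
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        ext_len = 8 if nh == 44 else (pkt[off + 1] + 1) * 8  # fragment header has no length field
        if nh == ROUTING_HEADER:
            raw = pkt[off + 8: off + ext_len]
            addrs = [IPv6Address(raw[i:i + 16]) for i in range(0, len(raw), 16)]
            return pkt[off + 2], pkt[off + 3], addrs
        nh, off = pkt[off], off + ext_len
    return None

def forwarding_decision(pkt):
    """'drop' for any RH0, or for a routing header that repeats an address; otherwise 'forward'."""
    rh = find_routing_header(pkt)
    if rh is None:
        return "forward"
    rtype, _segments_left, addrs = rh
    if rtype == 0:
        return "drop"  # RH0 is dropped outright, whatever its address list looks like
    if len(set(addrs)) != len(addrs):
        return "drop"  # a repeated waypoint is what makes the amplification possible
    return "forward"

if __name__ == "__main__":
    sample = build_ipv6("2001:db8::1", "2001:db8::2", ["2001:db8::a", "2001:db8::b"] * 3)
    print(find_routing_header(sample), forwarding_decision(sample))
```

A Mobile IPv6 type 2 routing header with its single address still passes, so the policy rejects only what the thread is concerned with.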
  10. Re:NOT COOL. by smoker2 · · Score: 2, Insightful

    Much of the current population of the US are descendants of people who came here to get AWAY from all that - and figure out how to live together in peace ...
    Ha ha ha ha ha ha ha !

    Is that why they all but wiped out many of those tribes you just mentioned ?

    ... without tyrannical rulers and enforced, draconian, social homogenization.

    Well how's that working out for ya ?

    BTW, if you can show me a link to a world map showing the locations of all those tribes you mentioned I'd appreciate it - but in the meantime, the subject was COUNTRIES

    As for the rest of it, most of the rest of the world learn things about other countries and call it general knowledge. We don't regard our own particular neck of the woods as the be all and end all of everything that's important.

    There was a reason Team America always showed the distance from each foreign place to the US ...

  11. Intended or not... by ZxCv · · Score: 2, Insightful

    NAT is *not* a security mechanism.

    Whether or not it was intended, NAT *is* a security mechanism. Obviously not the best or the prettiest, but to say it provides no additional security is just ignorant.

    The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.

    Side effect or not, it provides additional security no matter how you look at it. From a purist's point of view, it certainly does break the peer to peer model of the internet. But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.

    --
    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
    1. Re:Intended or not... by Hatta · · Score: 2, Insightful

      NAT is not a security mechanism at all. Imagine the simplest NAT configuration where you have a 1:1 correlation between the internal IP and the external IP. No security there. The security comes from blocking ports, which can be done just by a firewall with no address translation. Just because most firewalls come with NAT doesn't mean they're the same thing.

      But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.

      Hardly, it breaks peer to peer apps, DCC, AIM file transfers, etc. You have to manually configure it to allow those ports, and only one computer on the inside network can use those services at any time.

      --
      Give me Classic Slashdot or give me death!