Slashdot Mirror


IPv6 Flaw Could Greatly Amplify DDoS Attacks

tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"

10 of 258 comments

  1. Better idea by Watson+Ladd · · Score: 4, Interesting

    Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.

    --
    Inventions have long since reached their limit, and I see no hope for further development. -- Frontinus, 1st cent. AD
  2. Re:A better idea. by Anonymous Coward · · Score: 3, Interesting

    The problem is that it's a mandatory part of the spec. BTW, Microsoft is not affected: The Windows IPv6 stack doesn't implement that feature. (It is the equivalent to source routing in IPv4, which is not allowed anywhere.)

  3. Even better idea by jd · · Score: 2, Interesting
    Originally, IPv6 handled mobile IP by migrating the routing information up through the routers, and by using transitional IP addressing. You kept the same suffix, not the same address, as you moved from network to network. But for some certain length of time, you had both the old address and the new one. This allowed for a totally clean transition and has the same observable effect as source-based routing, but is not subject to this DDoS attack strategy.

    IIRC, the main reason the transitional scheme was dropped was because routers would need to track more states. Like they're not going to be tracking gigantic numbers of states in order to have a workable authenticated source-routing system.

    However, there is one good thing about this. People might finally realize IPv6 is NOT an addressing scheme, it is a very powerful protocol. (Would you believe I had to correct a senior network engineer on that yesterday?)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Nothing New by jjeffrey · · Score: 4, Interesting

    How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.
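Added example, not part of the thread or the article: one way a filter could recognise the packets this comment suggests dropping, by walking the IPv6 extension-header chain and matching a Routing header of type 0 wherever it sits in the chain. The function names, the fail-closed policy and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_rh0(packet: bytes):
    """Walk the extension-header chain; return (segments_left, hop_count)
    for a Type 0 Routing Header, or None. ValueError if malformed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[offset], packet[offset + 1]
        # Fragment headers are a fixed 8 bytes; the rest are (len + 1) * 8.
        size = 8 if next_header == FRAGMENT else (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("extension header overruns packet")
        if next_header == ROUTING and packet[offset + 2] == 0:
            return packet[offset + 3], ext_len // 2  # RH0: 16 bytes per hop
        if next_header == FRAGMENT:
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:  # later fragment: what follows is not a header
                return None
        next_header, offset = following, offset + size
    return None

def should_drop(packet: bytes) -> bool:
    """Assumed policy: drop any RH0, and fail closed on malformed chains."""
    try:
        return find_rh0(packet) is not None
    except ValueError:
        return True

# --- constructed sample packets (documentation-prefix addresses) ---
def build_ipv6(next_header: int, payload: bytes) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

HOP = ipaddress.IPv6Address("2001:db8::a").packed
RH0 = bytes([NO_NEXT, 4, 0, 2]) + bytes(4) + HOP * 2   # type 0, two hops left
RH2 = bytes([NO_NEXT, 2, 2, 1]) + bytes(4) + HOP       # type 2, not matched
PAD8 = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])           # Destination Options, PadN only
SAMPLES = {"direct": build_ipv6(ROUTING, RH0), "behind_dstopts": build_ipv6(DEST_OPTS, PAD8 + RH0),
           "type2": build_ipv6(ROUTING, RH2), "plain": build_ipv6(NO_NEXT, b"")}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "DROP" if should_drop(pkt) else "pass")
```

The "behind_dstopts" sample is the case a filter that only inspects the first Next Header value would miss.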

  5. Re:Who gives a $%##? by Organic+Brain+Damage · · Score: 5, Interesting

    Never mind the fact that the insanely ridiculous kludge...

    Check our DNA. We are, essentially, insanely ridiculous kludges. Nothing but organically accreted fixes to a long series of problems. Why should anyone be surprised that our technology mirrors this fundamental aspect of ourselves?
  6. Estonian is like Finnish indeed - Not Russian by Siker · · Score: 3, Interesting

    My mother speaks Estonian and can with some level of adaptation understand and express herself in a way that is understood by the Finnish, which I know for certain as my father is Finnish. Unfortunately, as I grew up in Sweden and was too much of an ungrateful kid to actually learn the languages of my parents, I can't directly comment on the similarity of the languages.

    I second the opinion that the reference to an 'Estonian teenager' isn't very appropriate. It continues a strong, traditional and completely wrong tradition to separate 'us' and 'them'.

  7. Re:How many people use IPv6 by jguthrie · · Score: 2, Interesting
    The benefits? None that I can think of at the moment. In fact, while my initial connection was a pretty stable one to the 6bone through Sprint, the current connection is flaky as hell and it's a minor pain to keep checking it to make sure I can ping the other end of the tunnel. One of these days, I'll automate the testing and reconnection of it, but it'll have to wait until it's a whole lot more important to me. Mostly I just ignore it and test it when I think about it. The only thing that it hurts when it's done is if the place I'm getting to has an AAAA record, the attempted connection to the IPv6 address has to time out before it retries the IPv4 address, so a very few sites are slower.


    The original reason I got an IPv6 connection was to see what it took to set up an IPv6 network, and I had this T1 to Sprint and Sprint offered free tunnels to the 6bone so, I figured, why not? I mean, IPv6 was the next big thing (or so they told me) in the late 90's, so I was trying to be ahead of the curve. Eventually, I set up tunnels between my ISP and what was then my day job and my house and I (briefly) enjoyed the benefits of being able to SSH directly from one workstation behind a NAT connection to another workstation behind a different NAT connection. Yahoo.

    When my ISP went under, and the 6bone went away, I got a connection to one of the public tunnel brokers, and it worked for a while. Then I changed my feed to Time Warner and the first cablemodem filtered protocol 41, so the tunnel wouldn't work no matter what I did. After replacing the cablemodem for other reasons, (and waiting long enough for me to wonder if it would work with the new equipment) I was able to get a tunnel to a tunnel broker and I've had a block of addresses ever since. (2001:5c0:8305::/48, in case you're wondering.) Some people have a garden. I have a home network and I enjoy puttering about with it from time to time. (The rest of the time it's a freakin' nuisance.)

  8. Re:NOT COOL. by bheer · · Score: 1, Interesting

    Estonia's also home of the guys who created Kazaa (before it sold out and became adware). They then went on to create Skype (whose technicians still work out of Estonia IIRC), and now Joost.

    Estonia's one of the more happening places in the European VC scene due in no small part to their activities.

  9. Re:s anybody surprised that Paul Vixie by Anonymous Coward · · Score: 1, Interesting

    Trivia: Vixie (of BIND fame as indicated in parent) co-wrote a book on sendmail. He sure knows how to pick 'em.

  10. Re:s anybody surprised that Paul Vixie by MROD · · Score: 4, Interesting

    Sendmail was the right tool for its time.

    This was a time when there were huge numbers of different network address formats which had to have mail routed to/from/between. That's why it's all about rewriting addresses and not about processing the message. (It is also why it's so complex, as it had to be flexible enough to handle IP, Usenet (i.e. bang paths), reversed domain-type addressing, so you needed a complex language to deal with it.)

    Remember also, this was an age before the virus and when the most malicious thing was the war dialler or phone phreaker with his trusty 300 baud acoustic coupler modem. Built-in security and thinking about buffer overflows weren't really even in the background of the programmers' minds back then.

    Times have changed, hence Sendmail just isn't an appropriate tool anymore, just like the stage coach. It doesn't mean that it's bad software.

    --

    Agrajag: "Oh no, not again!"