IPv6 Flaw Could Greatly Amplify DDoS Attacks
tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"
n/t
was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.
Please, if he were really that smart, he'd use an OLPC!
Clearly the problem here lies with Estonia, not IPv6.
That roughly translates to "It's so easy, an Estonian can do it".
Someone is gonna be buying them roast duck (with the mango salsa) soon.
You can hold down the "B" button for continuous firing.
Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.
Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
Leave it in, but advise people to disable it for network security.
That already works for other problems, right?
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
Well that covers a lot more people, then.
Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.
hey! It's not nice to call people nerds.
Hei! That's not a monkey on my arm, it's a chimpanzee!
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
Why you say?
:)
Because IPv6 will never be implemented widely anyway.
Why will it not you say?
Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Never mind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP Connection "Warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy than a multi-year dual-stack IPv4 to IPv6 transition would.
Ok, I'm done ranting.
Have a great weekend everyone!
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
You forgot his purple t-shirt with a picture of a tiger in yellow and green attacking a mouse. How could you forget the t-shirt? Especially that t-shirt!
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
As I understand it, it is not sufficient to simply ignore the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.
However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".
In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).
IIRC, the main reason the transitional scheme was dropped was because routers would need to track more states. Like they're not going to be tracking gigantic numbers of states in order to have a workable authenticated source-routing system.
However, there is one good thing about this. People might finally realize IPv6 is NOT an addressing scheme, it is a very powerful protocol. (Would you believe I had to correct a senior network engineer on that yesterday?)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
http://www.potaroo.net/ispcol/2007-05/6pong.html
Is something bigger going on that we don't know about? Just wondering.
How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.
I've been using IPv6 for nearly a decade, but most of the IPv6 traffic on my LAN is local to the LAN. There are very few interesting places on the Internet that have IPv6 addresses and fewer end users coming from IPv6 capable nodes.
Got to love new tech biting you in the butt.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.
There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It's a good thing that nobody is using IPv6. Otherwise we might have to worry about this exploit! ;)
Oh. No, wait, he said IPv6. Ok, then we got a little time to fix it. Even though it's about due in 2 years to become the next big thing. It has to, it's been due in 2 years for about 10 years now.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is particularly interesting to me since I'm in the midst of working on one of our company's products to be "IPv6 Ready" logo certified and DoD approved for their new buying cycle next year (which I am told all products must be to be on the "list"). I wonder if this will push that deadline back any...
Some history and information:
The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.
The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8 bit unsigned integer (i.e. 255 times).
While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.
One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL or own any equity or options on equity in the company).
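Added example, not part of any comment in this thread: a Python sketch of the drop-on-sight policy suggested above, using the RH0 layout from RFC 2460 that the history comment refers to (Hdr Ext Len counts 8-octet units, so the address count is half of it). The names `find_rh0` and `verdict`, the fail-closed handling of malformed packets, and the sample packets built from 2001:db8:: documentation addresses are all assumptions made for illustration.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, ICMPV6, DEST_OPTS = 0, 43, 44, 51, 58, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}

def find_rh0(packet: bytes) -> list:
    """Walk the extension-header chain; return one dict per Type 0 Routing Header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            size = 8                        # fixed-size header
        elif next_header == AUTH:
            size = (length_field + 2) * 4   # AH counts 4-octet units, minus 2
        else:
            size = (length_field + 1) * 8   # 8-octet units, first 8 not counted
        if offset + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        if next_header == ROUTING and packet[offset + 2] == 0:
            start, count = offset + 8, length_field // 2
            addrs = [str(IPv6Address(packet[start + 16 * i:start + 16 * (i + 1)]))
                     for i in range(count)]
            found.append({"segments_left": packet[offset + 3],
                          "hop_limit": packet[7], "addresses": addrs})
        if next_header == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            break  # non-first fragment: what follows is payload, not a header
        next_header, offset = following, offset + size
    return found

def verdict(packet: bytes) -> str:
    """DROP any packet carrying RH0; malformed packets are dropped too (assumption)."""
    try:
        return "DROP" if find_rh0(packet) else "PASS"
    except ValueError:
        return "DROP"

# --- Constructed sample packets (never sent anywhere; documentation prefix only) ---
def _ipv6(next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (header + IPv6Address("2001:db8::1").packed
            + IPv6Address("2001:db8::2").packed + payload)

def _routing(next_header: int, rtype: int, addresses: list) -> bytes:
    body = b"".join(IPv6Address(a).packed for a in addresses)
    return bytes([next_header, 2 * len(addresses), rtype, len(addresses)]) + bytes(4) + body

ECHO = bytes(8)  # placeholder ICMPv6 body
PADDED_OPTS = lambda nxt: bytes([nxt, 0, 1, 4, 0, 0, 0, 0])  # Dest Options with PadN
HOPS = ["2001:db8:a::1", "2001:db8:b::1"]

BENIGN = _ipv6(DEST_OPTS, PADDED_OPTS(ICMPV6) + ECHO)
RH0_DIRECT = _ipv6(ROUTING, _routing(ICMPV6, 0, HOPS) + ECHO)
RH0_HIDDEN = _ipv6(DEST_OPTS, PADDED_OPTS(ROUTING) + _routing(ICMPV6, 0, HOPS) + ECHO)
TYPE2 = _ipv6(ROUTING, _routing(ICMPV6, 2, ["2001:db8:c::1"]) + ECHO)

if __name__ == "__main__":
    for name in ("BENIGN", "RH0_DIRECT", "RH0_HIDDEN", "TYPE2"):
        print(name, verdict(globals()[name]))
```

The `RH0_HIDDEN` sample is why the whole chain is walked rather than only the first Next Header value, and `TYPE2` shows that only routing type 0 is matched.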
Perhaps you should explain to him what Tallinn is before he tries ordering one at a restaurant.
Isn't the conventional wisdom that due to the end-to-end argument, it's OS and application problem by definition?
What's so insecure about IPv6?
In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
I don't know how you still have a positive score for that comment. Have you ever met Paul Vixie? I have. He's a great man with a good sense of humor (see http://en.wikiquote.org/wiki/Paul_Vixie). Now can we just take this quote to mean that exploiting this part of the IPv6 specification has an extremely low barrier to entry as it was intended and move along?
You know those spam emails that have a nonsensical sentence or paragraph followed by a hot tip on cheap stocks? Yeah, this anonymous post reminds me of those emails... at least I can delete the emails.
Cheers from Soviet Estonia!
No words of wisdom here.
I don't really like IPv6 for several reasons, which I won't go into here.
But one thing IPv6 would solve for me is this problem:
My (Japanese) ISP is not anxious to have me serving the web from my house. (Not sure if I blame them, if there were a lot of people like me among their customers they'd probably have to start metering us and charging a few yen per GB of upload over some limit each month.) Anyway, a single static IP address from them would cost JPY6000 a month, if I remember right (and if things haven't changed).
IPv6 would take away their excuse for asking for so much money. I'm guessing they'd be hard pressed to find an excuse for not giving me a whole range of static addresses.
Of course, they could claim something about security and require DHCP anyway, I suppose.
The point is, the internet is supposed to evolve until every home has a communications server in their phone. Want a blog? On your own server. Blog gets popular? pay your ISP USD3.00 a month or something to mirror it. Mail? Web site? News? Etc.? On your phone.
NAT in its present form takes too much tweaking to do that.
As a protocol, IPv6 seems to have so many glaring omissions or just bad engineering issues. The first one... no use of firewalls or NAT devices. Hello here... firewalls are critically needed on the Internet, and many laws and regulations specify use of one. Now this... Guess most companies which value their reputations will be sticking with v4 until Doomsday.
Maybe he thinks IPv6 would prevent hiding behind a NAT.
Because it seems to me that this could be useful, so it makes sense to still forward these sorts of packets along.. but the default would be to do it optimally rather than following the explicit route.
One possible and very practical use for this could be to send data across networks that don't happen to share the same address space (ignoring the fact that IPv6 gives you so many addresses that you probably wouldn't ever _need_ to use different address spaces, it's still potentially possible that someone might _want_ to do this). So you use source routing to go first to the system that acts as the gateway between them and then the next IP in the list is on the other network.
File under 'M' for 'Manic ranting'
a racial slur
:P
Being Estonian is not a slur, sir, it's a compliment!
It all depends on your point of view, racist
Seven puppies were harmed during the making of this post.
My mother speaks Estonian and can with some level of adaptation understand and express herself in a way that is understood by the Finnish, which I know for certain as my father is Finnish. Unfortunately, as I grew up in Sweden and was too much of an ungrateful kid to actually learn the languages of my parents, I can't directly comment on the similarity of the languages.
I second the opinion that the reference to an 'Estonian teenager' isn't very appropriate. It continues a strong, traditional and completely wrong tradition to separate 'us' and 'them'.
The patch was released on April 27. Now that's quick!
The OpenBSD project does a great job with security; other development teams could learn a lot from them.
The original reason I got an IPv6 connection was to see what it took to set up an IPv6 network, and I had this T1 to Sprint and Sprint offered free tunnels to the 6bone so, I figured, why not? I mean, IPv6 was the next big thing (or so they told me) in the late 90's, so I was trying to be ahead of the curve. Eventually, I set up tunnels between my ISP and what was then my day job and my house and I (briefly) enjoyed the benefits of being able to SSH directly from one workstation behind a NAT connection to another workstation behind a different NAT connection. Yahoo.
When my ISP went under, and the 6bone went away, I got a connection to one of the public tunnel brokers, and it worked for a while. Then I changed my feed to Time Warner and the first cablemodem filtered protocol 41, so the tunnel wouldn't work no matter what I did. After replacing the cablemodem for other reasons, (and waiting long enough for me to wonder if it would work with the new equipment) I was able to get a tunnel to a tunnel broker and I've had a block of addresses ever since. (2001:5c0:8305::/48, in case you're wondering.) Some people have a garden. I have a home network and I enjoy puttering about with it from time to time. (The rest of the time it's a freakin' nuisance.)
Can't this be done with a $300 Windows machine? Are they trying to piss off as many small groups of people as they can in a general negative comment like this??
Neither does IPv4 - these things are separate from the spec and could be added on to IPv6 as well - although NAT is a kludge to get around running out of addresses which you would not currently need for IPv6.
There are a lot of IPv6 firewalls out there, the traffic has to be routed to get to you and your firewall at the incoming connection can block everything other than the required ports so long as it can understand IPv6.
There are some good books out there on networking. I recommend the O'Reilly one with the crab on the cover to avoid further embarrassment. The old editions likely to be found in a library probably still cover IPv6 (too old and it will be describing this new NAT thing).
In a study on kids, it was shown that the average US kid has less of a grasp on how the world is than the average kid of other continents. How was this done? They were all asked to make a rough map of all continents. Although all kids had a tendency to make their own continent a bit bigger in proportion to the rest of the world, the biggest and most extreme deformation was with US kids, who in many cases only drew the North American continent with some "blob" beside N-A representing the other continents. So this study clearly made a quantified demonstration that, at least in low grades, US kids have a less good grasp of geography than other kids.
Now granted, this cannot be expanded to say "US adults have too little a grasp of geography", but some anecdotal evidence with CNN (showing Austria as Hungary on TV, if I remember, and others of the same type) at least gives an indication that at some level it might not be completely false to claim that US adults have a poor grasp of world geography too. And if I may add, of world politics too, but that is my opinion.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
First of all, I think you can make a pretty good argument that Estonian is not a race. Nationality? Yes. Ethnicity? OK. Race? Estonians are white, so no, Estonian is not a race. White is a race.
Secondly, it's well attested that Eastern Europe is a major center of online criminal activity. As someone who has been in the security field for the past four years, I can say that there are days when I wish I could put a firewall around all of it, to keep things *in*
The assumption that it would be a teenager is actually the part least likely to be accurate. It could be - they call them script kiddies for a reason - OTOH, a lot of adults are involved in computer crime, and they are involved in it for profit.
While his remark was flippant, it was not nearly as inaccurate as you might think.
Instead of making the next generation IP standard a simple extension that makes address fields a little larger and maybe fixes one or two long standing bugs, the IPv6 people redesigned things from scratch.
It's no wonder people are reluctant to adopt IPv6.
NAT is *not* a security mechanism.
Whether or not it was intended, NAT *is* a security mechanism. Obviously not the best or the prettiest, but to say it provides no additional security is just ignorant.
The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.
Side effect or not, it provides additional security no matter how you look at it. From a purist's point of view, it certainly does break the peer to peer model of the internet. But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Excuse me, but I believe Russians are the DDoS attackers, especially lately, when they are bombing Estonia's IT networks because of their stupid monument.
I live in Estonia, and no, I don't speak the Russian language.
Now, maybe a big part of the world doesn't even know where Estonia is, but we are quite an advanced IT country; here are some examples:
* We got National ID cards - and loads of services that use it as identification
* We just launched a cellphone based ID service, that basically replaces the need for a smart card reader and allows identification from anywhere in Estonia.
* We have E-Government
* Our internet banks are surely in the top 3 world wide from feature perspective
* And last, but not least, there's Skype
syn ack syn ack syn ack aieeeee thud!
The purpose of existence is to make money.
The CanSecWest presentation that started all this is available here.
I got it.
It's like saying: "everything's so simple, even an American can figure it out."
DragonflyBSD 1.4.x, 1.6.x, and 1.8.x systems have already been patched.
This very serious message urging all users to upgrade was posted on their mailing list earlier this week: DFBSD Message 2007/5/63
define "Eastern Europe".
Estonia is not Romania or Bulgaria.
It's a small, moderately prosperous and racis^WWestern Democratic Values bla bla bla country in /Northern/ Europe.
Most Estonians will be happy to explain to you how *all* the crime in their country is carried out by Russians or more recent immigrants. You know, stuff as usual.
This isn't a bug, it's a hidden feature. It's in place because IPv6 was made by the dark side of the force.
(With Chicaga twang) Like Kansas and Kentucky, Dey're over by dere.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
I am TheRaven on Soylent News
Can you elaborate on "Multicasting the ISP's can't turn off"? Or, in general, how does IPV6 address any of the issues that have prevented widespread multicast support?
That IPv4 is not intelligently designed?
XML is like violence. If it doesn't solve the problem, use more.
Is that why they all but wiped out many of those tribes you just mentioned ?
...
... without tyrannical rulers and enforced, draconian, social homogenization.
If you want to know what happened to the American Indians you can ask them - or their mixed-race descendants. Like my wife. Or a significant number of my friends. (Unfortunately it's a couple years too late to ask the person who was perhaps my closest (just) friend for four decades...)
There was a lot of death due to European diseases. But contrary to popular myth, germ warfare was NOT used against them by the US. (One English general did do it before the Revolution.) When epidemics got started the Indians and non-Indian settlers worked together to try to mitigate them: Diseases like smallpox were a threat to all.
Tribes were some of the first adopters of the smallpox vaccine. (The Sioux had a gold medal struck and sent to Jenner.)
The Indians are still here - in large numbers. (The Mohicans periodically issue press releases to point out that, contrary to the book title, they're still around. B-) ) There aren't a lot of fullbloods - but there aren't a lot of full-blooded English-Americans, or French-Americans, or Whatever-Americans, either. There was a lot of intermarriage. Many of those of Indian ancestry found it convenient not to mention it - sometimes even to their offspring.
"Redneck" isn't just about getting your neck sunburned if you work outdoors and have a short haircut. It's also about having a high likelihood of some Indian bloodline. Many of the Indians - both fullblood and partbreed - have assimilated into the general population of the US. They're farmers and ranchers, civil engineers, high-iron workers, merchants, professors, computer scientists, nanotechnologists,
Well how's that working out for ya ?
A lot better than you'd think if you're depending on the media - especially ours - to tell you. B-) And a WHOLE lot better, over virtually all of the last quarter-millennium, than the European alternatives.
BTW, if you can show me a link to a world map showing the locations of all those tribes you mentioned I'd appreciate it
Here you go. There are links to a full-sized PDF and an index. The ones outside the continental US can be found easily as well.
- but in the meantime, the subject was COUNTRIES.
These ARE countries. THAT was my POINT. Most of them just happen to be surrounded by various parts of the United States.
"Indian nation" is NOT a feel-good term used by the soppy-headed. It's a literal, legal, reality. These are independent, sovereign nations, with their own territories, borders, and so on. Most of them have treaty-based alliances with the US federal government. Some don't. They have automatic US citizenship - much like the citizens of Puerto Rico. They are exempt from some US taxes - which ones depend on treaty terms and whether they're living on the res or off it. Some tribes receive ongoing payments - think "rent" - as part of whatever settlement allowed non-tribal members to settle some of their lands.
They're countries in an alliance with the US. They have more independence than the "several states" (which subordinated all their foreign policy, interstate commerce regulation, and currency matters to the federation). They're also far more independent of the US than satellites of the USSR (such as Estonia) were of Russia - or than the member states of the European Union are likely to be of their own central government within a couple decades.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Now where can I bone up on the info you mentioned?
Start here. It has links to a lot of useful stuff, mainly on US Government sites.
Google is your friend. Things like info on the Six Nations' declaration of war on the Germans are easy to find with searches like "Iroquois war Germany".
Speaking of whom: It was the Iroquois Confederacy that was the main inspiration - primarily through Franklin - for the structure of the federal government of the United States. Prior to the discovery of their working Republic and its long history (which has been described as "outdoing the Romans"), the history of democracy and republican forms in Europe - particularly certain episodes from Greece - were used as royalist propaganda. They were cautionary tales about why government of the people was doomed to failure and despotic rule by a member of an elite was allegedly necessary.
Quite a bit of this history has been unearthed in recent decades. A search for "Iroquois Franklin" will point you to quite a bit of it, such as full online text of Bruce Johansen's The Forgotten Founders
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
White is a race. Black is a race. I can think of a couple other skin colors that qualify, too.
Don't look now, but the dumbest thing on /. is, umm, you.