Slashdot Mirror

← Back to Stories (view on slashdot.org)

IPv6 Flaw Could Greatly Amplify DDoS Attacks

Posted by Zonk on from the please-avoid-the-obvious-holes dept.

tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"

10 of 258 comments (clear)

  1. s anybody surprised that Paul Vixie by Anonymous Coward · · Score: 5, Funny

    was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.

  2. $300 Linux box... as if by Ice+Wewe · · Score: 5, Funny

    Please, if he were really that smart, he'd use an OLPC!

  3. Estonia? by Anonymous Coward · · Score: 5, Funny

    Clearly the problem here lies with Estonia, not IPv6.

  4. NOT COOL. by game+kid · · Score: 5, Funny

    Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'

    That roughly translates to "It's so easy, an Estonian can do it".

    Someone is gonna be buying them roast duck (with the mango salsa) soon.

    --
    You can hold down the "B" button for continuous firing.
    1. Re:NOT COOL. by Professor_UNIX · · Score: 5, Funny

      Seriously though, estonia? Raise your hand if you know where that is.
      Maybe he meant to say Elbonia.
    2. Re:NOT COOL. by dch24 · · Score: 5, Funny

      I'm an American.

      I know where Estonia is. You insensitive clod.
      There. Fixed that for ya.
    3. Re:NOT COOL. by ivothamdrup · · Score: 5, Informative

      He may have chosen Estonia in particular because there's recently (in the last week) been DDoS attacks targeting Estonia's government websites.

      Those attacks were (still are, actually) carried out not by local "greedy teenagers", but top-level Russian authorities. The large-scale attacks were traced to IP addresses in Moscow owned by the Russian presidential administration and government.

  5. Insensitive Clod by Anonymous Coward · · Score: 5, Funny

    Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.

  6. Re:Who gives a $%##? by Organic+Brain+Damage · · Score: 5, Interesting

    Nevermind the fact that the insanely ridiculous kludge...

    Check our DNA. We are, essentially, insanely ridiculous kludges. Nothing but organically accreted fixes to a long series of problems. Why should anyone be surprised that our technology mirrors this fundamental aspect of our selves?
  7. Early IPv6 drafts had limited the Type 0 route len by Jim+Logajan · · Score: 5, Informative

    Some history and information:

    The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.

    The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8 but unsigned integer (i.e. 255 times).

    While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.

    One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL or own any equity or options on equity in the company).