
Re: 6to4 security questions




Christian Huitema wrote:

> There are however a number of mitigating factors:
>
> 1) The attack does not include a multiplier effect; the amount of
> traffic directed at the target will be about equal to the amount of
> traffic sent by the attacker.

Not necessarily. It depends on the protocol used on the reflectors.
If you can find a UDP protocol that echoes n packets to an original
short incoming packet, you have a multiplier effect.

> 2) The attack packets go through a choke point, the 6to4 relay between
> the laundering site and the target.

Not necessarily. If thousands of reflectors are used, they will use
different relays.

> 3) The packets received by the target contain the address of the
> relaying 6to4 site.

If (many) thousands of reflectors are used, each reflector can be
exercised only once and still create a massive DDoS.
Such an attack will be even harder to detect using packet sampling techniques.

> 4) The payload of the packets received by the target will be a response
> generated by the laundering server, which limits any "magic packet"
> issue.

If many reflectors are exercised, depending on the protocol used,
each DDoS packet may be different.

> 5) The attack only provides value if the attacker's IPv4 connection was
> subject to ingress filtering, which is alas not a very common case.

True. But this will create a disincentive for ISPs to put ingress filtering
in place and ruin the efforts of those who did.

> Because of the absence of a magic packet effect, this attack is only
> really powerful if it is practiced by a "fleet of zombies" using a large
> number of reflectors.

Not really: you can use only a limited number of zombies (even a
well-connected one is enough) if you can discover thousands of valid 6to4 addresses.
As the packets will be 'laundered' by the 6to4 routers, it will be very hard
to trace the attack back to the zombie.

> In short, yes it is a vulnerability, but it is not a terribly dangerous
> one, and it is a vulnerability that will in any case disappear with
> 6to4, when sites receive native IPv6 connectivity. So, yes, a fix is
> welcome; however, the fix should not be so drastic as to impede the
> "autonomous deployment" advantage of 6to4.

See my comment in the other thread on 6to4 & Teredo vs Tunnel Broker.

- Alain.
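The laundering path the two messages above argue over, as an added example that is not part of this thread or of any 6to4 implementation: a small Python model of how a 6to4 site derives its 2002::/48 prefix, where a 6to4 router tunnels an outbound packet (straight to the peer site for 2002::/16 destinations, to a relay for native ones, which is the "choke point" of point 2), and the decapsulation checks a 6to4 router could apply when a protocol-41 packet arrives. The checks (a 6to4 inner source must match the outer IPv4 source; a native inner source is accepted only from a relay; embedded IPv4 must not be a bogon) are this example's assumption about what a fix might look like, not something the thread settles on. All addresses, the `Encap` type and the function names are constructed for the example; the IPv4 values are RFC 5737 documentation ranges.

```python
"""Toy model of 6to4 tunnelling and the decapsulation checks a 6to4 router
could apply against the reflection attack discussed in the thread.
Example code, not from the thread; addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 6to4 relay anycast

# Illustrative list of IPv4 ranges that must never appear as an embedded
# 6to4 address (RFC 1918, loopback, link-local, multicast/reserved).
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site derives from its public IPv4 address (RFC 3056)."""
    a = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(f"2002:{a >> 16:x}:{a & 0xFFFF:x}::/48")


def embedded_ipv4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a 2002::/16 address, or None for a native address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)  # bits 16..47


@dataclass(frozen=True)
class Encap:
    """An IPv6-in-IPv4 (protocol 41) packet as a 6to4 router sees it."""
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str


def next_hop_v4(inner_dst: str, relay=RELAY_ANYCAST) -> ipaddress.IPv4Address:
    """Where a 6to4 router tunnels an outbound IPv6 packet: directly to the peer
    6to4 site for 2002::/16 destinations, otherwise to a relay (the choke point)."""
    return embedded_ipv4(inner_dst) or relay


def accept_decapsulated(pkt: Encap, trusted_relays=(RELAY_ANYCAST,)) -> Tuple[bool, str]:
    """Assumed ingress checks for a 6to4 router before it decapsulates a packet."""
    outer = ipaddress.IPv4Address(pkt.outer_src)
    emb = embedded_ipv4(pkt.inner_src)
    if emb is not None:
        # 6to4 inner source: the embedded IPv4 must be the host that really sent
        # the outer packet, and must not be a bogon.
        if emb != outer:
            return False, "inner 6to4 source does not match outer IPv4 source"
        if any(outer in net for net in BOGON_V4):
            return False, "embedded IPv4 is not a public unicast address"
        return True, "6to4 source consistent with outer source"
    # Native inner source: only a relay is entitled to hand us such a packet.
    if outer in trusted_relays:
        return True, "native source arrived from a known relay"
    return False, "native IPv6 source from a non-relay IPv4 host"


def reflection_attempt(attacker_v4: str, reflector_v4: str, target_v6: str):
    """The laundering step from the thread (constructed scenario): the attacker
    sends the reflector an encapsulated packet whose inner source is the native
    target, hoping a host behind the reflector answers the target via a relay.
    Returns the reflector's verdict and the reply the target would otherwise see."""
    victim_host = str(sixto4_prefix(reflector_v4).network_address + 1)
    probe = Encap(outer_src=attacker_v4, outer_dst=reflector_v4,
                  inner_src=target_v6, inner_dst=victim_host)
    verdict, reason = accept_decapsulated(probe)
    reply = Encap(outer_src=reflector_v4, outer_dst=str(next_hop_v4(target_v6)),
                  inner_src=victim_host, inner_dst=target_v6)
    return verdict, reason, reply


if __name__ == "__main__":
    ok, why, reply = reflection_attempt("192.0.2.66", "198.51.100.7", "2001:db8::1")
    print("decapsulate?", ok, "-", why)
    print("reply the target would otherwise see:", reply)
```

The reply object shows Christian's points 2 and 3 concretely: the target's native address forces the reflector's answer through the relay anycast address, and the inner source the target sees is the reflector's 2002:c633:6407::/48, not the attacker. The native-source-only-from-a-relay check is also what makes Alain's "thousands of reflectors, different relays" variant fail at each reflector independently, since the attacker's own IPv4 address is never a relay.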