Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
On Wed, 11 Dec 2002, Alain Durand wrote:
> There are some aspects you somehow overlooked in your draft.
>
> 1. This attack by spoofing relay can be distributed to
> a huge number of reflectors (just have to find their address
> in the DNS). This changes quite a lot of things, and
> makes tracing the attack and stopping it very difficult.
> For example, it is not clear how statistical analysis
> done on packet sampling will work.
I meant to write about these a bit, but seemingly forgot. (I don't see
this as a huge issue, as it seems to me that to succeed, this would
require at least hundreds of relay routers.)
If a 6to4 router/node acts as a reflector, distributing the attacks to a
number of reflectors naturally makes the statistical analysis in them a
bit more difficult.
However, if 6to4 relay routers are still a bit more sparsely distributed,
most of the reflected traffic gets aggregated to a smaller number of relays,
and then statistical analysis there might be doable.
> 2. If outgoing 6to4 relays get widely deployed and the attack
> uses a very large number of reflectors with just one zombie,
> it is not clear that the relays will act as a contention point...
This is a less dangerous attack (relays << routers).
> 3. ...but if they do, the attack is transformed from a DDOS attack
> on the fake IPv6 src to a DDOS attack on the relays!
I believe there are two issues that should perhaps be separated: attacks
against 6to4 infrastructure and the general Internet (one could say that if an
attack can just harm the 6to4 mechanism itself, it's a bit more harmless).
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
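The two defensive angles discussed in the thread, an ingress sanity check at a 6to4 router and the kind of aggregated analysis a relay could run, as an added illustration that is not code from the draft, its author, or any 6to4 implementation. The acceptance policy (a 2002::/16 source must embed the outer IPv4 source and be routable; a native IPv6 source may only arrive from a known relay), the known-relay list, the non-routable prefix table and all sample records are assumptions constructed for this example; 192.88.99.1 is the RFC 3068 6to4 anycast relay address, the other addresses are documentation-range placeholders.

```python
"""6to4 decapsulation sanity checks and a relay-side reflection heuristic.

Added illustration for the thread above; not the draft's or the author's code.
Policy, relay list and sample records are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Relays this router is willing to accept native (non-2002::) IPv6 traffic from.
# 192.88.99.1 is the RFC 3068 anycast address; 198.51.100.1 is a constructed entry.
KNOWN_RELAYS = {ipaddress.IPv4Address("192.88.99.1"),
                ipaddress.IPv4Address("198.51.100.1")}

# Prefixes that must never appear as the outer IPv4 source of a 6to4 packet
# (assumed list for the example; an operator would extend it).
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def routable(v4):
    """True unless the address falls in one of the NON_ROUTABLE prefixes."""
    return not any(v4 in net for net in NON_ROUTABLE)


def embedded_ipv4(addr6):
    """Return the IPv4 address carried in bits 16..47 of a 2002::/16 address,
    or None when the address is not a 6to4 address."""
    addr6 = ipaddress.IPv6Address(addr6)
    if addr6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr6) >> 80) & 0xFFFFFFFF)


def outer_src_acceptable(outer_v4, inner_src6):
    """Decide whether a decapsulating 6to4 router should accept a packet.

    The check catches a spoofed outer source that does not match an embedded
    2002:: address and native sources arriving from unknown IPv4 hosts.  It
    cannot catch a native inner source whose outer address is a spoofed
    known relay, which is the gap the thread is discussing.
    """
    outer_v4 = ipaddress.IPv4Address(outer_v4)
    inner_src6 = ipaddress.IPv6Address(inner_src6)
    if not routable(outer_v4):
        return False
    emb = embedded_ipv4(inner_src6)
    if emb is not None:
        # 2002:V4ADDR::/48 source: the embedded address must be the real sender.
        return emb == outer_v4
    # Native IPv6 source: only a relay may hand it to us over IPv4.
    return outer_v4 in KNOWN_RELAYS


def reflection_suspects(records, min_outer_sources=3):
    """Relay-side heuristic over sampled decapsulated packets.

    Each record is (outer_ipv4_src, inner_ipv6_src, inner_ipv6_dst).  Replies
    bounced off many 6to4 routers toward one spoofed native IPv6 victim show
    up at the relay as many distinct outer sources sharing one inner
    destination; this is what aggregation at a few relays makes visible.
    Returns {inner_dst: distinct_outer_sources} above the threshold.
    """
    outers = defaultdict(set)
    for outer_v4, _inner_src6, inner_dst6 in records:
        outers[str(ipaddress.IPv6Address(inner_dst6))].add(
            ipaddress.IPv4Address(outer_v4))
    return {dst: len(v4s) for dst, v4s in outers.items()
            if len(v4s) >= min_outer_sources}


# Constructed sample of what a relay might see: four reflectors (consistent
# 2002:: sources, so the ingress check passes) all answering 2001:db8::42,
# plus two ordinary flows toward 2001:db8::1.
SAMPLE_RELAY_RECORDS = [
    ("198.51.100.1", "2002:c633:6401::1", "2001:db8::42"),
    ("198.51.100.2", "2002:c633:6402::1", "2001:db8::42"),
    ("198.51.100.3", "2002:c633:6403::1", "2001:db8::42"),
    ("198.51.100.4", "2002:c633:6404::1", "2001:db8::42"),
    ("198.51.100.1", "2002:c633:6401::1", "2001:db8::1"),
    ("203.0.113.5", "2002:cb00:7105::1", "2001:db8::1"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RELAY_RECORDS:
        print(rec[:2], "ingress ok" if outer_src_acceptable(*rec[:2]) else "dropped")
    print("reflection suspects:", reflection_suspects(SAMPLE_RELAY_RECORDS))
```

Note that every record in the sample passes `outer_src_acceptable`: the reflected replies are legitimate 6to4 packets from the reflectors' point of view, so only the aggregate pattern (one inner destination, many outer sources) distinguishes them, which is why the thread's observation about where traffic aggregates matters for detection.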