
Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



On Wed, 11 Dec 2002, Alain Durand wrote:
> There are some aspects you somehow overlooked in your draft.
> 
> 1. This attack by spoofing relay can be distributed to
>     a huge number of reflectors (just have to find their address
>     in the DNS). This changes quite a lot of things, and
>     makes tracing the attack and stopping it very difficult.
>     For example, it is not clear how statistical analysis
>     done on packet sampling will work.

I meant to write about these a bit, but seemingly forgot.  (I don't see 
this as a huge issue, as it seems to me that to succeed, this would 
require at least hundreds of relay routers.)

If a 6to4 router/node acts as a reflector, distributing the attacks to a
number of reflectors naturally makes the statistical analysis in them a
bit more difficult.

However, if 6to4 relay routers are still a bit more sparsely distributed,
most of the reflected traffic gets aggregated to a smaller number of relays,
and then statistical analysis there might be doable.
 
> 2. If outgoing 6to4 relays get widely deployed and the attack
>     uses a very large number of reflectors with just one zombie,
>     it is not clear that the relays will act as a contention point...

This is a less dangerous attack (relays << routers).

> 3. ...but if they do, the attack is transformed from a DDOS attack
>     on the fake IPv6 src to a DDOS attack on the relays!

I believe there are two issues that should perhaps be separated: attacks
against the 6to4 infrastructure and against the general Internet (one could
say that if an attack can just harm the 6to4 mechanism itself, it's a bit
more harmless).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords