
Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



On Tue, 17 Dec 2002, Alain Durand wrote:
> >On Wed, 11 Dec 2002, Alain Durand wrote:
> >
> >>There are some aspects you somehow overlooked in your draft.
> >>
> >>1. This attack by spoofing relay can be distributed to
> >>    a huge number of reflectors (just have to find their address
> >>    in the DNS). This changes quite a lot of things, and
> >>    makes tracing the attack and stopping it very difficult.
> >>    For example, it is not clear how statistical analysis
> >>    done on packet sampling will work.
> >
> >I meant to write about these a bit, but seemingly forgot.  (I don't see
> >this as a huge issue, as it seems to me that to succeed, this would
> >require at least hundreds of relay routers.)
> >
>
> Maybe I was not very clear, I meant a single zombie
> pretending to be a relay and sending a single packet
> to a very large number of 6to4 hosts with IPv6 src
> set to the victim machine.

Right, I misunderstood a part of your cases.

However, I believe this becomes a real pain in the case that there are
enough relays (in the degree of hundreds or thousands) so rate-limiting or
statistical analysis on _relays_ is not really possible; obviously 6to4
nodes/routers can't do much there -- but that's little different to
someone today sending a TCP SYN to Joe Random with forged source address.

The difference is mainly that the attack is doable even if you're IPv4
ingress filtered, as the trace of the real IPv4 address used in the attack
is lost at 6to4 routers.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
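The trust problem discussed above (a 6to4 host cannot tell a zombie posing as a relay from a real one) as an added example that is not code from the draft or from either poster: the decapsulation sanity checks a 6to4 router or host could apply before handing an IPv6-in-IPv4 packet up the stack. It assumes a configured set of accepted relay IPv4 addresses (here only the RFC 3068 anycast address, as sample configuration) and uses constructed header-only packets for testing.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Constructed configuration (assumption): the only IPv4 sources from which
# this node accepts decapsulated traffic with a non-2002:: IPv6 source.
ACCEPTED_RELAYS = {ipaddress.IPv4Address("192.88.99.1")}

def check_6to4_packet(pkt: bytes, accepted_relays=ACCEPTED_RELAYS) -> str:
    """Return "accept" or a "drop: ..." reason for a protocol-41 packet."""
    if len(pkt) < 60:
        return "drop: truncated"
    if pkt[9] != 41:
        return "drop: not IPv6-in-IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: bad inner IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIXTO4:
        # Packet from another 6to4 router: the IPv4 address embedded in
        # 2002:V4ADDR:: must be the address that actually sent the packet.
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
        if embedded != outer_src:
            return "drop: embedded IPv4 address does not match outer source"
        return "accept"
    # Native IPv6 source: it must have arrived through a relay. An arbitrary
    # IPv4 host claiming to be a relay is the reflector case in the thread.
    if outer_src not in accepted_relays:
        return "drop: non-2002:: source from unconfigured relay"
    return "accept"

def build_packet(outer_src: str, inner_src: str, inner_dst: str) -> bytes:
    """Constructed IPv4(proto 41) + IPv6 header pair, no payload (60 bytes)."""
    v4 = ipaddress.IPv4Address(outer_src)
    dst = ipaddress.IPv4Address("198.51.100.7")  # constructed receiver
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 41, 0,
                       v4.packed, dst.packed)
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(inner_src).packed,
                       ipaddress.IPv6Address(inner_dst).packed)
    return ipv4 + ipv6
```

The relay restriction is what blocks the single-zombie case; it is only practical where the set of relays a node will talk to is small and known.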