RE: first widely published relay as a dos issue
> But still, I think there's something to learn from this case. For
> example:
Absolutely!
> - even relatively low traffic counts can harm at least some of the
> deployed base
Yes, that looks like a real problem. It may be due to the relative newness of some of the implementations. Maybe we need to have published benchmarks...
> - (not mentioned here, but an issue in some other scenarios) IPv6 traffic
> may be free (for some), but IPv4 is not. So, some operators may be
> hesitant to deploy or at least advertise a 6to4 relay -- this could mean
> they'd get in harm's way because the 6to4 relay would be doing
> encapsulation (esp. if it would be a full-fledged relay)
Using the anycast address makes your relay harder to target -- the attacker does not know with certainty which relay will be hit! However, it seems that we operators have only limited control over who can use our relay. Basically, the only real control is whether or not to advertise a route in BGP. Once a relay is advertised to some neighbor AS, there is no real mechanism to prevent re-advertisement. We may want to study some solution.
> - the fewer 6to4 relays there are, the more probable it is *your* relay
> gets in the way of a DoS attack.. :-/
We certainly need to deploy many more relays!
-- Christian Huitema