[ipv6hackers] New IETF I-D on IPv6 smurf amplifiers
Fernando Gont
fgont at si6networks.com
Thu Dec 15 14:25:03 CET 2011
Folks,
Particularly if you're running (or planning to run) non-local IPv6
multicast, you may be interested in reading this:
<http://tools.ietf.org/id/draft-gont-6man-ipv6-smurf-amplifier-00.txt>.
Note: This vector can also be exploited with normal link-local multicast
addresses, but for obvious reasons it becomes a more important issue
with non-local multicast.
Abstract:
---- cut here ----
When an IPv6 node processing an IPv6 packet does not support an IPv6
option whose two-highest-order bits of the Option Type are '10', it
is required to respond with an ICMPv6 Parameter Problem error
message, even if the Destination Address of the packet was a
multicast address. This feature provides an amplification vector,
opening the door to an IPv6 version of the 'Smurf' Denial-of-Service
(DoS) attack found in IPv4 networks. This document discusses the
security implications of the aforementioned options, and formally
updates RFC 2460 such that this attack vector is eliminated.
Additionally, it describes a number of operational mitigations that
could be deployed against this attack vector.
---- cut here ----
Any feedback will be welcome.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
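The amplification mechanics described in the abstract come from the option-processing rules of RFC 2460 section 4.2: the two highest-order bits of an Option Type tell a node what to do when it does not recognize the option, and the '10' action requires an ICMPv6 Parameter Problem (Code 2) even when the packet was sent to a multicast address. The following is an added example, not code from the draft, the mailing-list post, or SI6 Networks. It parses a constructed Destination Options header, classifies each option by its action bits, and counts how many ICMPv6 error replies a single multicast packet would elicit from a given number of listeners, first under the RFC 2460 rule and then under the draft's update, which is modelled here on the assumption that a node stops replying when the destination was multicast (an assumption about the draft's text, not a quotation of it). The option type 0x80 and the address ff0e::1 are constructed sample values.

```python
import ipaddress

# Actions encoded in the two highest-order bits of an IPv6 Option Type (RFC 2460 sec. 4.2).
ACTION_SKIP = 0b00                   # skip the option, keep processing the header
ACTION_DISCARD = 0b01                # discard the packet silently
ACTION_DISCARD_ICMP = 0b10           # discard; send ICMPv6 Parameter Problem even to multicast
ACTION_DISCARD_ICMP_UNICAST = 0b11   # discard; send ICMPv6 only if destination was not multicast

# Option types a node is assumed to implement: Pad1, PadN, Router Alert, Jumbo Payload.
KNOWN_OPTIONS = {0x00, 0x01, 0x05, 0xC2}

# Constructed sample: Destination Options header, next header 58 (ICMPv6), length 0 (8 bytes),
# carrying one unrecognized option of type 0x80 (action bits '10') with four data bytes.
SAMPLE_DST_OPTS = bytes([58, 0, 0x80, 4, 0xDE, 0xAD, 0xBE, 0xEF])


def option_action(option_type: int) -> int:
    """Return the two highest-order bits of an Option Type (the unrecognized-option action)."""
    return (option_type >> 6) & 0b11


def parse_options(ext_hdr: bytes):
    """Parse the TLV options of a Hop-by-Hop or Destination Options header.

    Returns (next_header, [(option_type, data), ...]). Pad1 (type 0) has no length byte.
    """
    if len(ext_hdr) < 2:
        raise ValueError("extension header too short")
    next_header, hdr_ext_len = ext_hdr[0], ext_hdr[1]
    total = (hdr_ext_len + 1) * 8          # Hdr Ext Len is in 8-octet units, excluding the first 8
    if len(ext_hdr) < total:
        raise ValueError("truncated extension header")
    body = ext_hdr[2:total]
    options = []
    i = 0
    while i < len(body):
        otype = body[i]
        if otype == 0:                      # Pad1: a single zero byte, no length or data
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("option missing its length byte")
        olen = body[i + 1]
        data = body[i + 2:i + 2 + olen]
        if len(data) != olen:
            raise ValueError("option data runs past the header")
        options.append((otype, data))
        i += 2 + olen
    return next_header, options


def must_send_parameter_problem(option_type: int, dst: str, draft_mitigation: bool = False) -> bool:
    """Decide whether a node that does not recognize `option_type` must answer with
    ICMPv6 Parameter Problem, Code 2, for a packet whose destination was `dst`."""
    action = option_action(option_type)
    dst_is_multicast = ipaddress.IPv6Address(dst).is_multicast
    if action == ACTION_DISCARD_ICMP:
        # RFC 2460: reply regardless of multicast. Assumed draft behaviour: no reply to multicast.
        return not (draft_mitigation and dst_is_multicast)
    if action == ACTION_DISCARD_ICMP_UNICAST:
        return not dst_is_multicast
    return False                            # '00' and '01' never generate an error message


def icmp_replies_triggered(dst: str, ext_hdr: bytes, responders: int, draft_mitigation: bool = False) -> int:
    """Number of ICMPv6 error messages one packet elicits from `responders` listeners,
    none of which implements any option outside KNOWN_OPTIONS. Processing stops at the
    first unrecognized option, so that option alone decides the outcome."""
    _, options = parse_options(ext_hdr)
    for otype, _ in options:
        if otype in KNOWN_OPTIONS:
            continue
        return responders if must_send_parameter_problem(otype, dst, draft_mitigation) else 0
    return 0


if __name__ == "__main__":
    # One packet to a global-scope multicast group with 500 listeners.
    print("RFC 2460 replies:", icmp_replies_triggered("ff0e::1", SAMPLE_DST_OPTS, 500))
    print("with draft update:", icmp_replies_triggered("ff0e::1", SAMPLE_DST_OPTS, 500, draft_mitigation=True))
```

For a defender, the useful reading of this model is the contrast between the '10' and '11' rows of `must_send_parameter_problem`: a '11' option already suppresses the reply for multicast destinations, so the draft's change is effectively to give '10' options the same multicast behaviour. The `responders` count is exactly the amplification factor, which is why the vector matters far more for non-local multicast groups with many members than for link-local ones.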