[ipv6hackers] New IETF I-D on IPv6 smurf amplifiers

Fernando Gont fgont at si6networks.com
Thu Dec 15 14:25:03 CET 2011


Folks,

Particularly if you're running (or planning to run) non-local IPv6
multicast, you may be interested in reading this:
<http://tools.ietf.org/id/draft-gont-6man-ipv6-smurf-amplifier-00.txt>.

Note: This vector can also be exploited with normal link-local multicast
addresses, but for obvious reasons it becomes a more important issue
with non-local multicast.

Abstract:
---- cut here ----
   When an IPv6 node processing an IPv6 packet does not support an IPv6
   option whose two-highest-order bits of the Option Type are '10', it
   is required to respond with an ICMPv6 Parameter Problem error
   message, even if the Destination Address of the packet was a
   multicast address.  This feature provides an amplification vector,
   opening the door to an IPv6 version of the 'Smurf' Denial-of-Service
   (DoS) attack found in IPv4 networks.  This document discusses the
   security implications of the aforementioned options, and formally
   updates RFC 2460 such that this attack vector is eliminated.
   Additionally, it describes a number of operational mitigations that
   could be deployed against this attack vector.
---- cut here ----

Any feedback will be welcome.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
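The rule the abstract refers to is the encoding of the two highest-order bits of an IPv6 Option Type (RFC 2460, section 4.2): '00' skip, '01' discard silently, '10' discard and send an ICMPv6 Parameter Problem even when the destination is multicast, '11' discard and send the error only for a unicast destination. The '10' case is what turns a multicast-addressed packet into many error replies. The following Python is an added example written for this post, not code from the draft or from SI6 Networks: it parses a Hop-by-Hop or Destination Options header body, classifies each option by its action bits, and reports whether a node that does not implement one of those options would have to reply, both under RFC 2460 as written and under the draft's update (modelled here on the assumption that the update suppresses the reply when the destination is multicast, which is what the abstract says it achieves). The set of "known" options and the option type 0x9E (one of the RFC 4727 experimental values, which carries the '10' prefix) are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Highest-order two bits of an IPv6 Option Type (RFC 2460, section 4.2).
ACT_SKIP = 0b00                  # skip the option, continue processing
ACT_DISCARD = 0b01               # discard the packet silently
ACT_DISCARD_ICMP = 0b10          # discard; send Parameter Problem even if dst is multicast
ACT_DISCARD_ICMP_UNICAST = 0b11  # discard; send Parameter Problem only if dst is unicast

# Option types this hypothetical node implements (constructed for the example):
# Pad1, PadN, Router Alert, Jumbo Payload.
KNOWN_OPTIONS = {0x00, 0x01, 0x05, 0xC2}


def option_action(option_type: int) -> int:
    """Return the two action bits of an Option Type."""
    return (option_type >> 6) & 0b11


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse the TLV option list carried in a Hop-by-Hop or Destination Options header."""
    opts = []
    i = 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == 0x00:            # Pad1: single byte, no length field
            opts.append((opt_type, b""))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option data")
        opts.append((opt_type, value))
        i += 2 + length
    return opts


def sends_parameter_problem(dst: str, options: bytes, smurf_fix: bool = False) -> bool:
    """True if a node lacking support for one of the options must send an ICMPv6
    Parameter Problem (code 2) for this packet.

    smurf_fix=False models RFC 2460 as written.
    smurf_fix=True models the draft's update, assumed here to suppress the reply
    whenever the destination address is multicast.
    """
    multicast = ipaddress.IPv6Address(dst).is_multicast
    for opt_type, _ in parse_options(options):
        if opt_type in KNOWN_OPTIONS:
            continue
        act = option_action(opt_type)
        if act == ACT_SKIP:
            continue
        if act == ACT_DISCARD:
            return False                # silent discard ends processing
        if act == ACT_DISCARD_ICMP:
            return not (smurf_fix and multicast)
        return not multicast            # ACT_DISCARD_ICMP_UNICAST
    return False


if __name__ == "__main__":
    # Constructed sample: an unknown '10'-type option (0x9E, two data bytes) on a
    # packet addressed to a global-scope multicast group.
    unknown_10 = bytes([0x9E, 2, 0, 0])
    for dst in ("ff0e::1", "2001:db8::1"):
        print(dst,
              "RFC2460 reply:", sends_parameter_problem(dst, unknown_10),
              "with fix:", sends_parameter_problem(dst, unknown_10, smurf_fix=True))
```

Running it shows the amplification condition directly: for the multicast destination the RFC 2460 rule yields a reply from every receiver that lacks the option, while the updated rule yields none; for the unicast destination both rules reply, as they should.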