[ipv6hackers] Status on NDP Exhaustion Attacks?

Marc Heuse mh at mh-sec.de
Wed Sep 28 10:48:42 CEST 2011

On 28.09.2011 01:59, Jim Small wrote:
> Are there any new defenses for NDP Exhaustion attacks:
> http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
> I have heard that Cisco has implemented some protection against this but I haven't uncovered any specifics just yet.

they have, I tried :-)

I'd need to look at my research data, but from memory Juniper fell to the
ground, same as e.g. Solaris (that's the only IPv6 related vulnerability
I found in Solaris btw, their stack is the best)

in the thc-ipv6 toolkit is a tool to test for this, flood_solicitate6.
and while at it, use flood_advertise6 for even more DOS fun ;-)

> The author's recommendation was to use smaller subnets than /64s.
> My experience from teaching networking is that VLSM/Subnetting adds
> complexity and that if all host/server networks in IPv6 could be /64s
> it would make networking easier.

the networks I have seen are often mixed. manually configured and using
SLAAC. and who wants to lay hand on every printer they put on the
network, etc.?
I think it has to stay at /64.

> Is there a good solution to this problem besides smaller subnets?
>   --Jim

no good ones come to my mind, protection must be built into the router ...


Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
