[ipv6hackers] Status on NDP Exhaustion Attacks?
Marc Heuse
mh at mh-sec.de
Wed Sep 28 10:48:42 CEST 2011
On 28.09.2011 01:59, Jim Small wrote:
> Are there any new defenses for NDP Exhaustion attacks:
> http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>
> I have heard that Cisco has implemented some protection against this but I haven't uncovered any specifics just yet.
they have, I tried :-)
I'd need to look at my research data, but in memory Juniper fell to the
ground, same as e.g. Solaris (that's the only IPv6 related vulnerability
I found in Solaris btw, their stack is the best)
in the thc-ipv6 toolkit is a tool to test for this, flood_solicitate6.
and while at it, use flood_advertise6 for even more DOS fun ;-)
> The author's recommendation was to use smaller subnets than /64s.
> My experience from teaching networking is that VLSM/Subnetting adds
> complexity and that if all host/server networks in IPv6 could be /64s
> it would make networking easier.
the networks I have seen are often mixed. manually configured and using
SLAAC. and who wants to lay hand on every printer they put on the
network, etc.?
I think it has to stay at /64.
> Is there a good solution to this problem besides smaller subnets?
> --Jim
no good ones come to my mind, protection must be built into the router ...
Greets,
Marc
--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de
Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin
Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
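
Added example, not part of the original post or of thc-ipv6: on a Linux router, NDP exhaustion shows up as a neighbor cache filling with unresolved entries for addresses inside one /64, so a monitoring check can count them per prefix. The sample `ip -6 neigh show` output is constructed, and the function names and the threshold are assumptions to tune per device.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ip -6 neigh show` output (not captured from a real host).
SAMPLE = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:0:1::10 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:0:1:8a2e:370:7334:1 dev eth0  INCOMPLETE
2001:db8:0:1:1c3d:99:ab12:2 dev eth0  INCOMPLETE
2001:db8:0:1:77aa:5:42:3 dev eth0  FAILED
2001:db8:0:2::20 dev eth1 lladdr 00:11:22:33:44:77 REACHABLE
2001:db8:0:2:dead:1:2:3 dev eth1  INCOMPLETE
"""

# Neighbor states that mean "solicited, but no link-layer address learned".
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def unresolved_per_prefix(text):
    """Count unresolved neighbor entries per (interface, covering /64)."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        # Expected shape: <addr> dev <iface> [lladdr <mac>] [router] <STATE>
        if len(fields) < 4 or fields[1] != "dev":
            continue
        if fields[-1] not in UNRESOLVED:
            continue
        try:
            addr = ipaddress.IPv6Address(fields[0])
        except ipaddress.AddressValueError:
            continue  # IPv4 neighbor or malformed line
        prefix = ipaddress.ip_network(f"{addr}/64", strict=False)
        counts[(fields[2], str(prefix))] += 1
    return counts


def flag_prefixes(text, threshold):
    """Return sorted (iface, prefix, count) tuples at or above the threshold."""
    return sorted(
        (iface, prefix, n)
        for (iface, prefix), n in unresolved_per_prefix(text).items()
        if n >= threshold
    )


if __name__ == "__main__":
    # Threshold of 3 only suits the tiny sample; real values are far higher.
    for iface, prefix, n in flag_prefixes(SAMPLE, threshold=3):
        print(f"{iface} {prefix}: {n} unresolved neighbor entries")
```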