[ipv6hackers] flood_router26 video

Marc Heuse mh at mh-sec.de
Sun Nov 11 17:40:23 CET 2012

Hi Sam,

Am 10.11.2012 20:00, schrieb Sam Bowne:
> I made a video yesterday testing flood_router26,
> and it is indeed very powerful, much more than
> flood_router6.
> http://www.youtube.com/watch?v=ykameNXRLOo
> I now want to understand why it works.  Is there something written
> up about how it works, and exactly what it is sending?
> Perhaps a paper or conference presentation?

I presented it here:

The videos are not available yet, I guess that will take a few more weeks.

how it works is pretty simple. Each route entry in an RA packet makes
the linked list longer and takes more time, adds a neighbor entry etc.
hence using up RAM and CPU.
So if you flood the network, it is basically a similar mechanism like
the RA autoconfig flooding.
All OS with the exception of Linux (and I have not tested Solaris or
OpenBSD but everything else) is vulnerable against this one to very
different degrees, Windows gets lockedup or reboots (server 2012) other
get a high load and loose IPv6 connectivity (*BSD, OSX), etc.

How I make the attack more effective is that I put not one route entry
per RA but lots of them.
And basically the same is possible for autoconfig, if you put 16
prefix+autoconfig options in a RA packet, systems configure themselves
16 addresses ...

So thats why there are ~16 route and autoconfig option in each packet
flood_router26 generates. You can also have command line options to only
use route entries or autoconfig entries.

> I'll try figuring it out myself, but I'd like to refer to an
> authoritative source of information if possible.

well, you could just have emailed me ;-)


Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

More information about the Ipv6hackers mailing list