[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Enno Rey erey at ernw.de
Mon Apr 1 07:19:35 CEST 2013


Hi Jim,

I can confirm your observations, due to that stack behavior modification MS introduced more or less "silently" with the (Windows) update last November (described in the KB article you mentioned).
And, yes, it's actually exactly 100 routes/prefixes that get processed.


On Mon, Apr 01, 2013 at 04:09:57AM +0000, Jim Small wrote:
> I have been testing some Windows 7 systems using Fernando and Marc's tools.  With a system that's up to date in patches I haven't been able to crash it.  The system is non-responsive during the attack, but when the attack ends the system usually recovers fairly quickly.  Not always - sometimes it takes a few minutes, but it still doesn't crash.

Point is: can an affected system still communicate properly (over IPv6) after the attack? Think source address selection (which tends to already "fail" with far fewer addresses) and the like.

best

Enno

> 
> I noticed from Sam Bowne that Microsoft released a new patch to improve Windows 7/2008 R2 IPv6 stacks here:
> http://samsclass.info/ipv6/proj/RA_flood2.htm#2
> 
> From reviewing the KB here:
> http://support.microsoft.com/kb/2750841
> Issue #2 addresses some of the vulnerabilities - If you use many IPv6 address and IPv6 routes, the kernel memory is exhausted, and CPU usage reaches 100 percent.  This update limits the number of advertised prefixes and routes that each interface can process to 100.
> 
> I can confirm when I use Marc's flood_router26 that Windows gets about 100 random IPv6 addresses.  (OK, I didn't count them...)  So as Sam notes, it's still not as good as Linux but a huge improvement.  Hopefully this makes it to 8/2012 also.
> 
> Can anyone else confirm this or have you seen different results?
>   --Jim

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
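
A monitoring-side view of the 100 prefixes/routes per interface limit discussed in this thread, as an added example that is not part of the original post or of any tool named in it: it parses the Prefix Information and Route Information options out of ICMPv6 Router Advertisements and reports interfaces on which more distinct entries were advertised than the cap. The function names, the interface names and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

CAP = 100  # per-interface prefix/route limit quoted from KB 2750841 in the thread

def ra_entries(icmp6: bytes):
    """Prefix (type 3) and Route Information (type 24) options of one RA."""
    if len(icmp6) < 16 or icmp6[0] != 134:       # 134 = Router Advertisement
        return []
    out, off = [], 16                            # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp6):
            break                                # malformed option, stop parsing
        opt = icmp6[off:off + olen]
        try:
            if otype == 3 and olen == 32:
                out.append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
            elif otype == 24 and olen in (8, 16, 24):
                raw = opt[8:].ljust(16, b"\0")   # prefix field may be 0, 8 or 16 bytes
                out.append(ipaddress.IPv6Network((raw, opt[2]), strict=False))
        except ValueError:
            pass                                 # prefix length > 128: ignore option
        off += olen
    return out

def interfaces_over_cap(frames, cap=CAP):
    """frames: iterable of (interface, icmp6_bytes). Returns {iface: distinct count}
    for interfaces where the RAs seen carry more distinct entries than cap."""
    seen = defaultdict(set)
    for iface, icmp6 in frames:
        seen[iface].update(ra_entries(icmp6))
    return {i: len(s) for i, s in seen.items() if len(s) > cap}

def sample_ra(prefix: str, plen: int = 64) -> bytes:
    """Constructed test input: RA header plus one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

# Constructed capture: eth0 sees one stable prefix, eth1 sees 150 different ones.
NORMAL = [("eth0", sample_ra("2001:db8:1::"))] * 20
FLOOD = [("eth1", sample_ra(f"2001:db8:f:{i:x}::")) for i in range(150)]

if __name__ == "__main__":
    print(interfaces_over_cap(NORMAL + FLOOD))
```

An interface reported here has been offered more entries than a patched Windows 7/2008 R2 host will process, so hosts on that segment may hold an arbitrary 100 of them rather than the legitimate prefix.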


