[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods

Enno Rey erey at ernw.de
Mon Apr 1 07:27:08 CEST 2013


On Sun, Mar 31, 2013 at 09:55:17PM -0700, Doug Barton wrote:
> On 03/31/2013 09:09 PM, Jim Small wrote:
> >I have been testing some Windows 7 systems using Fernando and Marc's 
> >tools.  With a system that's up to date in patches I haven't been able to 
> >crash it.  The system is non-responsive during the attack, but when the 
> >attack ends the system usually recovers fairly quickly.  Not always - 
> >sometimes it takes a few minutes, but it still doesn't crash.
> >
> >I noticed from Sam Bowne that Microsoft released a new patch to improve 
> >Windows 7/2008 R2 IPv6 stacks here:
> >http://samsclass.info/ipv6/proj/RA_flood2.htm#2
> >
> > From reviewing the KB here:
> >http://support.microsoft.com/kb/2750841
> >Issue #2 addresses some of the vulnerabilities - If you use many IPv6 
> >address and IPv6 routes, the kernel memory is exhausted, and CPU usage 
> >reaches 100 percent.  This update limits the number of advertised prefixes 
> >and routes that each interface can process to 100.
> You might want to have a closer look at Issue #4 in that KB article, and 
> the surrounding conversation about it. Namely if you have some sort of 
> temporary interruption in your IPv6 connectivity at boot time you'll 
> lose IPv6 for the lifetime of the session.

to the best of my knowledge only a "positive" result of that query is cached (for 30 days) whereas a negative result leads to periodic re-trying. 
not sure if they try only once at system startup/stack initialization which you seem to imply.

btw, @Jim: given that the "Issue 4" related modification originally "derives" from Windows8 (see http://blogs.msdn.com/b/b8/archive/2012/06/05/connecting-with-ipv6-in-windows-8.aspx) I assume that Windows 8/2012 default behavior is like the one you observced. will test that shortly.



> Doug
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Blog: www.insinuator.net || Conference: www.troopers.de

More information about the Ipv6hackers mailing list