[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Doug Barton dougb at dougbarton.us
Mon Apr 1 07:30:29 CEST 2013


On 03/31/2013 10:27 PM, Enno Rey wrote:
> Hi,
>
> On Sun, Mar 31, 2013 at 09:55:17PM -0700, Doug Barton wrote:
>> On 03/31/2013 09:09 PM, Jim Small wrote:
>>> I have been testing some Windows 7 systems using Fernando and Marc's
>>> tools.  With a system that's up to date in patches I haven't been able to
>>> crash it.  The system is non-responsive during the attack, but when the
>>> attack ends the system usually recovers fairly quickly.  Not always -
>>> sometimes it takes a few minutes, but it still doesn't crash.
>>>
>>> I noticed from Sam Bowne that Microsoft released a new patch to improve
>>> Windows 7/2008 R2 IPv6 stacks here:
>>> http://samsclass.info/ipv6/proj/RA_flood2.htm#2
>>>
>>> From reviewing the KB here:
>>> http://support.microsoft.com/kb/2750841
>>> Issue #2 addresses some of the vulnerabilities - If you use many IPv6
>>> addresses and IPv6 routes, the kernel memory is exhausted, and CPU usage
>>> reaches 100 percent.  This update limits the number of advertised prefixes
>>> and routes that each interface can process to 100.
>>
>> You might want to have a closer look at Issue #4 in that KB article, and
>> the surrounding conversation about it. Namely if you have some sort of
>> temporary interruption in your IPv6 connectivity at boot time you'll
>> lose IPv6 for the lifetime of the session.
>
> To the best of my knowledge, only a "positive" result of that query is cached (for 30 days), whereas a negative result leads to periodic re-trying.
> Not sure if they try only once at system startup/stack initialization, which you seem to imply.

You might want to test that and report your findings. There was 
non-trivial discussion about it when it first came out. I would be happy 
to be proven wrong.

Doug



