[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods

Jim Small jim.small at cdw.com
Mon Apr 1 15:01:52 CEST 2013

Hi Enno,

> I can confirm your observations, due to that stack behavior modification MS
> introduced more or less "silently" with the (Windows) update last November
> (described in the KB article you mentioned).
> And, yes, it's actually exactly 100 routes/prefixes that get processed.

Great - thanks.

> On Mon, Apr 01, 2013 at 04:09:57AM +0000, Jim Small wrote:
> > I have been testing some Windows 7 systems using Fernando and Marc's
> tools.  With a system that's up to date in patches I haven't been able to crash
> it.  The system is non-responsive during the attack, but when the attack ends
> the system usually recovers fairly quickly.  Not always - sometimes it takes a
> few minutes, but it still doesn't crash.
> Point is: can an affected system still communicate properly (over IPv6) after
> the attack? Think source address selection (which tends to already "fail" with
> much less addresses) and the like.

Agreed - node's original IPv6 address(es) are wiped out by an RA attack and replaced with random ones so it's still a DoS.  However, much better than crashing or node becoming unusable until reboot!  RA guard (including one that deals with fragmented RAs) still needed, just want to accurately represent the issue.

Did this stability enhancement make it into 8/2012 too?


More information about the Ipv6hackers mailing list