[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods
Jim Small
jim.small at cdw.com
Mon Apr 1 15:01:52 CEST 2013
Hi Enno,
> I can confirm your observations, due to that stack behavior modification MS
> introduced more or less "silently" with the (Windows) update last November
> (described in the KB article you mentioned).
> And, yes, it's actually exactly 100 routes/prefixes that get processed.
Great - thanks.
> On Mon, Apr 01, 2013 at 04:09:57AM +0000, Jim Small wrote:
> > I have been testing some Windows 7 systems using Fernando and Marc's
> > tools. With a system that's up to date in patches I haven't been able to crash
> > it. The system is non-responsive during the attack, but when the attack ends
> > the system usually recovers fairly quickly. Not always - sometimes it takes a
> > few minutes, but it still doesn't crash.
>
> Point is: can an affected system still communicate properly (over IPv6) after
> the attack? Think source address selection (which tends to already "fail" with
> far fewer addresses) and the like.
Agreed - the node's original IPv6 address(es) are wiped out by an RA attack and replaced with random ones, so it's still a DoS. However, that is much better than crashing or the node becoming unusable until reboot! RA guard (including one that deals with fragmented RAs) is still needed; I just want to accurately represent the issue.
Did this stability enhancement make it into 8/2012 too?
--Jim
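
An added example, not part of the original message: a passive monitoring check that counts the distinct prefixes advertised in RAs per time window and flags any window exceeding the 100-prefix figure confirmed in the thread. The window length, the function names and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3   # ICMPv6 RA and Prefix Information option (RFC 4861)
PREFIX_CAP = 100                    # prefixes a patched Windows 7 processes, per the thread

def ra_prefixes(icmp6):
    """Return the prefixes advertised in one ICMPv6 RA body; [] if not an RA or malformed."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return []
    found, off = [], 16              # options start after the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            return []                # zero-length or truncated option: drop the packet
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and icmp6[off + 2] <= 128:
            raw = icmp6[off + 16:off + 32]
            found.append(ipaddress.IPv6Network((raw, icmp6[off + 2]), strict=False))
        off += opt_len
    return found

def flood_windows(events, window=10.0, threshold=PREFIX_CAP):
    """events: time-sorted (timestamp, icmp6_bytes). Returns [(window_start, distinct_prefixes)]
    for each tumbling window that advertised more than `threshold` distinct prefixes."""
    alerts, start, seen = [], None, set()
    for ts, pkt in events:
        if start is None or ts - start >= window:
            if len(seen) > threshold:
                alerts.append((start, len(seen)))
            start, seen = ts, set()
        seen.update(ra_prefixes(pkt))
    if len(seen) > threshold:
        alerts.append((start, len(seen)))
    return alerts

def make_ra(prefixes):
    """Constructed sample data only: an RA body (checksum zero) carrying the given prefixes."""
    body = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
        body += net.network_address.packed
    return body

# Constructed capture: two normal RAs, then 150 RAs with distinct documentation prefixes.
SAMPLE = [(0.0, make_ra(["2001:db8:1::/64"])), (5.0, make_ra(["2001:db8:1::/64"]))]
SAMPLE += [(20 + k * 0.01, make_ra([f"2001:db8:{0x1000 + k:x}::/64"])) for k in range(150)]

if __name__ == "__main__":
    for start, count in flood_windows(SAMPLE):
        print(f"window starting t={start}: {count} distinct prefixes (cap {PREFIX_CAP})")
```

In practice the events would come from a capture of ICMPv6 type 134 traffic on the link, and the threshold can be set well below 100 for links that only ever advertise a handful of prefixes.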