[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Jim Small jim.small at cdw.com
Mon Apr 1 15:03:41 CEST 2013


Hi Doug,

> > On Sun, Mar 31, 2013 at 09:55:17PM -0700, Doug Barton wrote:
> >> On 03/31/2013 09:09 PM, Jim Small wrote:
> >>> I have been testing some Windows 7 systems using Fernando and Marc's
> >>> tools.  With a system that's up to date in patches I haven't been able to
> >>> crash it.  The system is non-responsive during the attack, but when the
> >>> attack ends the system usually recovers fairly quickly.  Not always -
> >>> sometimes it takes a few minutes, but it still doesn't crash.
> >>>
> >>> I noticed from Sam Bowne that Microsoft released a new patch to improve
> >>> Windows 7/2008 R2 IPv6 stacks here:
> >>> http://samsclass.info/ipv6/proj/RA_flood2.htm#2
> >>>
> >>>  From reviewing the KB here:
> >>> http://support.microsoft.com/kb/2750841
> >>> Issue #2 addresses some of the vulnerabilities - If you use many IPv6
> >>> address and IPv6 routes, the kernel memory is exhausted, and CPU usage
> >>> reaches 100 percent.  This update limits the number of advertised prefixes
> >>> and routes that each interface can process to 100.
> >>
> >> You might want to have a closer look at Issue #4 in that KB article, and
> >> the surrounding conversation about it. Namely if you have some sort of
> >> temporary interruption in your IPv6 connectivity at boot time you'll
> >> lose IPv6 for the lifetime of the session.
> >
> > to the best of my knowledge only a "positive" result of that query is cached
> > (for 30 days) whereas a negative result leads to periodic re-trying.
> > not sure if they try only once at system startup/stack initialization which
> > you seem to imply.
> 
> You might want to test that and report your findings. There was
> non-trivial discussion about it when it first came out. I would be happy
> to be proven wrong.

Could you provide a link/pointer to this discussion?  I have some thoughts to possibly share on this based on my understanding of this fix but I would like to read about the concerns first.

Thanks,
  --Jim




