[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods
Fernando Gont
fgont at si6networks.com
Mon Apr 1 22:39:09 CEST 2013
On 04/01/2013 02:27 AM, Enno Rey wrote:
> Hi,
>
> On Sun, Mar 31, 2013 at 09:55:17PM -0700, Doug Barton wrote:
>> On 03/31/2013 09:09 PM, Jim Small wrote:
>>> I have been testing some Windows 7 systems using Fernando and Marc's
>>> tools. With a system that's up to date in patches I haven't been able to
>>> crash it. The system is non-responsive during the attack, but when the
>>> attack ends the system usually recovers fairly quickly. Not always -
>>> sometimes it takes a few minutes, but it still doesn't crash.
>>>
>>> I noticed from Sam Bowne that Microsoft released a new patch to improve
>>> Windows 7/2008 R2 IPv6 stacks here:
>>> http://samsclass.info/ipv6/proj/RA_flood2.htm#2
>>>
>>> From reviewing the KB here:
>>> http://support.microsoft.com/kb/2750841
>>> Issue #2 addresses some of the vulnerabilities - If you use many IPv6
>>> address and IPv6 routes, the kernel memory is exhausted, and CPU usage
>>> reaches 100 percent. This update limits the number of advertised prefixes
>>> and routes that each interface can process to 100.
>>
>> You might want to have a closer look at Issue #4 in that KB article, and
>> the surrounding conversation about it. Namely if you have some sort of
>> temporary interruption in your IPv6 connectivity at boot time you'll
>> lose IPv6 for the lifetime of the session.
>
> to the best of my knowledge only a "positive" result of that query is cached (for 30 days) whereas a negative result leads to periodic re-trying.
Not sure what type of "failure" you're referring to. But I recall
finding that, with many implementations (IIRC including FreeBSD), if DAD
fails for the link-local address, that's "game over" for v6 until you
reboot.
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
More information about the Ipv6hackers
mailing list