[ipv6hackers] (Remote) Neighbor Cache Exhaustion Attacks - Some Discussion

Joseph Jackson jjackson at aninetworks.net
Tue Mar 5 14:06:18 CET 2013

What Cisco gear and IOS version are you running in your lab?

-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Enno Rey
Sent: Tuesday, March 05, 2013 5:59 AM
To: ipv6hackers at lists.si6networks.com
Subject: [ipv6hackers] (Remote) Neighbor Cache Exhaustion Attacks - Some Discussion


I just built a small Cisco-based lab to verify if my (potentially flawed, seriously) understanding of remote neighbor cache exhaustion attacks is correct.
It seems that Cisco devices never store more than 512 INCOMPLETE entries in their neighbor cache, regardless of the actual number of NS packets sent out (and missing their respective NAs).

Can anybody confirm similar behavior for other vendors' L3 devices or routers based on BSD/Linux/Solaris/whatever?
I tend to conclude that the actual risk of remote NCE is exaggerated in some circles, but I might have overlooked something.
Details as for the testing I did can be found here: http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1/.

Happy about any kind of feedback...



Enno Rey

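Enno asks whether Linux-based routers behave like the Cisco boxes in his lab. On Linux the neighbor table is bounded by the gc_thresh1/gc_thresh2/gc_thresh3 sysctls rather than a fixed cap on INCOMPLETE entries, so the useful defender-side check is how many unresolved entries an interface is carrying relative to gc_thresh3. The script below is an added example, not code from the list thread or from ERNW; it parses `ip -6 neigh show` output (a constructed sample is embedded so it runs offline) and flags interfaces whose INCOMPLETE count approaches the limit. The 50% warning fraction and the sample addresses are assumptions.

```python
import subprocess
from collections import Counter

# Constructed sample of `ip -6 neigh show` output; not captured from a real host.
SAMPLE_NEIGH = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::a1 dev eth0  INCOMPLETE
2001:db8:1::a2 dev eth0  INCOMPLETE
2001:db8:1::a3 dev eth0  INCOMPLETE
2001:db8:1::a4 dev eth0 FAILED
2001:db8:2::7 dev eth1  INCOMPLETE
"""

# NUD states printed by iproute2; the state is always the last token of a line.
NEIGH_STATES = {"INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE",
                "FAILED", "NOARP", "PERMANENT"}

def parse_neigh(text):
    """Turn `ip -6 neigh show` lines into dicts: addr, dev, lladdr, state."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] != "dev":
            continue  # not a neighbor line (or an unexpected format)
        entry = {"addr": tokens[0], "dev": tokens[2], "lladdr": None, "state": None}
        if "lladdr" in tokens:  # INCOMPLETE/FAILED entries have no lladdr
            entry["lladdr"] = tokens[tokens.index("lladdr") + 1]
        if tokens[-1] in NEIGH_STATES:
            entry["state"] = tokens[-1]
        entries.append(entry)
    return entries

def incomplete_per_interface(entries):
    """Count unresolved (INCOMPLETE) entries per interface."""
    return dict(Counter(e["dev"] for e in entries if e["state"] == "INCOMPLETE"))

def read_gc_thresh3(path="/proc/sys/net/ipv6/neigh/default/gc_thresh3"):
    """Hard limit on IPv6 neighbor entries (kernel default 1024); None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def assess(entries, limit, warn_fraction=0.5):
    """Return (counts, alerts): interfaces whose INCOMPLETE count >= warn_fraction*limit."""
    counts = incomplete_per_interface(entries)
    alerts = {dev: n for dev, n in counts.items() if limit and n >= warn_fraction * limit}
    return counts, alerts

if __name__ == "__main__":
    live = subprocess.run(["ip", "-6", "neigh", "show"], capture_output=True, text=True)
    text = live.stdout if live.returncode == 0 else SAMPLE_NEIGH
    print(assess(parse_neigh(text), read_gc_thresh3() or 1024))
```

Run on a live host it reads the real table and sysctl; without `ip` it falls back to the embedded sample.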