Failure modes: NAT vs SPI

Owen DeLong owen at delong.com
Thu Feb 10 20:52:08 UTC 2011


On Feb 10, 2011, at 7:53 AM, Lamar Owen wrote:

> On Monday, February 07, 2011 04:33:23 am Owen DeLong wrote:
>> 1.	Scanning even an entire /64 at 1,000 pps will take 18,446,744,073,709,551 seconds
>> 	which is 213,503,982,334 days or 584,542,000 years.
>> 
>> 	I would posit that since most networks cannot absorb a 1,000 pps attack even without
>> 	the deleterious effect of incomplete ND on the router, no network has yet had even
>> 	a complete /64 scanned. IPv6 simply hasn't been around that long.
> 
> Sounds like a job for a 600 million node botnet.  You don't think this hasn't already crossed botnet ops minds?

The point is that you DOS the network on traffic before you can usefully scan it.

A 600 million node botnet scanning a /64 on a gigabit ethernet can still only successfully
inject ~1,000,000 pps or less. Even if we assume a 1,000,000 pps success rate, you've
only reduced the scan time to 584,542 years.

Even if you're somehow able to get 600 million nodes to successfully inject
1,000,000,000 packets per second (an unachievable number in any
present day technology) you still need 584 years to scan a single /64 subnet.

Owen
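
The arithmetic behind the figures in this thread, as an added worked example that is not part of Owen's post or the NANOG archive. It models the point that a botnet's aggregate probe rate is capped by the victim's ingress link (the `link_pps` value of 1,000,000 is the thread's ~1 Mpps gigabit figure and is an assumption here, as is one probe per address and a 365.25-day year), and it reproduces the 584,542,000 / 584,542 / 584 year numbers from the post. The IPv4 comparison at the end goes beyond the post: it shows why exhaustive scanning is routine for a 32-bit space and hopeless for a single 64-bit subnet.

```python
"""Brute-force scan time for an address space versus available packet rate.

Added example; not from the original mailing-list post. The constants below
(link capacity, botnet size, per-node rate) are assumptions used for illustration.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year; matches the post's rounding


def effective_pps(nodes: int, per_node_pps: float, link_pps: float) -> float:
    """Probe rate that actually arrives at the target subnet.

    The attacker's aggregate rate is nodes * per_node_pps, but the victim's
    ingress link drops (or is simply saturated by) anything above link_pps.
    Past that point a bigger botnet only produces a better DoS, not a faster scan.
    """
    return min(nodes * per_node_pps, link_pps)


def scan_seconds(space_bits: int, pps: float) -> float:
    """Seconds to send one probe to every address in a 2**space_bits space.

    Assumes one packet per address and that the scanner never has to wait for
    replies. An IPv6 /64 has space_bits == 64; all of IPv4 has space_bits == 32.
    """
    addresses = 2 ** space_bits
    return addresses / pps


def scan_years(space_bits: int, pps: float) -> float:
    return scan_seconds(space_bits, pps) / SECONDS_PER_YEAR


def pps_for_deadline(space_bits: int, years: float) -> float:
    """Sustained probe rate needed to finish the whole space within `years`."""
    return 2 ** space_bits / (years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    LINK_PPS = 1_000_000           # assumed: ~1 Mpps through a gigabit link
    BOTNET_NODES = 600_000_000     # figure quoted in the thread
    PER_NODE_PPS = 10              # assumed per-bot rate; aggregate far exceeds the link

    # The three scenarios from the post, rate -> years for a single /64
    for rate in (1_000, 1_000_000, 1_000_000_000):
        print(f"/64 at {rate:>13,} pps: {scan_years(64, rate):>16,.0f} years")

    # Botnet size does not help once the victim's link is saturated
    delivered = effective_pps(BOTNET_NODES, PER_NODE_PPS, LINK_PPS)
    print(f"{BOTNET_NODES:,} bots offering {BOTNET_NODES * PER_NODE_PPS:,} pps "
          f"deliver only {delivered:,.0f} pps -> {scan_years(64, delivered):,.0f} years")

    # Rate that would make a one-year /64 scan possible
    print(f"/64 in one year needs {pps_for_deadline(64, 1):,.0f} pps sustained")

    # Contrast: the entire IPv4 space at the same 1 Mpps
    print(f"all of IPv4 at {LINK_PPS:,} pps: {scan_seconds(32, LINK_PPS) / 60:,.1f} minutes")
```

Running it prints roughly 584,542,046 / 584,542 / 585 years for the three rates, the 600-million-bot case collapsing to the same 584,542 years as the plain 1 Mpps case, a requirement of about 5.8e11 pps to finish a /64 in a year, and about 72 minutes for all of IPv4 at 1 Mpps.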





More information about the NANOG mailing list