NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))

Karl Auer kauer at biplane.com.au
Tue Jul 12 00:17:30 UTC 2011


On Mon, 2011-07-11 at 18:48 -0500, Jimmy Hess wrote:
> It would be useful to at least have the risk properly described, in
> terms of what kind of DoS condition could arise on specific implementations.

RFC3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats

Section 4.3.2

   In this attack, the attacking node begins fabricating addresses with
   the subnet prefix and continuously sending packets to them.  The last
   hop router is obligated to resolve these addresses by sending
   neighbor solicitation packets.  A legitimate host attempting to enter
   the network may not be able to obtain Neighbor Discovery service from
   the last hop router as it will be already busy with sending other
   solicitations.  This DoS attack is different from the others in that
   the attacker may be off-link.  The resource being attacked in this
   case is the conceptual neighbor cache, which will be filled with
   attempts to resolve IPv6 addresses having a valid prefix but invalid
   suffix.  This is a DoS attack.

The above RFC and RFC3971 (SEND) both have good descriptions of a BUNCH
of possible attacks. RFC3971 is a bit dismissive IMHO of this particular
attack.

I realise this is not "specific implementations" as you requested, but
it seems to me that the problem is generic enough not to require that.

The attack is made possible by the design of the protocol, not any
failing of specific implementations. Specific implementations need to
describe what they've done about it (mitigation or prevention).

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
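
A toy model of the neighbor cache exhaustion described in the RFC 3756 excerpt above, added here as an illustration; it is not part of the original message and not any router's actual implementation. The fixed cache size, the `incomplete_limit` ceiling (one possible mitigation policy) and the 2001:db8:0:1::/64 prefix are assumptions, and entry timers are left out.

```python
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix (constructed)
NEW_HOST = PREFIX[0xABCD]  # constructed address of a legitimate host joining the link


class NeighborCache:
    """Toy model of a last-hop router's conceptual neighbor cache (no timers)."""

    def __init__(self, capacity, incomplete_limit=None):
        self.capacity = capacity
        # Assumed mitigation: a separate ceiling on unresolved entries.
        self.incomplete_limit = incomplete_limit
        self.state = {}  # address -> "INCOMPLETE" or "STALE"

    def _incomplete(self):
        return sum(1 for s in self.state.values() if s == "INCOMPLETE")

    def forward_to(self, addr):
        """A packet arrives for an on-link address, so resolution must start."""
        if addr in self.state:
            return True
        if len(self.state) >= self.capacity:
            return False  # cache full: packet dropped
        if (self.incomplete_limit is not None
                and self._incomplete() >= self.incomplete_limit):
            return False  # drop rather than spend another slot on resolution
        self.state[addr] = "INCOMPLETE"
        return True

    def learn_from_solicitation(self, addr):
        """A real host solicits the router, which records it as STALE."""
        if addr not in self.state and len(self.state) >= self.capacity:
            return False  # no slot left: the host gets no ND service
        self.state[addr] = "STALE"
        return True


def simulate(cache, unresolved_destinations, new_host=NEW_HOST):
    """Apply load for addresses nobody owns, then let a real host join."""
    for i in range(1, unresolved_destinations + 1):
        cache.forward_to(PREFIX[i])
    return cache.learn_from_solicitation(new_host)


def compare(capacity=1024, load=5000):
    """Return (new host served without a ceiling, new host served with one)."""
    naive = simulate(NeighborCache(capacity), load)
    bounded = simulate(NeighborCache(capacity, incomplete_limit=capacity // 4), load)
    return naive, bounded
```

Calling `compare()` shows the new host refused by the single-pool cache and accepted once unresolved entries have their own ceiling.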