IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Nov 29 06:43:04 UTC 2011


On Tue, 29 Nov 2011 00:15:02 EST, Jeff Wheeler said:

> Owen and I have discussed this in great detail off-list.  Nearly every
> time this topic comes up, he posts in public that neighbor table
> exhaustion is a non-issue.  I thought I'd mention that his plan for
> handling neighbor table attacks against his networks is whack-a-mole.
> That's right, wait for customer services to break, then have NOC guys
> attempt to clear tables, filter traffic, or disable services; and
> repeat that if the attacker is determined or going after his network
> rather than one of his downstream customers.

It's worked for us since 1997.  We've had bigger problems with IPv4 worms that
decided to probe in multicast address space for their next target, causing CPU
exhaustion on routers as they try to set up zillions of multicast groups.

Sure, it's a consideration.  But how many sites are *actually* getting hit
with this, compared to all the *other* DDOS stuff that's going on?  I'm willing
to bet a large pizza with everything but anchovies that out in the *real*
world, 50-75 times as many (if not more) sites are getting hit with IPv4
DDoS attacks that they weren't prepared for than are seeing this one
particular neighbor table exhaustion attack.

Any of the guys with actual DDoS numbers want to weigh in?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20111129/b39ce0ec/attachment.sig>


More information about the NANOG mailing list