just seen my first IPv6 network abuse scan, is this the start for more?

Matthias Flittner matthias.flittner at de-cix.net
Fri Sep 3 13:07:40 UTC 2010


> However this scan was from an external host. The only traffic I saw on
> the subnet was normal/valid NA lookups from the router towards an
> increasing IPv6-address (starting with ::1, then ::2 etc). On the
> router side I clearly saw the icmp traffic from the source doing a
> scan on these destination hosts. 
Typically this fills the NC with faked entries and exhausts the node's
cache resources. "This interrupts the normal functions of the targeted
IPv6 node."

In other words: The attacker sends a lot of ICMPv6 echo requests to your
/64 subnet. Your router has to resolve these addresses internally (each NA
is stored in the NC of the router). The node's cache resources are exhausted
and no "normal" NA could be stored. I think that was your problem.

Unfortunately there is no standardized way to mitigate these attacks yet.

However there are many approaches which could help or could be discussed.
(like http://www.freepatentsonline.com/20070130427.pdf or other)

best regards,
-F
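
Added example, not part of the original message: a toy Python model of the neighbor cache (NC) behaviour described above, comparing a cache that evicts its oldest entry when full with one that lets unresolved (INCOMPLETE) entries compete only with each other. The class, both eviction policies, the capacity and `incomplete_limit` values, and the 2001:db8:0:1::/64 addresses are assumptions made for illustration, not any vendor's implementation.

```python
from collections import OrderedDict
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix, constructed

class NeighborCache:
    """Toy neighbor cache (NC): address -> state, oldest entry first."""

    def __init__(self, capacity, incomplete_limit=None):
        self.capacity = capacity                  # total NC slots
        self.incomplete_limit = incomplete_limit  # None = no separate cap
        self.entries = OrderedDict()

    def _unresolved(self):
        return [a for a, s in self.entries.items() if s == "INCOMPLETE"]

    def packet_for(self, addr):
        """Traffic for an on-link address: the router needs an NC entry to resolve it."""
        if addr in self.entries:
            return
        if self.incomplete_limit is None:
            # Naive policy: when full, evict the oldest entry whatever its state.
            if len(self.entries) >= self.capacity:
                self.entries.popitem(last=False)
        else:
            # Hardened policy: unresolved entries compete only with each other.
            unresolved = self._unresolved()
            if len(unresolved) >= self.incomplete_limit or len(self.entries) >= self.capacity:
                if not unresolved:
                    return  # full of resolved neighbors: drop rather than evict one
                del self.entries[unresolved[0]]
        self.entries[addr] = "INCOMPLETE"  # NS sent, waiting for an NA

    def advertisement_from(self, addr):
        """An NA only completes an entry that is currently being resolved."""
        if self.entries.get(addr) == "INCOMPLETE":
            self.entries[addr] = "REACHABLE"

def surviving_hosts(cache, real_hosts, sweep_size):
    """Resolve the real hosts, replay a ::1, ::2, ... sweep, count hosts still REACHABLE."""
    for h in real_hosts:
        cache.packet_for(h)
        cache.advertisement_from(h)
    for i in range(1, sweep_size + 1):
        cache.packet_for(PREFIX[i])  # nobody answers, so the entry stays INCOMPLETE
    return sum(cache.entries.get(h) == "REACHABLE" for h in real_hosts)

REAL_HOSTS = [PREFIX[0xA000 + i] for i in range(20)]  # constructed addresses
```

The model ignores entry timeouts, so it shows the cache state during a sustained sweep rather than recovery after it stops.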
