just seen my first IPv6 network abuse scan, is this the start for more?
matthias.flittner at de-cix.net
Fri Sep 3 13:07:40 UTC 2010
> However this scan was from a external host. The only traffic I saw on
> the subnet was normal/valid NA lookups from the router towards an
> increasing IPv6-address (starting with ::1, then ::2 etc). On the
> router side I clearly saw the icmp traffic from the source doing a
> scan on these destination hosts.
typically this fill the NC with faked entries and exhaust the node's
cache resources. "This interrupts the normal functions of the targeted
In other words: The attacker sends a lot of ICMPv6 echo requests to your
/64 subnet. Your router has to resolve this addresses internaly (each NA
is stored in NC of the router). The node's cace resources are exhausted
and no "normal" NA could be stored. I think that was your problem.
Unfortunately is there no standardized way to mitigate this attacks, yet.
However there are many approaches which could help or could be discussed.
(like http://www.freepatentsonline.com/20070130427.pdf or other)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 552 bytes
Desc: OpenPGP digital signature
More information about the NANOG