IPv6 Flaw Could Greatly Amplify DDoS Attacks
Posted by
Zonk
on Fri May 11, 2007 06:34 PM
from the please-avoid-the-obvious-holes dept.
tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"

Greedy Estonian teenage overlords! (Score:2, Funny)
Re:Greedy Estonian teenage overlords! (Score:4, Funny)
(Last Journal: Saturday November 10, @04:40AM)
They make awesome glaag.
Don't confuse Estonians with Russians (Score:5, Informative)
(http://benambra.org/)
In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.
Re:Don't confuse Estonians with Russians (Score:4, Funny)
(http://quadrocket.co.uk/)
Now that's the way to occupy a country!
Is anybody surprised that Paul Vixie (Score:5, Funny)
Re:Is anybody surprised that Paul Vixie (Score:5, Interesting)
(http://www.lingula.org.uk/)
This was a time when there were huge numbers of different network address formats which had to have mail routed to/from/between. That's why it's all about rewriting addresses and not about processing the message. It is also why it's so complex as it had to be flexible enough to handle IP, Usenet (i.e. bang paths), reversed domain-type addressing so you needed a complex language to deal with it.)
Remember also, this was an age before the virus and when the most malicious thing was the war dialler or phone phreaker with his trusty 300baud acoustic coupler modem. Built-in security and thinking about buffer overflows weren't really even in the background of the programmers' minds back then.
Times have changed, hence Sendmail just isn't an appropriate tool anymore, just like the stage coach. It doesn't mean that it's bad software.
$300 Linux box... as if (Score:5, Funny)
Estonia? (Score:5, Funny)
NOT COOL. (Score:5, Funny)
(http://gamekid.notlong.com/)
That roughly translates to "It's so easy, an Estonian can do it".
Someone is gonna be buying them roast duck (with the mango salsa) soon.
Re:NOT COOL. (Score:5, Informative)
(http://www.exposedworld.net/)
Re:NOT COOL. (Score:5, Funny)
Re:NOT COOL. (Score:5, Funny)
Re:NOT COOL. (Score:4, Insightful)
You're right. I'm sorry.
Re:NOT COOL. (Score:4, Insightful)
(http://eof.sourceforge.net/)
Quick! Find Liechtenstein on a map. How about San Marino? No cheating with Google Maps.
There are a lot of countries and even more cultures within countries. Nobody can be expected to know all of them. While many Americans should be ashamed of not being able to find Iraq on a map, plenty of other countries play a much smaller role in world politics and nobody should blame anyone for not knowing about them.
Re:NOT COOL. (Score:5, Informative)
He may have chosen Estonia in particular because there have recently (in the last week) been DDoS attacks targeting Estonia's government websites.
Those attacks were (still are, actually) carried out not by local "greedy teenagers", but top-level Russian authorities. The large-scale attacks were traced to IP addresses in Moscow owned by the Russian presidential administration and government.
Better idea (Score:5, Interesting)
Re:Better idea (Score:5, Informative)
(Last Journal: Saturday May 19, @06:02PM)
Imagine a network of 9 computers in a mesh topology. Now imagine instead of taking at most 4 hops to get to your destination you can specify it to go through every single computer on the network for a maximum of 9-10 hops. Because all of this traffic passes through each computer in the network you have amplified the power of your DoS attack by a factor of 2-3x because you are increasing the network congestion as well as potential collisions and everything else.
Now imagine the internet. I can believe it would amplify the power of DoS attacks by 80x or more if this were permitted. The fact remains that a good network administrator will let the routers know the best routes. Why specify the route with RH0 when the routers are already built to know the best possible route (through protocols like OSPF and BGP you can even have the routers let each other know about potential problems in the network).
Re:Better idea (Score:5, Informative)
(Last Journal: Wednesday October 16 2002, @01:31AM)
A better idea. (Score:5, Funny)
(http://www.drivesentinel.co.uk/)
That already works for other problems, right?
Insensitive Clod (Score:5, Funny)
Who gives a $%##? (Score:3, Insightful)
(Last Journal: Tuesday May 29, @06:37PM)
Because IPv6 will never be implemented widely anyway.
Why will it not you say?
Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Never mind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP Connection "Warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy than a multi-year dual-stack IPv4 to IPv6 transition would.
Ok, I'm done ranting.
Have a great weekend everyone!
An article that discusses the actual vulnerability (Score:5, Informative)
Re:Who gives a $%##? (Score:4, Insightful)
(http://kestas.kuliukas.com/)
Re:Who gives a $%##? (Score:4, Insightful)
(Last Journal: Tuesday May 29, @06:37PM)
The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.
Re:Who gives a $%##? (Score:5, Interesting)
Check our DNA. We are, essentially, insanely ridiculous kludges. Nothing but organically accreted fixes to a long series of problems. Why should anyone be surprised that our technology mirrors this fundamental aspect of our selves?
The Japanese? (Score:5, Insightful)
(http://slashdot.org/ | Last Journal: Saturday November 03, @04:58AM)
What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.
There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.
The IETF screwed the pooch on this one (Score:5, Insightful)
However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".
In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).
Re:The IETF screwed the pooch on this one (Score:5, Insightful)
What's with all the anti-IPv6 stuff lately? (Score:2)
Re:What's with all the anti-IPv6 stuff lately? (Score:4, Informative)
(http://www.justjournal.com/)
Nothing New (Score:5, Interesting)
(http://www.maxrat.net/)
Security Through Poorly Understood New Features (Score:2)
(http://slashdot.org/journal.pl?op=list&uid=911325 | Last Journal: Monday October 29, @02:52PM)
Act NOW! The world is falling! (Score:2)
DoD Buying Cycle (Score:1)
Early IPv6 drafts had limited the Type 0 route len (Score:5, Informative)
The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.
The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8 bit unsigned integer (i.e. 255 times).
While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.
One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/ [iwl.com]. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL or own any equity or options on equity in the company).
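Added example, not part of the comment above or of any product it mentions: a Python sketch of the check a filter or IDS sensor can apply to the Type 0 routing header, walking the RFC 2460 extension-header chain of a raw IPv6 packet and reporting each RH0's address list, Segments Left and the packet's Hop Limit. The function names, the drop policy in should_drop() and the 2001:db8:: sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59

def find_rh0(packet: bytes) -> list:
    """Walk the extension-header chain and return every Type 0 routing header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, hop_limit, offset, found = packet[6], packet[7], 40, []
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[offset], packet[offset + 1]
        # Fragment headers are always 8 bytes; the rest are (ext_len + 1) * 8.
        size = 8 if next_hdr == FRAGMENT else (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            if ext_len % 2:
                raise ValueError("RH0 length is not a whole number of addresses")
            body = packet[offset + 8:offset + size]
            found.append({
                "segments_left": packet[offset + 3],
                "hop_limit": hop_limit,
                "addresses": [str(ipaddress.IPv6Address(body[i:i + 16]))
                              for i in range(0, len(body), 16)],
            })
        if next_hdr == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            break  # non-first fragment: what follows is payload, not headers
        next_hdr, offset = following, offset + size
    return found

def should_drop(packet: bytes) -> bool:
    """Assumed policy: drop if any RH0 still has hops to visit or if several are stacked."""
    headers = find_rh0(packet)
    return len(headers) > 1 or any(h["segments_left"] > 0 for h in headers)

def sample_packet(hops, segments_left):
    """Constructed test input: IPv6 header + one RH0 + no upper-layer payload."""
    rh0 = bytes([NO_NEXT, 2 * len(hops), 0, segments_left]) + bytes(4)
    rh0 += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    src = ipaddress.IPv6Address("2001:db8::a").packed
    dst = ipaddress.IPv6Address("2001:db8::b").packed
    return struct.pack("!IHBB", 6 << 28, len(rh0), ROUTING, 64) + src + dst + rh0
```

A caller should treat a ValueError from find_rh0() as a malformed packet and drop it as well.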
Aren't the old excuses still good anymore? (Score:2)
IPv6 seems to be designed pretty poorly. (Score:1)
Make the default "Off" (Score:2)
(Last Journal: Tuesday September 12 2006, @03:31PM)
Because it seems to me that this could be useful, so it makes sense to still forward these sorts of packets along.. but the default would be to do it optimally rather than following the explicit route.
One possible and very practical use for this could be to send data across networks that don't happen to share the same address space (ignoring the fact that IPv6 gives you so many addresses that you probably wouldn't ever _need_ to use different address spaces, it's still potentially possible that someone might _want_ to do this). So you use source routing to go first to the system that acts as the gateway between them and then the next IP in the list is on the other network.
Already fixed in OpenBSD (Score:2, Informative)
The patch was released on April 27 [openbsd.org]. Now that's quick!
The OpenBSD project does a great job with security [openbsd.org]; other development teams could learn a lot from them.
typical design stupidity (Score:2)
It's no wonder people are reluctant to adopt IPv6.
Why Estonians? (Score:2, Informative)
(http://www.reinmets.ee/)
I live in Estonia, and no, I don't speak the Russian language.
Now, maybe a big part of the world doesn't even know where Estonia is, but we are quite an advanced IT country; here are some examples:
* We got National ID cards - and loads of services that use it as identification
* We just launched a cellphone based ID service, that basically replaces the need for a smart card reader and allows identification from anywhere in Estonia.
* We have E-Government
* Our internet banks are surely in the top 3 world wide from feature perspective
* And last, but not least, there's Skype
Arrrrrgh! (Score:1)
Original CanSecWest presentation (Score:4, Informative)
(http://elgoog.rb-hosting.de/)
feature (Score:1)
Re:Really, why do people say such stupid things? (Score:2)
Re:Just what we need! (Score:3, Funny)
(http://batteriesnimh.com/)
Re:Really, why do people say such stupid things? (Score:2)
(http://slashdot.org/ | Last Journal: Tuesday November 05 2002, @09:18AM)
Re:Really, why do people say such stupid things? (Score:2)
Re:How many people use IPv6 (Score:3, Insightful)
(http://www.brokersys.com/~jguthrie/)
Re:Sorry you lose (Score:1)
Re:Just what we need! (Score:1)
(http://blacklint.com/)
Re:Nice commentary (Score:2)
Being Estonian is not a slur, sir, it's a compliment!
It all depends on your point of view, racist
Re:Nice commentary (Score:1)
Secondly, it's well attested that Eastern Europe is a major center of online criminal activity. As someone who has been in the security field for the past four years, I can say that there are days when I wish I could put a firewall around all of it, to keep things *in*.
The assumption that it would be a teenager is actually the part least likely to be accurate. It could be - they call them script kiddies for a reason - OTOH, a lot of adults are involved in computer crime, and they are involved in it for profit.
While his remark was flippant, it was not nearly as inaccurate as you might think.