[6bone] DoS attacks through 6to4 anycast relay
Alexander Gall
gall@switch.ch
Thu, 10 Jul 2003 11:43:42 +0200
We (SWITCH) are running one of the (still few) 6to4 anycast relays.
Normally, traffic rates are very low (last month's average input was a
little over 200kbps) but there were some spikes of several Mbps in the
past week. On Tuesday and Wednesday, the traffic was enough to
severely disrupt our 7206VXR that serves as relay and terminates some
6bone tunnels as well.
We are currently testing an IOS image with IPv6 netflow support on
that router, so I was able to see what was going on yesterday evening
(17:00 - 18:30 UTC+2). The number of active flows climbed to almost
3000 (from a normal 100-300). This was due to short UDP flows with
random source and destination ports from 2002:3ED3:10C:: to
3FFE:8171:61::11 like these
SrcAddress       InpIf  DstAddress        OutIf  Prot  SrcPrt  DstPrt  Packets
2002:3ED3:10C::  Tu2    3FFE:8171:61::11  Gi4/0  0x11  0x203D  0x8032  150
2002:3ED3:10C::  Tu2    3FFE:8171:61::11  Gi4/0  0x11  0x043D  0x9432  180
2002:3ED3:10C::  Tu2    3FFE:8171:61::11  Gi4/0  0x11  0xAA89  0x8A8E  60
2002:3ED3:10C::  Tu2    3FFE:8171:61::11  Gi4/0  0x11  0xCE89  0xDE8E  160
2002:3ED3:10C::  Tu2    3FFE:8171:61::11  Gi4/0  0x11  0xF289  0x328E  160
Netflow made this easy to spot but the large number of flows is
probably also the main reason why the router performed very badly
during the event :-(
Traffic peaked at 18Mbps before I blocked packets from 62.211.1.12 to
192.88.99.1 at the upstream router.
The source points to
inetnum: 62.211.1.0 - 62.211.1.255
netname: TIN
descr: Telecom Italia S.p.A
descr: E@sy.ip ADSL service OSPF Area 1
descr: Wholesale service for ISP
country: IT
admin-c: BS104-RIPE
tech-c: BS104-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@telecomitalia.it
notify: ripe-staff@telecomitalia.it
mnt-by: TIWS-MNT
changed: net_ti@telecomitalia.it 20020801
source: RIPE
but that may well be spoofed.
The destination resolves to an interesting name (with only a AAAA RR):
rootk.it :-)
I take this as a good sign that IPv6 is finally catching on ;-)
--
Alex
SWITCH-NOC
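
Added example, not part of the original message: the 6to4 source 2002:3ED3:10C:: carries the IPv4 address 62.211.1.12 in bits 16-47, which is why the block at the upstream router was written against that IPv4 address. The sketch below decodes that mapping and groups the flow records quoted in the message to flag a source sending many short UDP flows with a different port pair each time; the function names and the min_flows threshold are assumptions chosen for this small sample.

```python
import ipaddress
from collections import defaultdict

# The flow records quoted in the message (IPv6 NetFlow cache columns).
FLOWS = """\
SrcAddress InpIf DstAddress OutIf Prot SrcPrt DstPrt Packets
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0x203D 0x8032 150
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0x043D 0x9432 180
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0xAA89 0x8A8E 60
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0xCE89 0xDE8E 160
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0xF289 0x328E 160
"""

SIXTOFOUR = ipaddress.ip_network("2002::/16")

def embedded_ipv4(addr):
    """Return the IPv4 address inside a 6to4 (2002::/16) address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTOFOUR:
        return None
    # Bits 16..47 hold the IPv4 address of the sending 6to4 router.
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)

def summarize(text):
    """Group flow lines by (src, dst, protocol); count flows, packets, port pairs."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "ports": set()})
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcAddress":
            continue  # skip the header and anything malformed
        src, _inif, dst, _outif, prot, sport, dport, pkts = f
        s = stats[(src, dst, int(prot, 16))]
        s["flows"] += 1
        s["packets"] += int(pkts)
        s["ports"].add((int(sport, 16), int(dport, 16)))
    return stats

def suspects(stats, min_flows=5):
    """UDP pairs with >= min_flows flows (assumed threshold), all on distinct ports."""
    out = []
    for (src, dst, prot), s in stats.items():
        if prot == 17 and s["flows"] >= min_flows and len(s["ports"]) == s["flows"]:
            v4 = embedded_ipv4(src)
            out.append((src, str(v4) if v4 else None, dst, s["flows"], s["packets"]))
    return out

if __name__ == "__main__":
    for row in suspects(summarize(FLOWS)):
        print(row)
```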