[6bone] DoS attacks through 6to4 anycast relay

Dan Reeder dan@reeder.name
Thu, 10 Jul 2003 21:26:12 +1000 

> I take this as a good sign that IPv6 is finally catching on ;-)

Well yes, but only good as far as using an infrastructure the equivilant of
the late 80s internet combined with all the lusers the new millennium
brings.

I dont understand why some people assumed that using ipv6 would mean no ddos
attacks. I just hope the v6 internet will survive over the coming years
without too many 'global catastrophes'. As it is I doubt it would take too
much effort at all to bring things to a standstill.

Dan


----- Original Message ----- 
From: "Alexander Gall" <gall@switch.ch>
To: <6bone@ISI.EDU>
Sent: Thursday, July 10, 2003 7:43 PM
Subject: [6bone] DoS attacks through 6to4 anycast relay


> We (SWITCH) are running one of the (still few) 6to4 anycast relays.
> Normally, traffic rates are very low (last month's average input was a
> little over 200kbps) but there were some spikes of several Mbps in the
> past week.  On Tuesday and Wednesday, the traffic was enough to
> severely disrupt our 7206VXR that serves as relay and terminates some
> 6bone tunnels as well.
>
> We are currently testing an IOS image with IPv6 netflow support on
> that router, so I was able to see what was going on yesterday evening
> (17:00 - 18:30 UTC+2).  The number of active flows climbed to almost
> 3000 (from a normal 100-300).  This was due to short UDP flows with
> random source and destination ports from 2002:3ED3:10C:: to
> 3FFE:8171:61::11 like these
>
> SrcAddress        InpIf    DstAddress       OutIf    Prot SrcPrt DstPrt
Packets
> 2002:3ED3:10C::   Tu2      3FFE:8171:61::11 Gi4/0    0x11 0x203D 0x8032
150
> 2002:3ED3:10C::   Tu2      3FFE:8171:61::11 Gi4/0    0x11 0x043D 0x9432
180
> 2002:3ED3:10C::   Tu2      3FFE:8171:61::11 Gi4/0    0x11 0xAA89 0x8A8E 60
> 2002:3ED3:10C::   Tu2      3FFE:8171:61::11 Gi4/0    0x11 0xCE89 0xDE8E
160
> 2002:3ED3:10C::   Tu2      3FFE:8171:61::11 Gi4/0    0x11 0xF289 0x328E
160
>
> Netflow made this easy to spot but the large number of flows is
> probably also the main reason why the router performed very badly
> during the event :-(
>
> Traffic peaked at 18Mbps before I blocked packets from 62.211.1.12 to
> 192.88.99.1 at the upstream router.
>
> The source points to
>
> inetnum:      62.211.1.0 - 62.211.1.255
> netname:      TIN
> descr:        Telecom Italia S.p.A
> descr:        E@sy.ip ADSL service OSPF Area 1
> descr:        Wholesale service for ISP
> country:      IT
> admin-c:      BS104-RIPE
> tech-c:       BS104-RIPE
> status:       ASSIGNED PA
> remarks:      Please send abuse notification to abuse@telecomitalia.it
> notify:       ripe-staff@telecomitalia.it
> mnt-by:       TIWS-MNT
> changed:      net_ti@telecomitalia.it 20020801
> source:       RIPE
>
> but that may well be spoofed.
>
> The destination resloves to an interesting name (with only a AAAA RR):
> rootk.it :-)
>
> I take this as a good sign that IPv6 is finally catching on ;-)
>
> --
> Alex
> SWITCH-NOC
>
>
> _______________________________________________
> 6bone mailing list
> 6bone@mailman.isi.edu
> http://mailman.isi.edu/mailman/listinfo/6bone