[6bone] DoS attacks through 6to4 anycast relay
Dan Reeder
dan@reeder.name
Thu, 10 Jul 2003 21:26:12 +1000
> I take this as a good sign that IPv6 is finally catching on ;-)
Well yes, but only good as far as using an infrastructure the equivalent of
the late 80s internet combined with all the lusers the new millennium
brings.
I don't understand why some people assumed that using IPv6 would mean no DDoS
attacks. I just hope the v6 internet will survive over the coming years
without too many 'global catastrophes'. As it is I doubt it would take too
much effort at all to bring things to a standstill.
Dan
----- Original Message -----
From: "Alexander Gall" <gall@switch.ch>
To: <6bone@ISI.EDU>
Sent: Thursday, July 10, 2003 7:43 PM
Subject: [6bone] DoS attacks through 6to4 anycast relay
> We (SWITCH) are running one of the (still few) 6to4 anycast relays.
> Normally, traffic rates are very low (last month's average input was a
> little over 200kbps) but there were some spikes of several Mbps in the
> past week. On Tuesday and Wednesday, the traffic was enough to
> severely disrupt our 7206VXR that serves as relay and terminates some
> 6bone tunnels as well.
>
> We are currently testing an IOS image with IPv6 netflow support on
> that router, so I was able to see what was going on yesterday evening
> (17:00 - 18:30 UTC+2). The number of active flows climbed to almost
> 3000 (from a normal 100-300). This was due to short UDP flows with
> random source and destination ports from 2002:3ED3:10C:: to
> 3FFE:8171:61::11 like these
>
> SrcAddress      InpIf DstAddress       OutIf Prot SrcPrt DstPrt Packets
> 2002:3ED3:10C:: Tu2   3FFE:8171:61::11 Gi4/0 0x11 0x203D 0x8032 150
> 2002:3ED3:10C:: Tu2   3FFE:8171:61::11 Gi4/0 0x11 0x043D 0x9432 180
> 2002:3ED3:10C:: Tu2   3FFE:8171:61::11 Gi4/0 0x11 0xAA89 0x8A8E 60
> 2002:3ED3:10C:: Tu2   3FFE:8171:61::11 Gi4/0 0x11 0xCE89 0xDE8E 160
> 2002:3ED3:10C:: Tu2   3FFE:8171:61::11 Gi4/0 0x11 0xF289 0x328E 160
>
> Netflow made this easy to spot but the large number of flows is
> probably also the main reason why the router performed very badly
> during the event :-(
>
> Traffic peaked at 18Mbps before I blocked packets from 62.211.1.12 to
> 192.88.99.1 at the upstream router.
>
> The source points to
>
> inetnum: 62.211.1.0 - 62.211.1.255
> netname: TIN
> descr: Telecom Italia S.p.A
> descr: E@sy.ip ADSL service OSPF Area 1
> descr: Wholesale service for ISP
> country: IT
> admin-c: BS104-RIPE
> tech-c: BS104-RIPE
> status: ASSIGNED PA
> remarks: Please send abuse notification to abuse@telecomitalia.it
> notify: ripe-staff@telecomitalia.it
> mnt-by: TIWS-MNT
> changed: net_ti@telecomitalia.it 20020801
> source: RIPE
>
> but that may well be spoofed.
>
> The destination resolves to an interesting name (with only a AAAA RR):
> rootk.it :-)
>
> I take this as a good sign that IPv6 is finally catching on ;-)
>
> --
> Alex
> SWITCH-NOC
>
>
> _______________________________________________
> 6bone mailing list
> 6bone@mailman.isi.edu
> http://mailman.isi.edu/mailman/listinfo/6bone
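
The link between the NetFlow source 2002:3ED3:10C:: and the IPv4 address 62.211.1.12 blocked upstream is the 6to4 address format, which carries the sender's IPv4 address in the 32 bits after the 2002::/16 prefix. The following is an added example, not part of the original thread: it decodes that address and summarizes the flow records quoted above. The function names and the `min_flows` threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Flow records as quoted in the message above, with wrapped lines rejoined.
FLOWS = """\
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0x203D 0x8032 150
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0x043D 0x9432 180
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0xAA89 0x8A8E 60
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0xCE89 0xDE8E 160
2002:3ED3:10C:: Tu2 3FFE:8171:61::11 Gi4/0 0x11 0xF289 0x328E 160
"""

def embedded_ipv4(addr):
    """Return the IPv4 address in bits 16..47 of a 6to4 address, else None."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def summarize(text):
    """Group flows by (src, dst): flow count, distinct port pairs, packets."""
    stats = defaultdict(lambda: {"flows": 0, "ports": set(), "packets": 0})
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[4].startswith("0x"):
            continue  # skip the column header and damaged lines
        src, _, dst, _, _proto, sport, dport, pkts = f
        s = stats[(src, dst)]
        s["flows"] += 1
        s["ports"].add((int(sport, 16), int(dport, 16)))
        s["packets"] += int(pkts)
    return stats

def upstream_filter_candidates(text, min_flows=5):
    """6to4 sources with many flows that never reuse a port pair.

    min_flows is an assumed threshold. The result names the IPv4 address
    to match on the IPv4 side of the relay, as done at the upstream router.
    """
    out = []
    for (src, dst), s in summarize(text).items():
        v4 = embedded_ipv4(src)
        if v4 and s["flows"] >= min_flows and len(s["ports"]) == s["flows"]:
            out.append((str(v4), dst, s["flows"], s["packets"]))
    return out

if __name__ == "__main__":
    print(upstream_filter_candidates(FLOWS))
```

The decoded address only identifies what the packet claims as its origin; as the original message notes, it may well be spoofed.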