[6bone] DoS attacks through 6to4 anycast relay

Alexander Gall gall@switch.ch
10 Jul 2003 19:49:57 +0200


On Thu, 10 Jul 2003 17:20:54 +0200, Pim van Pelt <pim@ipng.nl> said:

> If I announce 2002::/16 however, I attract other peoples'
> 2002:<v4prefix>:: traffic, which I would then have to forward back via
> IPv4, possibly using an IP uplink. I cannot filter this traffic, because
> people can not steer which 2002::/16 announcer their traffic will go to
> that easily. I cannot announce a more specific into the IPv6 DFZ,
> although I'd REALLY like to announce '2002:213.136.0.0::/35'. I am
> aware of the problems in doing so however.

All networks with global IPv6 connectivity should simply provide a
6to4 router that handles all traffic to 2002::/16 from their
customers.  In the best case, 2002::/16 would not need to be in the
global routing table at all.

I don't know how widespread this practice already is, but at least the
amount of traffic we attract with our own announcement of 2002::/16 is
just a small fraction of that coming in on the anycast address, i.e. a
few kbps.

> Bottom line: I have not pursued this any further. If the community is
> interested, I can easily be persuaded to proceed with a relay
> deployment from AS12859 (nl.bit).

It is clear that this kind of transit will not work forever.  I
believe that it will no longer be necessary by the time when things
start to cost real money.

--
Alex
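The address arithmetic behind the exchange above, as an added example that is not part of the original thread: a relay that announces 2002::/16 receives IPv6 packets for other people's 2002:<v4prefix>:: space and must tunnel them over IPv4 to the address embedded in bits 16..47 of the destination; a /35 under 2002::/16 corresponds to an IPv4 /19. The checks a relay operator would want before doing so (refusing to tunnel into private, loopback or multicast IPv4 space, and accepting decapsulated traffic only when the inner 6to4 source matches the outer IPv4 source) follow RFC 3964; the exact martian list, the prefix 213.136.0.0/19 and the sample addresses below are constructed for this example and are not from the post or from AS12859.

```python
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges a relay must never tunnel to (in the spirit of RFC 3964);
# the exact list is an assumption for this example, not an exhaustive one.
MARTIANS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def embedded_ipv4(addr6: str) -> ipaddress.IPv4Address:
    """Bits 16..47 of a 2002::/16 address are the 6to4 router's IPv4 address."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIX_TO_FOUR:
        raise ValueError(f"{addr6} is not a 6to4 address")
    return ipaddress.IPv4Address(a.packed[2:6])


def ipv4_prefix_to_6to4(net4: str) -> ipaddress.IPv6Network:
    """The 6to4 prefix an IPv4 prefix maps to: 2002: + v4 bits, length 16 + v4 length."""
    n = ipaddress.IPv4Network(net4)
    addr = ipaddress.IPv6Address(b"\x20\x02" + n.network_address.packed + bytes(10))
    return ipaddress.IPv6Network((addr, 16 + n.prefixlen))


def is_martian(addr4: ipaddress.IPv4Address) -> bool:
    return any(addr4 in net for net in MARTIANS)


def relay_encapsulate(dst6: str) -> Optional[str]:
    """Forwarding decision for an IPv6 packet that reached a relay announcing 2002::/16.

    Returns the IPv4 tunnel endpoint to send it to, or None when the packet
    is not 6to4 (belongs on the native IPv6 table) or must be dropped.
    """
    a = ipaddress.IPv6Address(dst6)
    if a not in SIX_TO_FOUR:
        return None
    v4 = embedded_ipv4(dst6)
    if is_martian(v4):
        return None  # refuse to tunnel into private/loopback/multicast space
    return str(v4)


def relay_decapsulate_ok(outer_src4: str, inner_src6: str) -> bool:
    """Check on a protocol-41 packet arriving over IPv4 at the relay.

    The inner IPv6 source must be a 2002:: address whose embedded IPv4
    address equals the outer IPv4 source; anything else is a spoof or a
    misconfiguration and is dropped.
    """
    try:
        return embedded_ipv4(inner_src6) == ipaddress.IPv4Address(outer_src4)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print(ipv4_prefix_to_6to4("213.136.0.0/19"))        # 2002:d588::/35
    print(relay_encapsulate("2002:c000:201::1"))        # 192.0.2.1
    print(relay_encapsulate("2002:a00:1::1"))           # None (RFC 1918 inside)
    print(relay_decapsulate_ok("192.0.2.1", "2002:c000:201::1"))      # True
    print(relay_decapsulate_ok("198.51.100.7", "2002:c000:201::1"))   # False
```

The decision functions return values rather than acting on a socket so they can be dropped into a packet filter or tested in isolation; `relay_encapsulate` returning None for a non-6to4 destination mirrors the point in the post that 2002::/16 need not be in the global table at all when every network runs its own 6to4 router.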