[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))



On Mon, Jul 11, 2011 at 8:17 PM, Karl Auer <kauer at biplane.com.au> wrote:
> RFC3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats
>
> ? In this attack, the attacking node begins fabricating addresses with
> ? the subnet prefix and continuously sending packets to them. ?The last
> ? hop router is obligated to resolve these addresses by sending
> ? neighbor solicitation packets. ?A legitimate host attempting to enter
> ? the network may not be able to obtain Neighbor Discovery service from
> ? the last hop router as it will be already busy with sending other
> ? solicitations.

Hi Karl,

My off-the-cuff naive solution to this problem would be to discard the
oldest incomplete solicitation to fit the new one and, upon receiving
an apparently unsolicited response to a discarded solicitation,
restart the process flagging that particular query non-discardable.

That would be an implementation change, not a protocol change.

I would expect to occasionally lose a packet due to the discard while
the router was under attack with the accordingly minimal impact. I
would also expect to see a multicast flood on the LAN of about the
same data rate as the inbound attack packets.

Where does this naive approach break down?


On Fri, Jul 15, 2011 at 12:13 AM, Fernando Gont <fernando at gont.com.ar> wrote:
> On 07/15/2011 12:24 AM, Jimmy Hess wrote:
>> A similarly hazardous situation exists with IPv4,  and it is basically
>> unheard of  for IPv4's Layer 2/ARP security weaknesses to be exploited
>> to create a DoS condition, even though they can be (very easily),
>
> IMO, the situation is different, in that the typical IPv4 subnet size
> eliminate some of the attack vectors.

Hi Fernando,

Not at a practical level. The reason it's unheard of for IPv4 is that
if you're a hacker with an ability to generate arbitrary packets on a
LAN, DOSing the adjacent router by overwhelming its ARP cache is one
of the least interesting things you can do... and one of the easiest
to get busted at.

It isn't necessary (or possible) to solve every conceivable *local*
DOS attack. And frankly remote saturation-bomb attacks are out of
bounds too. The concern Karl presented was that it was possible to
remotely disable an IPv6 LAN with tailored traffic much less than that
network's inbound capacity. Solve that issue with IPv6 ND and we're
done.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com? bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004