Re: [Hampshire] DDoS survival strategies

Author: Ian Grody
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] DDoS survival strategies

On Monday 05 September 2011 17:51:47 Andy Smith wrote:
> Hi Benjie,
>
> On Mon, Sep 05, 2011 at 05:24:51PM +0100, Benjie Gillam wrote:
> > One thing to mention with IPv6 is that the namespace is /FAR/ larger than
> > IPv4 (10^29 times as big, roughly), so internet wide scans will no
> > longer be feasible based solely on incrementing IP addresses (they could
> > filter it down by only the assigned IP addresses though, but that's
> > still a pretty large namespace). [At 1 American trillion (10^12)
> > addresses per second it would take ~10^19 years to scan the entire
> > namespace, vs just 72 minutes for IPv4.]
>
> You still have to publish addresses of hosts in the DNS and places
> like that. I don't believe scanning will die out with IPv6, it will
> just need to be more focused.

Indeed it will, although there are already techniques using Neighbour
Discovery and other tricks of the trade to find active IP6 hosts within a
scope.

>
> Cheers,
> Andy

Once an attacker has an IP, or even a route on which to send traffic in the hope
it will be sent to your network, the same applies in IPv6. (If you get a /27
from your ISP on IP4 and only use the first 4 IPs, traffic sent to any of the
other unused ones will still be sent down your line.)

Bombarding the unused IPs with traffic still floods your connection, whether or
not something is responding to it. Most routers will send host-unreachable in
this situation, causing upload saturation too.

IPv6 does make it easier to "hide" hosts, but this is merely security through
obscurity. You get a /64 of IPv6; you have several million places to hide a
server, and any random person at the other end of the globe will spend a long
time looking for it. The same can be said of IP4, just by not using standard
ports on things that don't essentially need them.

DDoS will always be a problem; the only way it could be thwarted is smart
design of border routers etc. that know the bandwidth of set routes so as to
reduce traffic flow before it reaches the destination. This of course introduces
additional problems in cases of "spike" traffic flows etc.

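One defensive response to the host-unreachable point raised above, added here as an example and not code from anyone in the thread: derive the unused sub-blocks of an allocation from the hosts actually in use and emit Linux iproute2 `blackhole` routes for them, so the border router drops stray traffic silently instead of answering every packet with ICMP unreachable. The prefixes and host addresses are constructed sample values; this only removes the router's outbound replies and ARP/ND work, it does not stop the inbound flood from consuming the downstream link.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def unused_blocks(prefix: str, used_hosts: Iterable[str]) -> List[Net]:
    """Return the CIDR blocks of `prefix` that contain none of `used_hosts`.

    Works for IPv4 and IPv6 alike and never enumerates the prefix, so a /64
    is handled exactly like a /27: each used host is carved out of whichever
    free block still contains it with address_exclude().
    """
    allocation = ipaddress.ip_network(prefix)
    free: List[Net] = [allocation]
    for host in used_hosts:
        host_net = ipaddress.ip_network(host)  # bare address -> /32 or /128
        if host_net.version != allocation.version or not host_net.subnet_of(allocation):
            raise ValueError(f"{host} is not inside {prefix}")
        remaining: List[Net] = []
        for block in free:
            if host_net.subnet_of(block):
                # Split the block around the host; an equal block yields nothing.
                remaining.extend(block.address_exclude(host_net))
            else:
                remaining.append(block)
        free = remaining
    # Merge any adjacent blocks and return them in address order.
    return list(ipaddress.collapse_addresses(free))


def blackhole_commands(prefix: str, used_hosts: Iterable[str]) -> List[str]:
    """iproute2 commands that drop traffic to the unused blocks without ICMP.

    A 'blackhole' route discards silently (route type 'unreachable' would
    answer with ICMP instead), and because every block is more specific than
    the connected route for the whole prefix it wins the longest-match lookup.
    Re-run this whenever a new host is brought up inside the prefix.
    """
    commands = []
    for block in unused_blocks(prefix, used_hosts):
        family = "-6" if block.version == 6 else "-4"
        commands.append(f"ip {family} route add blackhole {block.with_prefixlen}")
    return commands


if __name__ == "__main__":
    # Constructed sample: a /27 from the ISP with only the first four hosts in use.
    for line in blackhole_commands("192.0.2.0/27", ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]):
        print(line)
```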