On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote:

> On 24/01/2011 22:41, Michael Loftis wrote:
>> On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy <r...@maine.edu> wrote:
>>
>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>> networks. I don't think this will be a common or wide-spread problem.
>>> The general feeling is that there is simply too much address space
>>> for it to be done in any reasonable amount of time, and there is
>>> almost nothing to be gained from it.
>>
>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>> By repetitively sweeping a target's /64 you can cause EVERYTHING in
>> that /64 to stop working by overflowing the ND/ND cache, depending on
>> the specific ND cache implementation and how big it is/etc. Routers
>> can also act as amplifiers too, DDoSing every host within a multicast
>> ND directed solicitation group (and THAT is even assuming a correctly
>> functioning switch that's limiting the multicast travel)
I love this term... "repetitively sweeping a target's /64". Seriously? Repetitively sweeping a /64?

Let's do the math...

2^64 = 18,446,744,073,709,551,616 IP addresses.

Let's assume that few networks would not be DoS'd by a 1,000 PPS storm coming in, so that's a reasonable cap on our scan rate. That means sweeping a /64 takes 18,446,744,073,709,551 sec. (rounded down).

There are 86,400 seconds per day. 18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.

Rounding a year down to 365 days, that's 584,942,417 years to sweep the /64 once.

If we increase our scan rate to 1,000,000 packets per second, it still takes us 584,942 years to sweep a /64.

I don't know about you, but I do not expect to live long enough to sweep a /64, let alone do so repetitively.

Owen
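As an added illustration (not part of the thread, and not anyone's code from the list), the following Python reproduces Owen's arithmetic with exact integers and generalises it to any prefix length and packet rate, so the same "how long would a full sweep take?" question can be answered for a /56, a /48, or a faster link. The rounding-down at each step (seconds, then days, then 365-day years) follows Owen's method so his figures come out identically; the prefix lengths and packet rates in the table are assumptions chosen for illustration.

```python
# Exact-integer sweep-time calculator for an IPv6 prefix.
# Added example; reproduces the arithmetic from Owen's reply and
# generalises it over prefix length and scan rate (assumed values).

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365          # Owen rounds a year down to 365 days


def address_count(prefix_len: int) -> int:
    """Number of addresses in an IPv6 prefix of the given length."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    return 2 ** (128 - prefix_len)


def sweep_time(prefix_len: int, pps: int) -> dict:
    """Time to send one probe to every address, one packet per address.

    Floors at each stage (seconds -> days -> years), exactly as the
    original post does, so the /64 figures match Owen's numbers.
    """
    if pps <= 0:
        raise ValueError("packet rate must be positive")
    seconds = address_count(prefix_len) // pps
    days = seconds // SECONDS_PER_DAY
    years = days // DAYS_PER_YEAR
    return {"addresses": address_count(prefix_len),
            "seconds": seconds, "days": days, "years": years}


def sweep_table(prefix_lens=(64, 56, 48), rates=(1_000, 1_000_000)) -> list:
    """Rows of (prefix_len, pps, years) for a quick comparison."""
    return [(p, r, sweep_time(p, r)["years"])
            for p in prefix_lens for r in rates]


if __name__ == "__main__":
    # The two cases from the post: a /64 at 1,000 pps and at 1,000,000 pps.
    for rate in (1_000, 1_000_000):
        t = sweep_time(64, rate)
        print(f"/64 at {rate:>9,} pps: {t['seconds']:,} s = "
              f"{t['days']:,} days = {t['years']:,} years")
    # Assumed wider prefixes, for comparison (not from the thread).
    for prefix, rate, years in sweep_table():
        print(f"/{prefix} at {rate:>9,} pps: {years:,} years")
```

The point the numbers make is a defensive one: a full enumeration of a /64 is not a realistic threat in itself, so the ND-cache concern raised earlier in the thread hinges on how the cache behaves under a trickle of unsolicited destinations, not on any attacker finishing a sweep.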