Would the same problem(s) exist if access was possible through IPv6? Not suggesting that this is a practical solution, I am just wondering if this kind of DDOS attack still works with IPv6.

While IPv6 was developed, I shared my experience as developer of the (undernet) IRC protocol (enhancements) that the only way to stop this kind of attack is to allow the one that is attacked to filter the source of the attacks at the first router that the attacker doesn't control.

For example, a machine at 1.1.1.1 is hacked and sends packets to the router of its ISP, which routes them to backbone A, which routes them to backbone B, which sends them to the victim at 2.2.2.2. The victim then sends a special packet to B saying that it wants to no longer receive anything from 1.1.1.1; since B is not directly connected to 1.1.1.1, it forwards that packet to A, which forwards it to the router of the ISP which implements the filter and stops forwarding any packets from 1.1.1.1 that are meant for 2.2.2.2.

This way the internet (backbones A and B) is not even flooded anymore. If the flood is a problem for the ISP's router - they are motivated to unplug 1.1.1.1 completely until they fixed their computer (from the botnet hack).

As a result, flooding never has any effect anymore, so that nobody has the incentive to even try it; which in turn means that this filtering isn't necessary and therefore won't take resources. It just has to be there.

I never heard back from the committee, and to this day I don't know if IPv6 did implement this "filter at the source" possibility, or if they f*-ed up and missed the opportunity to get rid of ddos attacks when IPv6 was first rolled out.

Carlo

On Mon, 20 Jan 2025 15:54:01 -0700 Bob Proulx <b...@proulx.com> wrote:

> Savannah Users,
>
> GIT's CGIT
> ==========
>
> Since Friday our site has been under the strain of a massive botnet
> DDOS attack against our git /cgit/ web UI interface and the svn
> /viewvc/ web UI interface.