Carlo Wood wrote:

> Would the same problem(s) exist if access was possible through IPv6?

Access is currently possible through IPv6! So, yes? Since it is now accessible through IPv6 and the botnet is using IPv6 in the attack, it is definitely possible.

> Not suggesting that this is a practical solution, I am just wondering
> if this kind of DDOS attacks still work with IPv6.

These attacks most certainly do operate over IPv6. However, as with the adoption rate we are all familiar with, most of the botnet is currently IPv4. But there are IPv6 elements in it too, at a so far insignificant volume.

> While IPv6 was developed, I shared my experience as developer of the
> (undernet) IRC protocol (enhancements) that the only way to stop this
> kind of attack is to allow the one that is attacked to filter the
> source of the attacks at the first router that the attacker doesn't
> control.

DDOS attacks can be so powerful that they will overwhelm any single system. If one of the big DDOS agents wants to take a single system offline, then pointing a big DDOS at it will take any single system offline. I say it this way because the commercial mitigations all focus on scaling out to multiple systems, using CDN content distribution networks, geographically distributed systems, and blocking the attack upstream as far as possible.

> For example, a machine at 1.1.1.1 is hacked and sends packets
> to the router of its ISP, which routes them to backbone A, which routes
> them to backbone B, which sends them to the victim at 2.2.2.2. The
> victim then sends a special packet to B saying that it wants to no
> longer receive anything from 1.1.1.1; since B is not directly connected
> to 1.1.1.1, it forwards that packet to A, which forwards it to the
> router of the ISP, which implements the filter and stops forwarding any
> packets from 1.1.1.1 that are meant for 2.2.2.2. This way the internet
> (backbones A and B) is not even flooded anymore.

Such a thing may be possible among cooperating backbone vendors. And we have had good luck reporting malicious machines to commercial hosting providers. But I am not aware of such a usual path to do this. If you know how to do this, I would love to hear more about it!

> If the flood is a problem for the ISP's router, they are motivated
> to unplug 1.1.1.1 completely until they fixed their computer (from
> the botnet hack). As a result, flooding never has any effect
> anymore, so that nobody has the incentive to even try it; which in
> turn means that this filtering isn't necessary and therefore won't
> take resources. It just has to be there.

This sounds great! I have a still growing list of 2.5 million addresses currently, but I suspect we will hit 4 million before things conclude. How can I access this most wonderful functionality?

> I never heard back from the committee, and to this day I don't know if
> IPv6 did implement this "filter at the source" possibility, or if they
> f*-ed up and missed the opportunity to get rid of ddos attacks when
> IPv6 was first rolled out.

Wait... Is this something that actually exists? Or is this just a proposal? I am unaware of any such functionality. That doesn't mean anything as I am far from any authority on IPv6. If you know how to do this though, I would be very interested in learning how to perform this type of blocking.

Bob
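The thread above contrasts the ideal of filtering at the first router the attacker does not control with what a victim can actually do today: build a block list from the observed sources and load it at their own edge. The following is an added example for this thread, not code from the mailing list or from either poster. It assumes a plain text file with one attacker address per line (Bob mentions a list of 2.5 million), and it shows two ways to shrink such a list before it goes into a router ACL or host firewall: an exact collapse that blocks nothing that was not listed, and a summarisation to /24 and /64 once a prefix holds enough attackers, which knowingly accepts collateral in exchange for far fewer rules. The prefix lengths, the threshold, the nftables set names and the sample addresses are all assumptions made here, not values from the thread.

```python
"""Summarise a list of attacking source addresses into a compact block list.

Added example for the thread above, not code from the list or from either
poster. Assumes one attacker address per line in a text file and an
operator who wants something small enough for a router ACL or firewall set.
"""
import ipaddress
from collections import Counter

# Constructed sample input standing in for the attacker list: a handful of
# IPv4 and IPv6 sources plus the comment and junk lines a real file has.
SAMPLE_LIST = """\
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.0
10.9.8.7
10.9.8.9
10.9.8.200
# comment line
not-an-address
2001:db8:1::5
2001:db8:1::6
2001:db8:2::1
"""


def _net_key(net):
    # Sort key that works across address families (mixed comparison raises).
    return (net.version, int(net.network_address), net.prefixlen)


def parse_addresses(text):
    """Return the distinct, valid addresses in text, sorted by family then value."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            seen.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip junk rather than abort a multi-million-line load
    return sorted(seen, key=lambda a: (a.version, int(a)))


def exact_collapse(addresses):
    """Merge exact neighbours only (1.1.1.0-1.1.1.3 -> 1.1.1.0/30).

    Nothing that was not listed gets blocked. collapse_addresses refuses
    mixed families, so each family is collapsed on its own.
    """
    nets = []
    for version in (4, 6):
        same = [a for a in addresses if a.version == version]
        nets.extend(ipaddress.collapse_addresses(same))
    return sorted(nets, key=_net_key)


def summarize_by_prefix(addresses, v4_prefix=24, v6_prefix=64, threshold=3):
    """Block a whole prefix once it holds at least `threshold` distinct attackers.

    This trades collateral (unlisted neighbours inside that prefix) for a
    much shorter rule set. Prefix lengths and threshold are assumed policy
    values for this example, not figures from the thread.
    """
    counts = Counter()
    for a in addresses:
        plen = v4_prefix if a.version == 4 else v6_prefix
        counts[ipaddress.ip_network(f"{a}/{plen}", strict=False)] += 1
    coarse = [net for net, n in counts.items() if n >= threshold]
    leftover = [a for a in addresses if not any(a in net for net in coarse)]
    return sorted(coarse + exact_collapse(leftover), key=_net_key)


def render_nft(networks, table="inet filter"):
    """Render the networks as an nftables table that drops matching sources."""
    def set_block(name, family, elems):
        body = f"        type {family}\n        flags interval\n"
        if elems:  # an empty "elements = { }" is a syntax error in nft
            body += "        elements = { " + ", ".join(elems) + " }\n"
        return f"    set {name} {{\n{body}    }}\n"
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    return (
        f"table {table} {{\n"
        + set_block("ddos_v4", "ipv4_addr", v4)
        + set_block("ddos_v6", "ipv6_addr", v6)
        + "    chain input {\n"
        + "        type filter hook input priority 0; policy accept;\n"
        + "        ip saddr @ddos_v4 drop\n"
        + "        ip6 saddr @ddos_v6 drop\n"
        + "    }\n}\n"
    )


if __name__ == "__main__":
    addrs = parse_addresses(SAMPLE_LIST)
    print(f"{len(addrs)} addresses -> {len(exact_collapse(addrs))} exact prefixes, "
          f"{len(summarize_by_prefix(addrs))} after /24 and /64 summarisation")
    print(render_nft(summarize_by_prefix(addrs)))
```

On the sample list the exact collapse turns ten addresses into seven prefixes, and the threshold summarisation into five; on a real multi-million entry list the second step is what makes the difference between a set a router can hold and one it cannot. The rendered table is plain `nft -f` input for a host; for a router ACL the same networks can be emitted in whatever syntax that platform takes. Either way this only relieves the victim's own link, which is exactly the limitation Bob describes: it does nothing for the flood upstream.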