[Yeti DNS Discuss] ipv6 root name service discussed (gih blog)

Otmar Lendl ol at bofh.priv.at
Mon Dec 12 10:05:33 UTC 2016

On 12.12.2016 10:23, Paul Vixie wrote:
> the state-retention cost's attack vector is the same as for TCP SYN
> flooding, where a packet with a spoofed IP source address can cause the
> victim to store too much information (too many TCP PCB's, in the SYN
> flood case; or too many fragmentation-necessary routing elements, in the
> ICMPv6 PTB case). the management of such overload could lead to crashes,
> or being unable to add new state for valid (non-attack)
> fragmentation-eligible flows, or causing high rates of LRU purges such
> that valid (non-attack) state is removed too soon to have the desired
> effect on the valid (non-attack) flows.

In the TCP case, the incoming ICMPv6 PTBs can be sanity-checked.

In the UDP case, it's not that simple. Check if the source port is still
an assigned port? That's pretty thin, and in the case of a DNS server
trivially true.

A quick search on this issue found surprisingly little. One is this
thread on the ietf ipv6 list:
The referenced rfc5927 seems to focus on forged PTBs on the TCP
implementation, and not on the number of routing elements.

Also https://tools.ietf.org/html/draft-ietf-6man-rfc1981bis-03 in its
Security Considerations is only focusing on degrading a single flow.

Who takes this concern to those authors? IMHO they should discuss this
in rfc1981bis.

-=-  Otmar Lendl  --  ol at bofh.priv.at  --  http://lendl.priv.at/  -=-
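To make the TCP-versus-UDP asymmetry in the thread concrete, here is an added example (not code from the thread, Yeti, or any stack it discusses) that parses an ICMPv6 Packet Too Big message, applies the connection-state checks available for TCP (the quoted 4-tuple must match a live connection and the quoted sequence number must fall inside the send window, the kind of validation RFC 5927 discusses), and shows that for UDP the only check left is whether the quoted source port is bound. A bounded LRU PMTU cache stands in for the "fragmentation-necessary routing elements" state; the `udp_churn` helper shows how PTBs that pass the weak UDP check for many distinct destinations evict legitimate entries. The addresses, ports, and window values are constructed for illustration, and the checksum fields are left zero.

```python
import struct
from collections import OrderedDict
from ipaddress import IPv6Address

ICMPV6_PACKET_TOO_BIG = 2   # ICMPv6 type (RFC 4443)
IPV6_MIN_MTU = 1280         # a PTB announcing less than this is invalid
PROTO_TCP, PROTO_UDP = 6, 17


class PMTUCache:
    """Bounded per-destination PMTU table with LRU eviction: this is the state a
    spoofed-PTB flood inflates or churns."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.evictions = 0

    def update(self, dst, mtu):
        if dst in self.entries:
            self.entries.move_to_end(dst)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # drop least recently used entry
            self.evictions += 1
        self.entries[dst] = mtu


def _ptb(mtu, src, dst, proto, transport):
    # ICMPv6 PTB header (type, code, checksum, MTU) + quoted IPv6 header + 8 transport bytes
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, len(transport), proto, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed)
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + ipv6 + transport


def tcp_ptb(mtu, src, dst, sport, dport, seq):
    """Constructed sample: PTB quoting a TCP segment we supposedly sent."""
    return _ptb(mtu, src, dst, PROTO_TCP, struct.pack("!HHI", sport, dport, seq))


def udp_ptb(mtu, src, dst, sport, dport):
    """Constructed sample: PTB quoting a UDP datagram we supposedly sent."""
    return _ptb(mtu, src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def parse_ptb(msg):
    """Return (mtu, src, dst, next_header, first 8 transport bytes), or None if malformed."""
    if len(msg) < 8 + 40 + 8:
        return None
    icmp_type, code, _csum, mtu = struct.unpack_from("!BBHI", msg, 0)
    if icmp_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    hdr = msg[8:48]                      # quoted original IPv6 header
    if hdr[0] >> 4 != 6:
        return None
    src, dst = str(IPv6Address(hdr[8:24])), str(IPv6Address(hdr[24:40]))
    return mtu, src, dst, hdr[6], msg[48:56]


def validate_ptb(msg, local_addr, tcp_conns, udp_ports):
    """Decide whether to honour a PTB.  tcp_conns maps
    (local, lport, remote, rport) -> (snd_una, snd_nxt); udp_ports is the set
    of locally bound UDP ports.  Returns (accept, reason)."""
    parsed = parse_ptb(msg)
    if parsed is None:
        return False, "malformed"
    mtu, src, dst, proto, transport = parsed
    if mtu < IPV6_MIN_MTU:
        return False, "mtu below IPv6 minimum"
    if src != local_addr:
        return False, "quoted packet was not sent by us"
    if proto == PROTO_TCP:
        sport, dport, seq = struct.unpack("!HHI", transport)
        conn = tcp_conns.get((src, sport, dst, dport))
        if conn is None:
            return False, "no matching TCP connection"
        snd_una, snd_nxt = conn
        # modular compare so that sequence-number wraparound is handled
        if ((seq - snd_una) & 0xFFFFFFFF) >= ((snd_nxt - snd_una) & 0xFFFFFFFF):
            return False, "quoted sequence number outside send window"
        return True, "tcp: connection and window match"
    if proto == PROTO_UDP:
        sport, _dport, _len, _csum = struct.unpack("!HHHH", transport)
        if sport not in udp_ports:
            return False, "no socket bound to quoted UDP port"
        return True, "udp: only source port checked"
    return False, "unsupported transport"


def udp_churn(local_addr, udp_ports, capacity, n_spoofed):
    """Run n_spoofed PTBs for distinct constructed destinations, all quoting a
    bound UDP port, through a cache of the given size.  Returns (accepted,
    evictions): every one passes the UDP check, so the cache churns."""
    cache = PMTUCache(capacity)
    accepted = 0
    for i in range(1, n_spoofed + 1):
        msg = udp_ptb(1400, local_addr, f"2001:db8:ffff::{i:x}", 53, 40000)
        ok, _ = validate_ptb(msg, local_addr, {}, udp_ports)
        if ok:
            accepted += 1
            mtu, _, dst, _, _ = parse_ptb(msg)
            cache.update(dst, mtu)
    return accepted, cache.evictions
```

For a DNS server listening on UDP/53 the port test is, as the post says, trivially true, so the only remaining defences are the ones the thread is asking rfc1981bis to address: an upper bound on the PMTU table, eviction policy, and rate limiting of accepted PTBs per destination.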
