[j-nsp] IPv6 Routing Headers

Kevin Day toasty at dragondata.com
Mon Apr 23 18:43:35 EDT 2007

There was a recent presentation ( http://www.secdev.org/conf/ 
IPv6_RH_security-csw07.pdf ) on how IPv6 routing headers can be used  
as a DDOS tool - essentially you could take an entire 1280 byte  
packet and fill it with routing headers  specifying that a packet  
should keep bouncing back and forth between two hosts. They were able  
to take 4mbps of upload bandwidth from one host, and cause two  
routers to consume 150mbps of bandwidth bouncing a packet back and  
forth. It gets worse with larger MTUs. :)

Is there anything like "set chassis no-source-route" but for IPv6  
that will tell the router to ignore routing headers in IPv6 packets?  
I know the firewall can match on packets with "from next-header  
routing-header", but it looks like some hosts are generating them to  
force their next-hop to be changed. I don't care if packets come in  
with them, I just want our routers to ignore them.

Any ideas?

-- Kevin

More information about the juniper-nsp mailing list