[j-nsp] IPv6 Routing Headers
Kevin Day
toasty at dragondata.com
Mon Apr 23 18:43:35 EDT 2007
There was a recent presentation ( http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf ) on how IPv6 routing headers can be used
as a DDoS tool - essentially you could take an entire 1280 byte
packet and fill it with routing headers specifying that a packet
should keep bouncing back and forth between two hosts. They were able
to take 4 Mbps of upload bandwidth from one host, and cause two
routers to consume 150 Mbps of bandwidth bouncing a packet back and
forth. It gets worse with larger MTUs. :)
Is there anything like "set chassis no-source-route" but for IPv6
that will tell the router to ignore routing headers in IPv6 packets?
I know the firewall can match on packets with "from next-header
routing-header", but it looks like some hosts are generating them to
force their next-hop to be changed. I don't care if packets come in
with them, I just want our routers to ignore them.
Any ideas?
-- Kevin
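As an added example that is not part of the original post or of any Juniper tooling: a small Python inspector that walks an IPv6 packet's next-header chain, reports each Routing Header (next header 43) it finds, decodes the address list of a Type 0 header, and flags the bounce pattern described above (the same address appearing more than once in the list). The packet layouts follow RFC 2460 (IPv6 base header and extension headers) and RFC 4302 (AH length field); the packets it examines are constructed in memory for testing, and the classification labels (`clean`, `rh-present`, `rh0-loop`) are this example's own convention.

```python
"""Inspect an IPv6 packet's extension-header chain for Routing Headers.

Added example, not from the j-nsp thread. Useful for checking a capture
offline or for verifying what a filter let through; all packets here are
constructed in memory, nothing is sent.
"""
import struct
import ipaddress

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DST_OPTS = 0, 43, 44, 51, 60
NH_ICMPV6 = 58


def parse_ipv6_header(packet: bytes):
    """Return (next_header, src, dst, payload) for a raw IPv6 packet."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_header, _hop_limit = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    payload = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    if len(payload) < payload_len:
        raise ValueError("payload shorter than Payload Length field")
    return next_header, src, dst, payload


def routing_headers(packet: bytes):
    """Walk the extension-header chain and return every Routing Header found.

    Each entry: {"type": int, "segments_left": int, "addresses": [IPv6Address]}.
    Addresses are decoded only for Type 0 (RFC 2460 layout).
    """
    nh, _src, _dst, payload = parse_ipv6_header(packet)
    off, found = 0, []
    while True:
        if nh in (NH_HOP_BY_HOP, NH_ROUTING, NH_DST_OPTS):
            if off + 2 > len(payload):
                raise ValueError("truncated extension header")
            # Hdr Ext Len is in 8-octet units, not counting the first 8 octets.
            ext_len = (payload[off + 1] + 1) * 8
            ext = payload[off:off + ext_len]
            if len(ext) < ext_len:
                raise ValueError("extension header runs past end of packet")
            if nh == NH_ROUTING:
                rtype, seg_left = ext[2], ext[3]
                addrs = []
                if rtype == 0:
                    # Type 0: 4 reserved octets, then a list of 16-octet addresses.
                    body = ext[8:]
                    addrs = [ipaddress.IPv6Address(body[i:i + 16])
                             for i in range(0, len(body) - len(body) % 16, 16)]
                found.append({"type": rtype, "segments_left": seg_left,
                              "addresses": addrs})
            nh, off = ext[0], off + ext_len
        elif nh == NH_FRAGMENT:
            nh, off = payload[off], off + 8          # fixed 8-octet header
        elif nh == NH_AH:
            # AH Payload Len is in 4-octet units, minus 2 (RFC 4302).
            nh, off = payload[off], off + (payload[off + 1] + 2) * 4
        else:
            return found                               # upper-layer header reached


def assess(packet: bytes) -> str:
    """'clean' (no RH), 'rh0-loop' (Type 0 RH whose address list repeats an
    address, i.e. the ping-pong pattern), or 'rh-present' (any other RH)."""
    rhs = routing_headers(packet)
    if not rhs:
        return "clean"
    for rh in rhs:
        addrs = rh["addresses"]
        if rh["type"] == 0 and rh["segments_left"] > 0 and len(set(addrs)) < len(addrs):
            return "rh0-loop"
    return "rh-present"


def build_test_packet(src: str, dst: str, hops, rtype: int = 0) -> bytes:
    """Constructed test input (not a live packet): IPv6 header, optionally a
    Routing Header of type `rtype` listing `hops`, then 8 octets of dummy
    upper-layer payload marked as ICMPv6."""
    if hops is None:
        payload, first_nh = b"\x00" * 8, NH_ICMPV6
    else:
        addr_blob = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
        # Hdr Ext Len for an address list is 2 per address (16 octets each).
        rh = struct.pack("!BBBB", NH_ICMPV6, len(hops) * 2, rtype, len(hops))
        payload, first_nh = rh + b"\x00" * 4 + addr_blob + b"\x00" * 8, NH_ROUTING
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


if __name__ == "__main__":
    loop = build_test_packet("2001:db8::a", "2001:db8::1",
                             ["2001:db8::1", "2001:db8::2"] * 2)
    print(assess(loop), routing_headers(loop)[0]["segments_left"])
```

This inspects packets after the fact; it is not a substitute for the router-side knob asked about above, but it does let you confirm whether a given filter actually stopped the Type 0 headers or only counted them.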