New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
NDP exhaustion attacks
I've been writing some code recently to help allocate /64s of v6 to end users as part of a project that I'm cooking up, as part of this I've been worried about the implications of NDP exhaustion attacks. This has been re-affirmed recently with a discussion with an upstream.
Has anyone here suffered an attack of this nature? Even a /64 offers a large enough surface exposure to crap out current gen L3 devices.
Obviously SLAAC is not possible with anything smaller; however is it really needed by end users? Is it better to reserve the /64 but actually allocate a smaller subnet within in it for end users?
Looking to hopefully generate some discussion on this for people with more experience than I on the matter.
Comments
I don't have an answer, but I'm interested in the question
IPv6, security, and IoT is an interesting mix. I'm sure we will read more stories about zombie fridges being the BOTnet of the near future.
It is your customer who gave their personal details to you, has an account with you, having paid money to you.
1) With all that do you really expect an "attack" to routinely come at you from them?
2) What is the problem in detecting incoming NDP flood from a customer port, linking that to the service and user account, then terminating the said service and account within minutes?