IPv6 Flaw Could Greatly Amplify DDoS Attacks
tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"
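An added example, not part of the original story or The Register article: a defender-side check that walks an IPv6 packet's extension-header chain and reports a Type 0 Routing Header so the packet can be logged or dropped. The sample packet built by the hypothetical `build_sample` helper and its 2001:db8:: documentation addresses are constructed.

```python
import ipaddress
import struct

# IPv6 Next Header values for the extension headers walked here.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def find_rh0(packet):
    """Return (segments_left, [hop addresses]) if the packet carries a
    Type 0 Routing Header, else None. Raises ValueError if truncated."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[offset], packet[offset + 1]
        # Fragment header is a fixed 8 bytes; the others are (ext_len + 1) * 8.
        size = 8 if next_header == FRAGMENT else (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING and packet[offset + 2] == 0:
            segments_left = packet[offset + 3]
            # Skip type/length fields and 4 reserved bytes, then read
            # the 16-byte addresses the sender wants the packet routed via.
            body = bytes(packet[offset + 8:offset + size])
            hops = [str(ipaddress.IPv6Address(body[i:i + 16]))
                    for i in range(0, len(body) - 15, 16)]
            return segments_left, hops
        next_header, offset = following, offset + size
    return None

def build_sample(hops):
    """Constructed test packet: IPv6 header + RH0 + empty 8-byte UDP header."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    rh0 = bytes([17, 2 * len(hops), 0, len(hops)]) + b"\x00" * 4
    rh0 += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    payload = rh0 + b"\x00" * 8
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 64)
    return fixed + src + dst + payload

if __name__ == "__main__":
    # Constructed hop list that bounces between two routers.
    sample = build_sample(["2001:db8:a::1", "2001:db8:b::1", "2001:db8:a::1"])
    print(find_rh0(sample))
```

A hop list that repeats the same addresses, as in the constructed sample, is the pattern a filter or IDS rule would want to surface.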
Re:NOT COOL. (Score:3, Insightful)
Seriously though, Estonia? Raise your hand if you know where that is. The only reason I ever recognize that is because I just finished a European History class where we had to memorize the current map of Europe, I'm sure if you asked me last year (or next year
And why a $300 machine? If it can be done with Linux couldn't a greedy Estonian purchase some really cheap parts and build a $100 machine then install Linux on it? Or do all computers in Estonia cost $300 min?
Comment removed (Score:3, Insightful)
The IETF screwed the pooch on this one (Score:5, Insightful)
However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".
In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).
Re:Who gives a $%##? (Score:3, Insightful)
Re:Who gives a $%##? (Score:4, Insightful)
Re:How many people use IPv6 (Score:3, Insightful)
Re:Who gives a $%##? (Score:2, Insightful)
The Japanese? (Score:5, Insightful)
What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.
There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.
Re:NOT COOL. (Score:3, Insightful)
I know where Estonia is.
I, like a significant percentage of my fellow citizens, do not support Bush, his administration, nor the neo-con obsession with war-as-a-solution-to-everything.
You sound like a bigot and I resent your smug stereotyping of Americans.
Comment removed (Score:4, Insightful)
Re:NOT COOL. (Score:4, Insightful)
You're right. I'm sorry.
Re:NOT COOL. (Score:4, Insightful)
Quick! Find Liechtenstein on a map. How about San Marino? No cheating with Google Maps.
There are a lot of countries and even more cultures within countries. Nobody can be expected to know all of them. While many Americans should be ashamed of not being able to find Iraq on a map, plenty of other countries play a much smaller role in world politics and nobody should blame anyone for not knowing about them.
Re:Better idea (Score:3, Insightful)
Re:The IETF screwed the pooch on this one (Score:5, Insightful)
Re:NOT COOL. (Score:3, Insightful)
Is that why they all but wiped out many of those tribes you just mentioned?
Well how's that working out for ya?
BTW, if you can show me a link to a world map showing the locations of all those tribes you mentioned I'd appreciate it - but in the meantime, the subject was COUNTRIES.
As for the rest of it, most of the rest of the world learn things about other countries and call it general knowledge. We don't regard our own particular neck of the woods as the be all and end all of everything that's important.
There was a reason Team America always showed the distance from each foreign place to the US ...
Intended or not... (Score:3, Insightful)
Whether or not it was intended, NAT *is* a security mechanism. Obviously not the best or the prettiest, but to say it provides no additional security is just ignorant.
The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.
Side effect or not, it provides additional security no matter how you look at it. From a purist's point of view, it certainly does break the peer to peer model of the internet. But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.
Re:Intended or not... (Score:3, Insightful)
But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.
Hardly, it breaks peer to peer apps, DCC, AIM file transfers, etc. You have to manually configure it to allow those ports, and only one computer on the inside network can use those services at any time.