Re: [OCCAID] IPv6 DDoS (Boston, MA)

[James <james@towardex.com>]

On Mon, Oct 04, 2004 at 02:58:37PM -0400, Scott J. Clifford wrote:
> Looks like it peaked at 32.7Mbps to Boston. Good thing we have diverse peerings
> and diverse geographic network of core routers which distributed the flood.
> 
> With more & more abuse we see in IPv6 world lately I think there is a need for
> more advanced IPv6 stack that can compete with the abuse levels like in IPv4.
> We need things like unicast reverse path forwarding for IPv6, receive path ACL
> for IPv6 and so on and so forth to preemptively protect our routers before they
> become abused.

Scott,

Works are underway for PacketOS project to improve the KAME IPv6 stack such as:

	o Fast Forwarding path for IPv6 (currently using radix, but will move to
	  real fib later)
	o Receive adjacency for IPv6
	o IPFW2 commit for ipv6, etc
	o Unicast Reverse Path Forwarding (uRPF) for IPv6 in IPFW2 patch.
	o IPv6 radix/patrcia table support for IPFW2
	o Fast-path null-routing / blackhole adjacency for IPv6
	o Exceptions processing services for ICMPv6.

The above work are to be done sometime in November or December (for IPv6 APC).
So we probably want to hold off upgrading occaid routers to packetOS until spring
of 2005 if we want these capabilities, which I think we do.

Thanks,
-J

> 
> My two cents... 
> 
> Scott.
> 
> On Sun, Oct 03, 2004 at 08:16:45PM -0400, James wrote:
> > On Sun, Oct 03, 2004 at 08:01:39PM -0400, James wrote:
> > > We're currently experiencing a fairly moderate IPv6 based DDoS destined to
> > > 3ffe:401d:2004::2 out in Boston (currently 15 to 20Mbps). This is rather first
> > > time we are seeing a sophisticated distributed attack.
> > > 
> > > The destination victim address in question has been null-routed temporarily.
> > > Thanks,
> > 
> > The situation is now back under control. Thanks to 30071:666 community bit, it
> > was fairly easy to get the attack locked down at all borders of the network in
> > just a few minutes.
> > 
> > The victim of the attack has been notified appropriately.
> > 
> > Thanks,
> > -J
> > 
> > -- 
> > James Jun                                            TowardEX Technologies, Inc.
> > Technical Lead                        Network Design, Consulting, IT Outsourcing
> > james@towardex.com                  Boston-based Colocation & Bandwidth Services
> > cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
> > _______________________________________________
> > Occaid mailing list
> > Occaid@cnacs.occaid.org
> > http://mailman.twdx.net/mailman/listinfo/occaid
> _______________________________________________
> Occaid mailing list
> Occaid@cnacs.occaid.org
> http://mailman.twdx.net/mailman/listinfo/occaid

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
_______________________________________________
Occaid mailing list
Occaid@cnacs.occaid.org
http://mailman.twdx.net/mailman/listinfo/occaid