DDoS Challenges in IPv6 environment
1 like318 views
This document discusses challenges and solutions related to detecting and mitigating DDoS attacks in IPv6 environments. It provides an overview of common attack vectors in IPv6, such as protocol floods, fragmentation attacks, and spoofing. It also addresses issues with using existing monitoring tools in IPv6 networks and proposes protocols like Netflow v9, IPFIX, and sFlow v5 for exporting IPv6 traffic metadata. Specific challenges involving BGP, blackholing, traffic engineering and fastnetmon tool support for IPv6 are examined along with potential solutions.
DDoS Challenges in IPv6 environment
- 2. 2 I’m Pavel Odintsov, the author of open source DDoS detection tool, FastNetMon: https://github.com/pavel-odintsov/fastnetmon Ways to contact me: ● linkedin.com/in/podintsov ● github.com/pavel-odintsov ● twitter.com/odintsov_pavel ● IRC, FreeNode, pavel_odintsov ● pavel.odintsov@gmail.com
- 5. 5 ● Protocol flood (UDP, ICMP, GRE, TCP). Just keep the protocol field static. ● Fragmentation attack (just set fragment flags: DF, MF and Fragment Offset). ● Spoofing attack type (just randomize source IP) ● Options flood (just add more options) ● Empty packet flood (set length to 0) ● TTL expiration attack (very low or even zero TTL) ● ToS flood, just set random values here
- 6. 6 Image from https://www.lifewire.com/tcp-headers-and-udp-headers-explained-817970
- 7. 7 ● Source port flood (including zero port) ● Destination port flood (including zero port) ● TCP Sequence flood ● TCP Ack field flood ● TCP Flag flood (TCP, ACK) ● TCP Window size flood (including 0)
- 8. 8 ● TCP flag flood (i.e. SYN, ACK flood) ● UDP flood ● GRE flood ● UDP amplification (DNS, NTP, SSDP, SNMP) ● Fragmentation attack ● Spoofed source attacks
- 12. ⬥ Telemetry about IPv6 ⬥ BGP for IPv6 ⬥ Blackhole RFC 7999 for IPv6 ⬥ Traffic engineering for IPv6 12
- 13. ⬥ Netflow v5, no fields for IPv6 addresses ⬥ No ways to send Netflow, IPFIX, sFlow v5 to IPv6 only collector 13
- 14. ⬥ Netflow v9, IPFIX, sFlow v5 14
- 15. ⬥ MPReach instead of old good NLRI for IPv4 ⬥ BGP Daemon implementation 15
- 16. 16
- 17. ⬥ Only /128 support ⬥ No support ⬥ Non RFC community number, please use RFC7999 17
- 18. ⬥ Diversion can be implemented on customer basis ⬥ Ability to localise customer for RTBH purposes ⬥ Anycast is affordable 18
- 19. 19
- 20. 20 ⬥ Complete IPv6 support for mirror, Netflow and IPFIX modes ⬥ Added logic to ban / unban IPv6 hosts manually via API and fastnetmon_api_client ⬥ Added logic to announce / withdraw announces about IPv6 hosts
- 21. 21
- 22. 22 ⬥ wget https://raw.githubusercontent.com/pavel-odints ov/fastnetmon/master/src/fastnetmon_install.pl -Ofastnetmon_install.pl ⬥ sudo perl fastnetmon_install.pl
- 23. ANY QUESTIONS? You can find me at: ⬥ @odintsov_pavel ⬥ pavel.odintsov@gmail.com ⬥ linkedin.com/in/podintsov 23