nanog mailing list archives

Re: Failure modes: NAT vs SPI


From: Owen DeLong <owen () delong com>
Date: Thu, 10 Feb 2011 12:52:08 -0800


On Feb 10, 2011, at 7:53 AM, Lamar Owen wrote:

>> On Monday, February 07, 2011 04:33:23 am Owen DeLong wrote:
>> 1.   Scanning even an entire /64 at 1,000 pps will take 18,446,744,073,709,551 seconds
>>      which is 213,503,982,334 days or 584,542,000 years.
>>
>>      I would posit that since most networks cannot absorb a 1,000 pps attack even without
>>      the deleterious effect of incomplete ND on the router, no network has yet had even
>>      a complete /64 scanned. IPv6 simply hasn't been around that long.
>
> Sounds like a job for a 600 million node botnet.  You don't think this hasn't already crossed botnet ops minds?

The point is that you DOS the network on traffic before you can usefully scan it.

A 600 million node botnet scanning a /64 on a gigabit ethernet can still only successfully
inject ~1,000,000 PPS or less. Even if we assume a 1,000,000 pps success rate, you've
only reduced the scan time to 584,542 years.

Even if you're somehow able to get 600 million nodes to successfully inject
1,000,000,000 packets per second (an unachievable number in any
present day technology) you still need 584 years to scan a single /64 subnet.

Owen


