nanog mailing list archives
Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
From: Valdis.Kletnieks () vt edu
Date: Tue, 29 Nov 2011 01:43:04 -0500
On Tue, 29 Nov 2011 00:15:02 EST, Jeff Wheeler said:
Owen and I have discussed this in great detail off-list. Nearly every time this topic comes up, he posts in public that neighbor table exhaustion is a non-issue. I thought I'd mention that his plan for handling neighbor table attacks against his networks is whack-a-mole. That's right, wait for customer services to break, then have NOC guys attempt to clear tables, filter traffic, or disable services; and repeat that if the attacker is determined or going after his network rather than one of his downstream customers.
It's worked for us since 1997. We've had bigger problems with IPv4 worms that decided to probe in multicast address space for their next target, causing CPU exhaustion on routers as they try to set up zillions of multicast groups. Sure, it's a consideration. But how many sites are *actually* getting hit with this, compared to all the *other* DDOS stuff that's going on? I'm willing to bet a large pizza with everything but anchovies that out in the *real* world, 50-75 times as many (if not more) sites are getting hit with IPv4 DDoS attacks that they weren't prepared for than are seeing this one particular neighbor table exhaustion attack. Any of the guys with actual DDoS numbers want to weigh in?
Attachment:
_bin
Description:
Current thread:
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?, (continued)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jimmy Hess (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Leo Bicknell (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Dmitry Cherkasov (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Brzozowski, John (Nov 30)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Leo Bicknell (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Ray Soucy (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 28)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Valdis . Kletnieks (Nov 28)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jonathan Lassoff (Nov 28)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Dmitry Cherkasov (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Valdis . Kletnieks (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Owen DeLong (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Jeff Wheeler (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Dmitry Cherkasov (Nov 29)
- Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks? Bill Stewart (Nov 30)