= Сообщение: 5274 из 7402 ============================================= IPV6 = От : Janne Johansson 2:221/6 19 Mar 18 18:46:28 Кому : Markus Reschke 19 Mar 18 18:46:28 Тема : OpenBSD and SLAAC FGHI : area://IPV6?msgid=2:221/6+5aafe95c На : area://IPV6?msgid=2:240/1661+5aa9647d = Кодировка сообщения определена как: UTF-8 ================================== ============================================================================== On 2018-03-19 14:53, Markus Reschke : Janne Johansson wrote: > Hello Janne!
> The ND exhaustion attack would be only possible for a directly connected > network, e.g. a LAN. A xfer network for a link between routers isn't > affected because ND should only accept local packets. Anyway, there are > several solutions to limit/mitigate the problem for a LAN router.
In the examples I saw, they just nmap'ed the range of a link network and caused issues on routers when it's ndp/arp cache got filled with tons of entries waiting to see if they could be resolved (which they couldn't since no entity was there) and where you as an attacker could figure out which network to attack just using traceroutes.
In that case, moving to a /120 (ie like a /24 in IPv4 terms) meant there could be at most 256 entries to scan on that interface and it would easily be accomodated in the router neighbor caches while still having lots of room for whatever you need on that link.
--- * Origin: nntp://news.fidonet.fi - Lake Ylo - Finland (2:221/6)
