On 1/6/2011 10:28 AM, Valdis.Kletnieks@vt.edu wrote:
And the "ZOMG they can overflow the ARP/ND/whatever table" is a total red herring - you know damned well that if a script kiddie with a 10K node botnet wants to hose down your network, you're going to be looking at a DDoS, and it really doesn't matter whether it's SYN packets, or ND traffic, or forged ICMP echo-reply mobygrams.
My personal concern is not the intentional DDoS, but the idiotic side effects of unintentional idiocy. Nachi was nicer than Blaster to the host, but it unintentionally DDoS'd many networks that couldn't handle the load. How many morons will scan a /64 out of curiosity? Even if they get bored after 1-2 hours, the effects of such a scan on the ND table could be catastrophic in the protocol's default behavior. How many virus writers will utilize a hinted scan technique, which could still end up scanning thousands of v6 addresses per /64 and following consecutive /64s which likely are handled by the same router? It is not the intentional that we should fear, but the unintentional. Jack