Question

Is it possible to create a DoS attack in IPv6 by using ICMP packet too big messages?

So for instance, say you want to deny access to somewhere by somehow spoofing an ICMP packet too big message, and set the size to 68 octets (the minimum for IPv4), to throttle any traffic that a particular node receives. Would this kind of attack be possible?

In RFC 1981 it says

A node MUST NOT reduce its estimate of the Path MTU below the IPv6 minimum link MTU. Note: A node may receive a Packet Too Big message reporting a next-hop MTU that is less than the IPv6 minimum link MTU. In that case, the node is not required to reduce the size of subsequent packets sent on the path to less than the IPv6 minimum link MTU, but rather must include a Fragment header in those packets [IPv6-SPEC].

So this case in RFC 1981 would normally only occur in the case that there's an IPv6-IPv4 translation where an IPv4 node would have an MTU smaller than 1280. If my understanding is correct however, if there's an IPv6-IPv4 tunnel along the path, we can significantly slow down the traffic since the IPv6-IPv4 node would fragment it.

However, this didn't quite make sense to me since IPv6 doesn't allow fragmentation.


Solution

Yes, that's possible. But you'll find that people have thought about it before, so it's not as easy as you might think. You'll generally need to impersonate a router close to the victim, and an ingress filter will prevent you from doing that. There are a few more hurdles.

But you can attack other hosts on your ethernet.
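How a receiving host can apply the RFC 1981 rule quoted in the question, so that a reported MTU of 68 cannot push the Path MTU below 1280 (an added example, not code from the original post; `PathState`, `build_ptb` and `handle_packet_too_big` are hypothetical names, and the check that the quoted packet belongs to a tracked flow is an assumed extra validation step):

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280        # IPv6 minimum link MTU
ICMPV6_PACKET_TOO_BIG = 2  # ICMPv6 type of a Packet Too Big (PTB) message

class PathState:
    """Per-destination Path MTU state (hypothetical structure)."""
    def __init__(self, pmtu=1500):
        self.pmtu = pmtu
        self.add_fragment_header = False

def build_ptb(mtu, inner_src, inner_dst):
    """Constructed sample: PTB header plus the IPv6 header of the invoking packet."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + inner_src.packed + inner_dst.packed
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner

def handle_packet_too_big(icmp, local_addr, paths):
    """Apply one PTB message to the PMTU table and return the decision taken.
    The ICMPv6 checksum is assumed to have been verified already."""
    if len(icmp) < 8 + 40:
        return "ignored: truncated"
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG:
        return "ignored: not packet too big"
    inner = icmp[8:]
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    # The quoted packet must be one this node sent to a destination it tracks.
    if src != local_addr or dst not in paths:
        return "ignored: no matching flow"
    state = paths[dst]
    # A PTB message never raises the estimate.
    if mtu >= state.pmtu:
        return "ignored: not a reduction"
    if mtu < IPV6_MIN_MTU:
        # RFC 1981: do not go below 1280; add a Fragment header instead.
        state.pmtu = IPV6_MIN_MTU
        state.add_fragment_header = True
        return "clamped to minimum"
    state.pmtu = mtu
    return "reduced"
```
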

Licensed under: CC-BY-SA with attribution