attack
... vulnerability of sites to ICMPv6-based attacks. The most common way
of doing this is to establish strict filtering policies in site
...
... Denial-of-Service Attacks ...
...
A major security consideration is preventing attackers from probing
the site to determine the topology and identify hosts ...
... topology and identify hosts that might be
vulnerable to attack. Carefully crafted but, often, malformed
messages can be used to provoke ICMPv6 responses from hosts ...
... ICMPv6 responses from hosts thereby
informing attackers of potential targets for future attacks.
...
... informing attackers of potential targets for future attacks.
However, the very large address space of IPv6 ...
... Redirection Attacks ...
...
A redirection attack could be used by a malicious sender to perform
man-in-the-middle attacks ...
... attack could be used by a malicious sender to perform
man-in-the-middle attacks or divert packets either to a malicious
monitor or to cause DoS by blackholing the packets. These attacks ...
... man-in-the-middle attacks or divert packets either to a malicious
monitor or to cause DoS by blackholing the packets. These attacks
would normally have to be carried out locally on a link using the
...
... Renumbering Attacks ...
... authenticated with
IPsec, so that it is difficult to carry out such attacks in practice,
they should not be allowed through a site boundary firewall. On the
...
... error
message, the packet can be dropped. This provides a partial defense
against some possible attacks on TCP that use spoofed ICMPv6 error
messages, but the checks can also be carried out at the destination ...
... ICMPv6 error
messages, but the checks can also be carried out at the destination.
For further information on these attacks see [ICMP-ATTACKS].
...
... administrators may
wish to configure rules that would drop these packets for insurance
and as a means of monitoring for attacks. Also, the specifications
of ICMPv6 messages intended for use only on the local link ...
... Echo Request messages in firewalls to minimize the
risk of scanning attacks on the protected network. As discussed in
Section 3.2, the risks from port ...
... a small risk that such messages could be used to provide a covert
channel or form part of a DoS attack. Administrators of end sites
should be aware of this and determine whether they wish to allow
...
... a small risk that such messages could be used to provide a covert
channel or form part of a DoS attack. Administrators should be aware
of this and determine whether they wish to allow these messages to be
...
... error messages in all cases and these outgoing messages are allowed
through firewalls, the attacker may be able to identify active
addresses ...
... vulnerability in a well-designed IPv6 network because of the
difficulties of performing scanning attacks (see Section 3.2).
...
... IPv6 nodes on the site will not be possible if these messages are
blocked. It is not thought that there is a significant risk from
scanning attacks on a well-designed IPv6 network (see Section 3.2),
and so connectivity checks should be allowed by default.
...
... IPsec
authentication since they could be readily misused by attackers to
disrupt or divert site communications. Renumbering messages should
generally be confined to sites for this reason.
...
