[e2e] 100% NAT - a DoS proof internet
Jon Crowcroft
Jon.Crowcroft at cl.cam.ac.uk
Tue Feb 14 01:34:02 PST 2006
exactly.
linear sequential address space scans are old hat -
but I wasn't proposing an obscurity thing - as per my messages, I was
proposing default OFF from/to everywhere and only ON on a host
pair/time basis.
IPv6 is orthogonal
In missive <43F0C528.70607 at cs.columbia.edu>, "Angelos D. Keromytis" typed:
>>Jeroen Massar wrote:
>>>
>>> If you want to protect against address scans then move to IPv6 :)
>>> (though one infected box and they have the local subnet)
>>
>>Definitely true on the latter, as we point out in a recent paper in
>>USENIX ;login: with Steve Bellovin and Bill Cheswick:
>>
>>http://www1.cs.columbia.edu/~angelos/Papers/2006/ipv6worm.pdf
>>
>>Furthermore, the worm can do a scanning of the DNS space and spread
>>almost as fast as an IPv4 address-scanning worm. For example, see our
>>INFOCOM 2005 paper:
>>
>>http://www1.cs.columbia.edu/~angelos/Papers/2005/dns-worm.pdf
>>
>>Cheers,
>>-Angelos
cheers
jon