Python Magazine

John Ladasky

From my phone, I
can call any other phone anywhere in the world. But I can't talk
directly to the file server in my neighbor's house across the street?

Hmmm... I've been an advocate of IPv6, but... now you've got me thinking of what Iran's new cadre of hackers might do with it! :^)
 
Roy Smith

John Ladasky said:
Hmmm... I've been an advocate of IPv6, but... now you've got me thinking of
what Iran's new cadre of hackers might do with it! :^)

You (like many people) are confusing universal addressability with
universal connectivity. The converse of that is people confusing NAT
with security.

Of course not every IPv6 endpoint will be able to talk to every other
IPv6 endpoint, even if they both have globally unique addresses. But,
the access controls will be implemented in firewalls with appropriately
coded security policies. Not as an accident of being behind a NAT box.
 
Chris Angelico

You (like many people) are confusing universal addressability with
universal connectivity. The converse of that is people confusing NAT
with security.

Of course not every IPv6 endpoint will be able to talk to every other
IPv6 endpoint, even if they both have globally unique addresses. But,
the access controls will be implemented in firewalls with appropriately
coded security policies. Not as an accident of being behind a NAT box.

To be more specific: The control of who can talk to whom is in the
hands of the admins of the two endpoints and the nodes in between,
rather than being arbitrarily in the hands of the technology. So I
would be able to talk to the file server across the street, but only
IF its admin lets me.

ChrisA
 
John Ladasky

A perfectly fair point, Roy. It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do. So, my mind leaped to the possibility of uninvited connections.

Related question: would denial-of-service attacks be more pernicious without a NAT?
 
Mark Lawrence

To be more specific: The control of who can talk to whom is in the
hands of the admins of the two endpoints and the nodes in between,
rather than being arbitrarily in the hands of the technology. So I
would be able to talk to the file server across the street, but only
IF its admin lets me.

ChrisA

By such means as leaving the top level admin password set to the factory
default? :)
 
Roy Smith

John Ladasky said:
A perfectly fair point, Roy. It's just when you started suggesting
connecting to your neighbor's file server -- well, that's not something that
many people would ordinarily do. So, my mind leaped to the possibility of
uninvited connections.

Related question: would denial-of-service attacks be more pernicious without
a NAT?

Not really. If I know the external IP address of your NAT box, I can
throw as much traffic at it as your internet connection will deliver.
Assuming you have sufficient bandwidth, eventually I'll melt down your
router. This is equally true with NAT or without it.
 
Chris Angelico

A perfectly fair point, Roy. It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do. So, my mind leaped to the possibility of uninvited connections.

Related question: would denial-of-service attacks be more pernicious without a NAT?

Not sure what you mean. If we assume that network topology doesn't
change, then what we have is a single uplink (say, an ADSL connection,
given that most home users don't have luxuries) going to a router
(let's be generous here and say that's a Linux box with two NICs, and
you have a smart admin in charge of it), behind which is a set of
switches and computers making up a LAN of peers. On IPv4, the LAN
would operate on one of the RFC 1918 address blocks - say, 192.168.0.x
- and all external communication would be through one single IP
address - 203.0.113.47 will do for the purposes of discussion.

As far as other hosts on the internet are concerned, that entire
network is one single host, with address 203.0.113.47. It's unaware of
the three computers 192.168.0.4, .0.87, and .0.92; they merge into
one. This means they share the 65536 ports, they share entries on
blacklists, etc, etc.

With IPv6, that ADSL connection would come with a /64 block - say,
2001:db8:142:857::/64. Within that block, each computer would be
assigned a single address - perhaps 2001:db8:142:857::4,
2001:db8:142:857::87, and 2001:db8:142:857::92, or perhaps they'd be
assigned them by their MAC addresses eg
2001:db8:142:857:200:5eff:fe00:531a, which can be done automatically.
Now all your computers (including the router) are individually
addressable; they can be identified separately, or treated as a group
(the /64 representing the whole group). Their ports, blacklist
entries, etc, are all unique. This means you can run three servers on
port 80, etc.

The question now is: What sort of DOS attack are you fearing? If it's
a simple matter of saturating the connection, it makes absolutely no
difference. As Roy said, that's just a question of overloading. If I
command more bandwidth than you do, I can saturate you. Easy. (Very
easy if I have a botnet, for instance.) Harder to judge are the
amplifying attacks; a half-open-connection attack, for instance,
attacks a TCP server's RAM allocation. It's possible that some attacks
will be easier or harder with NAT than without, but you'd have to
evaluate a specific attack technique.

ChrisA
 
Steven D'Aprano

Of course not every IPv6 endpoint will be able to talk to every other
IPv6 endpoint, even if they both have globally unique addresses. But,
the access controls will be implemented in firewalls with appropriately
coded security policies.

Or, more likely, *not* implemented in firewalls with *inappropriately*
coded security policies.
 
Carlos Nepomuceno

----------------------------------------
Date: Sat, 25 May 2013 20:04:28 -0700
Subject: Re: Python Magazine
From: (e-mail address removed)
To: (e-mail address removed)

A perfectly fair point, Roy. It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do. So, my mind leaped to the possibility of uninvited connections.

Related question: would denial-of-service attacks be more pernicious without a NAT?

I don't think so.

IP blocking is still a very common mitigation approach to DDoS, but it may cause denial of service to legitimate clients who share the same blocked public IP address used by the malicious clients. So, NAPT will still benefit DDoS attackers, at least temporarily (until the IP is unblocked).
 
Steven D'Aprano

To be more specific: The control of who can talk to whom is in the hands
of the admins of the two endpoints and the nodes in between, rather than
being arbitrarily in the hands of the technology. So I would be able to
talk to the file server across the street, but only IF its admin lets
me.

Or when (not if) you find a vulnerability in the particular firewall.
Make no mistake: the most secure entry point is the one that isn't there.
 
Chris Angelico

----------------------------------------

I don't think so.

IP blocking is still a very common mitigation approach to DDoS, but it may cause denial of service to legitimate clients who share the same blocked public IP address used by the malicious clients. So, NAPT will still benefit DDoS attackers, at least temporarily (until the IP is unblocked).

I expect that IP blocks will be upgraded to /64 block blocks, if that
starts being a problem. But it often won't, and specific IP address
blocks will still be the norm.

ChrisA
 
Chris Angelico

Or when (not if) you find a vulnerability in the particular firewall.
Make no mistake: the most secure entry point is the one that isn't there.

Packets have to get somewhere. If they come into this computer, it has
to deliberately forward them to that computer or they won't get there.
Same thing. All it takes is

# ip6tables -P FORWARD DROP

and you have a "secure unless I specifically permit it" router.
Obviously an attacker can target the router itself (which is exactly
the same as current situation), but can't attack anything beyond it
without an explicit forwarding rule (which is also exactly the same).

ChrisA
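The "secure unless I specifically permit it" router described in this post, as an added Python example (not code from the thread or from the ip6tables project): a small model of a FORWARD chain whose policy is DROP, with two explicit ACCEPT rules and a flow table so that replies to admitted traffic pass. The addresses reuse the documentation /64 from the discussion; the outsider address, the host names, and the `Packet`, `Rule` and `ForwardChain` classes are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the /64 from the discussion plus one outside host.
LAN = "2001:db8:142:857::/64"
DESKTOP = "2001:db8:142:857::4"
FILESERVER = "2001:db8:142:857::92"   # the one host that deliberately publishes a service
OUTSIDER = "2001:db8:ffff::1"         # arbitrary remote address, constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """An ACCEPT rule in the FORWARD chain; None fields match anything."""
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    proto: Optional[str]
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class ForwardChain:
    """Toy model of a router's FORWARD chain: a default policy, an ordered
    list of ACCEPT rules, and a flow table so that replies to admitted
    traffic pass (the ESTABLISHED idiom of stateful firewalls)."""

    def __init__(self, policy: str = "DROP"):
        self.policy = policy
        self.rules = []
        self.flows = set()

    def accept(self, src="::/0", dst="::/0", proto=None, dport=None):
        self.rules.append(Rule(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               proto, dport))

    def verdict(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reply_to = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reply_to in self.flows:
            return "ACCEPT"              # return traffic of an admitted flow
        for rule in self.rules:
            if rule.matches(pkt):
                self.flows.add(flow)
                return "ACCEPT"
        return self.policy               # nothing matched: the chain policy applies


def build_router() -> ForwardChain:
    """Equivalent of `ip6tables -P FORWARD DROP` plus two explicit exceptions."""
    fw = ForwardChain(policy="DROP")
    fw.accept(src=LAN)                                  # LAN hosts may initiate outbound
    fw.accept(dst=FILESERVER, proto="tcp", dport=443)   # the only published service
    return fw


def run_scenarios() -> dict:
    """Verdicts for a handful of constructed packets crossing the router."""
    fw = build_router()
    return {
        "outsider_to_fileserver_443": fw.verdict(Packet(OUTSIDER, FILESERVER, "tcp", 40001, 443)),
        "fileserver_reply":           fw.verdict(Packet(FILESERVER, OUTSIDER, "tcp", 443, 40001)),
        "outsider_to_fileserver_22":  fw.verdict(Packet(OUTSIDER, FILESERVER, "tcp", 40002, 22)),
        "outsider_to_desktop_443":    fw.verdict(Packet(OUTSIDER, DESKTOP, "tcp", 40003, 443)),
        "desktop_outbound_80":        fw.verdict(Packet(DESKTOP, OUTSIDER, "tcp", 50000, 80)),
        "reply_to_desktop":           fw.verdict(Packet(OUTSIDER, DESKTOP, "tcp", 80, 50000)),
        "forged_reply_to_desktop":    fw.verdict(Packet(OUTSIDER, DESKTOP, "tcp", 80, 50001)),
    }


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:30s} {v}")
```

Only the published service on the file server and replies to LAN-initiated flows get through; everything else aimed at hosts behind the router hits the DROP policy. As the post says, this governs transit traffic only: packets addressed to the router itself go through its INPUT chain, which needs its own policy.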
 
Carlos Nepomuceno

----------------------------------------
Date: Sun, 26 May 2013 14:31:57 +1000
Subject: Re: Python Magazine
From: (e-mail address removed)
To: (e-mail address removed) [...]
I expect that IP blocks will be upgraded to /64 block blocks, if that
starts being a problem. But it often won't, and specific IP address
blocks will still be the norm.

ChrisA


Blocking a whole network (/65) is totally undesirable and may even become illegal.

Currently it may not only happen at the target of the DDoS attack, but be spread all over the internet where block lists are enforced.

I don't expect that to happen and if it happens I'm surely in favor of protection against this type of 'solution' because it will block not only malicious clients but potentially many other legitimate clients.
 
Chris Angelico

----------------------------------------
Date: Sun, 26 May 2013 14:31:57 +1000
Subject: Re: Python Magazine
From: (e-mail address removed)
To: (e-mail address removed) [...]
I expect that IP blocks will be upgraded to /64 block blocks, if that
starts being a problem. But it often won't, and specific IP address
blocks will still be the norm.

ChrisA


Blocking a whole network (/65) is totally undesirable and may even become illegal.

Blocking a /64 is exactly the same as blocking a /32 with NAT behind
it. And how could it be illegal? I provide service to those I choose
to provide to.
Currently it may not only happen at the target of the DDoS attack, but be spread all over the internet where block lists are enforced.

I don't expect that to happen and if it happens I'm surely in favor of protection against this type of 'solution' because it will block not only malicious clients but potentially many other legitimate clients.

Banning a wide netblock is of course going to lock out legit clients.
But IP rotation means that can happen anyway. You block a single IPv4
address that right now represents an abusive user; that user
disconnects and reconnects, gets a new IP, and someone else gets the
other one. Can happen all too easily. That's why IP-banning is at best
a temporary solution anyway.

ChrisA
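Chris's earlier description of three hosts merging into one public IPv4 address versus holding separate addresses inside a /64, and the blocklist collateral point argued in this exchange, as an added Python example (not code from anyone in the thread) built on the standard `ipaddress` module. The NAT address 203.0.113.47 and the 2001:db8:142:857::/64 prefix are the documentation values from the discussion; the host names and the `Blocklist` class are this example's own constructions.

```python
import ipaddress

# Constructed LAN from the discussion: three hosts behind a NAT router that
# owns a single public IPv4 address, and the same three hosts each holding
# an address inside the router's IPv6 /64 (documentation prefixes, not real).
NAT_PUBLIC_V4 = ipaddress.ip_address("203.0.113.47")
PREFIX_V6 = ipaddress.ip_network("2001:db8:142:857::/64")
LAN_V6 = {
    "desktop": ipaddress.ip_address("2001:db8:142:857::4"),
    "laptop": ipaddress.ip_address("2001:db8:142:857::87"),
    "fileserver": ipaddress.ip_address("2001:db8:142:857::92"),
}
HOSTS = sorted(LAN_V6)


def source_seen_by_server(host, family):
    """Source address a remote server observes for a given LAN host.

    With IPv4 NAT every host collapses to the router's public address;
    with IPv6 each host is individually addressable.
    """
    if family == 4:
        return NAT_PUBLIC_V4
    return LAN_V6[host]


def exposable_listeners(family, port):
    """Number of distinct (address, port) listeners the LAN can publish on `port`.

    Under NAT the public (address, port) pair can be forwarded to only one
    internal host, so three web servers cannot all be reached on port 80.
    """
    return len({(source_seen_by_server(h, family), port) for h in HOSTS})


class Blocklist:
    """Minimal prefix-based blocklist: entries are networks; a bare address
    is stored as a /32 or /128."""

    def __init__(self):
        self.entries = []

    def block(self, addr_or_net):
        self.entries.append(ipaddress.ip_network(str(addr_or_net), strict=False))

    def is_blocked(self, addr):
        addr = ipaddress.ip_address(str(addr))
        return any(addr in net for net in self.entries)


def collateral_damage(blocklist, family):
    """LAN hosts a server would reject if it enforced `blocklist`, by family."""
    return [h for h in HOSTS
            if blocklist.is_blocked(source_seen_by_server(h, family))]


def compare_granularities(abusive_host="laptop"):
    """Block the abusive host as a server sees it under three regimes:
    IPv4 NAT (one public address), IPv6 per-host, IPv6 per-/64."""
    v4 = Blocklist()
    v4.block(source_seen_by_server(abusive_host, 4))
    v6_host = Blocklist()
    v6_host.block(source_seen_by_server(abusive_host, 6))
    v6_prefix = Blocklist()
    v6_prefix.block(PREFIX_V6)
    return {
        "ipv4_nat": collateral_damage(v4, 4),
        "ipv6_host": collateral_damage(v6_host, 6),
        "ipv6_64": collateral_damage(v6_prefix, 6),
    }


if __name__ == "__main__":
    print("port-80 listeners reachable from outside, IPv4 NAT:", exposable_listeners(4, 80))
    print("port-80 listeners reachable from outside, IPv6:", exposable_listeners(6, 80))
    for regime, hosts in compare_granularities().items():
        print(f"{regime}: blocked hosts = {hosts}")
```

The per-host IPv6 block catches only the abusive machine, while blocking the NAT address and blocking the whole /64 take out all three hosts alike, which is the equivalence Chris draws between a /64 ban and a /32 ban with NAT behind it. What the model cannot show is his rotation point: once addresses are reassigned, even a single-address entry can land on the wrong client, which is why such entries should expire rather than persist.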
 
Carlos Nepomuceno

----------------------------------------
Date: Fri, 31 May 2013 04:11:06 -0700
Subject: Re: Python Magazine
From: (e-mail address removed)
To: (e-mail address removed)

Hello all,
Was busy with work. Finally finished the job of registering the domain name.
Will be live soon. The url is http://pythonmagazine.org. Hope we will be live soon.
Regards,
DRJ.

Nice! Wish you luck!

Do you have sponsors? Advertisers? What's the plan?
 
88888 Dihedral

Steven D'Aprano wrote on Sunday, 26 May 2013 at 11:50:31 UTC+8:
Or, more likely, *not* implemented in firewalls with *inappropriately*
coded security policies.

Well, both the reliable tcpip socket and the unstable udp socket
are supported in Python.

Also the html and xml part is supported for the direct web page content analysis through port 80.

I am not sure whether Steven is interested in
the web applications.
 
DRJ Reddy

Nice! Wish you luck!

Do you have sponsors? Advertisers? What's the plan?
Thanks Carlos,
Right now we haven't engaged with sponsors or advertisers. Thinking whether to have a community magazine or go the same way as previous ones, with some sort of commercialization.
 
Carlos Nepomuceno

Date: Wed, 5 Jun 2013 00:37:53 -0700
Subject: Re: Python Magazine
From: (e-mail address removed) [...]
Do you have sponsors? Advertisers? What's the plan?
Thanks Carlos,
Right now we haven't engaged with sponsors or advertisers. Thinking whether to have a community magazine or go the same way as previous ones, with some sort of commercialization.

Do you have other magazines? Which ones? How are you going to supply contents?
 
DRJ Reddy

Do you have other magazines? Which ones? How are you going to supply contents?

We don't have other magazines. I was referring to the old Python magazines, which have terminated now. Portable documents (PDF, EPUB or MOBI) are being planned for now.
Regards,
DRJ.
 
