There has been quite a bit of discussion recently about DDoS and IPv6. While IPv6 networks share many (or most) of the same DDoS vulnerabilities as their IPv4 counterparts, there are (at least) two areas where IPv6 faces different DDoS challenges than IPv4.
One is that some diagnostic and mitigation tool packages are not IPv6 aware, or their IPv6 versions may not have feature parity with the longer-established IPv4 versions. This is something that Project Calico can not address, but we expect that this will correct over time, as more organizations start deploying IPv6.
The other, however, is specific to IPv6 (or at least exacerbated by IPv6’s sparse address space).
The vacant address DDoS attack
A quick overview of what happens when a router receives a packet addressed to a destination that it is “authoritative” for, but doesn’t know about.
If a router is directly connected to an IP network, it is considered “authoritative” for that network, it doesn’t need to forward traffic addressed to that network to another router. If a router receives a packet addressed to a network it is directly connected to, and the router knows the L2 address for that destination, it forwards the traffic to that L2 address and the matter is finished. However, if the router does not know the L2 address of the destination, it broadcasts on the physical network asking for the L2 address that “handles” that destination IP address. In IPv4, that broadcast is an ARP, in IPv6, it’s a “neighbor discovery” or ND.
So, a DDoS technique (that works on both IPv4 and IPv6) is to send traffic addressed to random addresses in a network, and hope that many of those addresses don’t actually exist, causing a broadcast storm on the physical network, and loading down the router that is having to send all of the ARPs or NDs.
The reason this is a larger problem in IPv6 than IPv4 is the relatively sparse address space in an IPv6 network. If we take a classical “/24” IPv4 subnet that has, say 64 hosts on it, then there is a 25% (64/256) chance that a host actually exists at the address that is being used for the DDoS, so there is a limited amount of amplification that can happen. Simply put, the IPv4 world is denser, and there is less free space.
Now, if we take that network of 64 hosts and put them in an IPv6 subnet (which, by default is a 64-bit address space), there are 1.85e+19 available addresses, meaning that there is, for all intents and purposes 0% chance that traffic addressed to a random address in that subnet will actually “hit” one of those 64 hosts. This means that if an attacker “sprays” a target IPv6 network, effectively EVERY packet will lead to an ND broadcast (actually multicast, but the effect is the same).
How does Calico address the vacant address attack?
Because Calico, by default, announces every endpoint or host (in Calico terminology, an endpoint is a guest on the Calico network, so while host is the general term, we will use endpoint to match the terminology used in the rest of the Calico documentation) in the Calico network, and does so with it’s endpoint address (a route that only matches that specific endpoint), any router that is peered with a Calico network has, in it’s routing table a complete, and accurate list of endpoints on the Calico network. This gives us the tool necessary to stop the vacant address attack.
Every router has the concept of a black hole route. If I put a route into a router that is a black hole route, then any traffic that matches that route is silently discarded.
Another tool that every router has (or does) is what is called longest prefix match. Basically, a router may have multiple routes that match a given destination, but only the most specific match is used.