I am currently accustomed to using tools like fail2ban to keep unwanted traffic away from my servers by banning IPv4 addresses: too many bad log entries per IP, ban the IP.
However when the world completes the migration to IPv6, banning single addresses probably won't work anymore, since a "normal" botnet computer or attacker posses quite many IPv6 addresses?
If I want to block IPv6 users what would be the best way to accomplish this? Use a certain IP mask or something else?
How about doing "upscaling heuristics" when you get multiple individual hits inside IPv6 then ban the whole block?
For me it is more important to mitigate the threat. If some poor genuine users to belong to the same block with blocked IPs then it is an issue between those people and their ISP to get that netblock cleared.
Answer
Banning per /128 does not scale when a subnet of /64 size is used for an attack. You will end up with 2^64 entries in the table, potentially causing a denial of service.
End-users will always receive a /56 per global address assignment policy.
Businesses will always receive a /48 per global address
See: https://tools.ietf.org/html/rfc6177
/128 should never be assigned to a server/user, minimum assignment to another entity (server/vps customer) should be a /64. Minimum assignment to a site should be a /56.
Giving out /128s is fundamentally broken and should be considered a configuration error.
I therefore recommend temporary banning per /64, given that a typical end-user will only have access to 2^8 /64s, it should not introduce too many entries in the banning table.
No comments:
Post a Comment