Nmap Development
mailing list archives
Re: [NSE] whois.nse
From: doug () hcsw org
Date: Mon, 11 Aug 2008 13:47:42 -0700
On Wed, Aug 06, 2008 at 06:54:47AM +0000 or thereabouts, Brandon Enright wrote:
> Regarding the IPv6 /32 cache, you should probably cache at /48 as
> that is the size being assigned to organizations. /32s are going to
> RIRs -- and being chopped into 65536 /48s. Seems like a more logical
> cache boundary to me.

In IPv4 one way to increase the cost of performing a DDoS attack on
a webserver is of course to limit the number of connections possible
from one IP to some low number like 2 (default number a browser will
open to a vhost) or 4 (two browsers behind NAT). But with IPv6 anyone
who can fill out a web form can get more IPv6 addresses than there
are IPv4 addrs!

So what is the best practice for doing this with IPv6? Limiting
by /48s sounds good but I worry about whole organisations being
subject to limits rather than just individual nodes--the NAT
problem all over again.
Doug
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
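
The per-prefix limiting discussed in the message above, as an added example that is not part of the original post or of Nmap: a concurrent-connection limiter that keys IPv4 clients by address and IPv6 clients by their enclosing /48. The class name, the limits and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

class PrefixConnLimiter:
    """Caps concurrent connections per client key (hypothetical helper).

    Key: the full address for IPv4, the enclosing prefix for IPv6.
    The limit of 4 and the /48 default are assumed values.
    """
    def __init__(self, v4_limit=4, v6_limit=4, v6_prefix=48):
        self.v4_limit, self.v6_limit = v4_limit, v6_limit
        self.v6_prefix = v6_prefix
        self.active = Counter()

    def key(self, addr):
        ip = ipaddress.ip_address(addr)
        # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is still an IPv4 client.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.version == 4:
            return str(ip)
        # strict=False masks off the host bits instead of raising.
        return str(ipaddress.ip_network(f"{ip}/{self.v6_prefix}", strict=False))

    def open(self, addr):
        k = self.key(addr)
        limit = self.v6_limit if "/" in k else self.v4_limit
        if self.active[k] >= limit:
            return False          # over budget for this address or prefix
        self.active[k] += 1
        return True

    def close(self, addr):
        k = self.key(addr)
        if self.active[k] > 0:
            self.active[k] -= 1

def demo():
    lim = PrefixConnLimiter(v4_limit=2, v6_limit=2)
    # Constructed sample: four source addresses, three in one /48.
    attempts = ["2001:db8:1:1::a", "2001:db8:1:2::b",   # same /48, two nodes
                "2001:db8:1:ffff::c",                    # same /48, third node
                "2001:db8:2::a"]                         # a different /48
    return [(a, lim.key(a), lim.open(a)) for a in attempts]

if __name__ == "__main__":
    for addr, key, ok in demo():
        print(f"{addr:22} {key:20} {'accept' if ok else 'reject'}")
```

The third attempt is rejected although it comes from a node that has opened nothing itself, which is the shared-budget effect the message compares to NAT.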