I hate being negative, but do I need a name-and-shame account to call out vendors and others that run services on the internet that don't support IPv6? #ipv6
feld
in reply to Jason Tubnor 🇦🇺
If you want more big sites to use IPv6 you first need to solve the problems why they aren't using it. The IP reputation / user classification and DDoS protection is not the same quality as when running v4 only; that's why we aren't using it @ {giant porn site}
Jason Tubnor 🇦🇺
in reply to feld
@feld Those are also IPv4 issues, so those arguments don't hold. Seems smart countries in Asia don't have a problem, according to APNIC.
Facebook, Google, etc. don't have a problem. So again, what problems need to be solved (besides laziness)?
feld
in reply to Jason Tubnor 🇦🇺
Different market, wildly different internet culture. Never hear about "the largest attack ever" going against some company in APNIC, do you?!
Both CloudFront and CloudFlare have failed to handle v6 DDoS attacks against us. In fact, we were even attacked through CloudFlare over v6 without supporting v6! Their broken ass infra allowed spoofed traffic with our domain to be accepted by their v6 edges and then just ... forwarded to our origins over v4. When we explicitly had v6 disabled.
It's not a shortage of money or talent. It's just a terrible experience that *costs* us a lot of money when we're targeted.
Miyuru Sankalpa
in reply to feld
@feld I am a bit confused as to how IP/DDoS reputation is hard to handle with v6. If you have used it, you know it is much easier to handle attacks than legacy IP.
All these problems point to your security team not having v6 experience.
feld
in reply to Miyuru Sankalpa
@miyuru They were sending nearly every packet with a unique address, IIRC, across many, many /64s, and CloudFlare/CloudFront were not able to identify and block them.
If you only get like one packet from an address, do you put it on a list and start tracking that /64 for abuse?
Miyuru Sankalpa
in reply to feld
@feld /64 to start and then block /48.
Are the IPv6 addresses from different ASNs?
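As an added illustration of the /64-then-/48 aggregation suggested above, and of why per-address tracking sees nothing when every packet carries a fresh address (example code written for this page, not from either poster or from any vendor; the thresholds and the sample traffic are constructed):

```python
import ipaddress
from collections import defaultdict

class PrefixTracker:
    """Count IPv6 sources at address, /64 and /48 granularity. Per-address
    counting sees nothing when every packet carries a fresh address; aggregating
    to /64 (typical end-site size) and then /48 (typical customer delegation)
    makes the flood visible. Limits are illustrative, not tuned values."""

    def __init__(self, addr_limit=100, p64_limit=100, distinct64_limit=32):
        self.addr_limit, self.p64_limit = addr_limit, p64_limit
        self.distinct64_limit = distinct64_limit
        self.addr_counts = defaultdict(int)   # packets per source address
        self.p64_counts = defaultdict(int)    # packets per /64
        self.p48_to_64s = defaultdict(set)    # distinct /64s seen per /48

    def observe(self, src):
        addr = ipaddress.IPv6Address(src)
        p64 = ipaddress.IPv6Network((int(addr), 64), strict=False)
        p48 = ipaddress.IPv6Network((int(addr), 48), strict=False)
        self.addr_counts[addr] += 1
        self.p64_counts[p64] += 1
        self.p48_to_64s[p48].add(p64)

    def per_address_offenders(self):
        # The v4-style view: single addresses that exceed the limit on their own.
        return sorted(a for a, n in self.addr_counts.items() if n >= self.addr_limit)

    def blocks(self):
        # Block a /48 once it has sourced too many distinct /64s; otherwise block
        # any single /64 that is too chatty by itself (skipping /64s already
        # covered by a blocked /48).
        b48 = {p for p, subs in self.p48_to_64s.items()
               if len(subs) >= self.distinct64_limit}
        b64 = {p for p, n in self.p64_counts.items()
               if n >= self.p64_limit and not any(p.subnet_of(b) for b in b48)}
        return sorted(b48 | b64, key=lambda n: (n.prefixlen, n))

def constructed_sample():
    # Constructed traffic, not captured data: a 200-packet flood that uses a fresh
    # address in a fresh /64 per packet, all inside 2001:db8:1::/48, plus two
    # ordinary clients that reuse a single address each.
    flood = [f"2001:db8:1:{i:x}::{i + 1:x}" for i in range(200)]
    return flood + ["2001:db8:2::10"] * 5 + ["2001:db8:ffff:5::1"] * 3

def run(sources=None):
    t = PrefixTracker()
    for s in constructed_sample() if sources is None else sources:
        t.observe(s)
    return t.per_address_offenders(), t.blocks()  # ([], [IPv6Network('2001:db8:1::/48')])
```

With the constructed flood no single address or /64 ever crosses a limit, so only the distinct-/64 count at /48 granularity produces a block; a real deployment would also age the counters and check whether the /48s belong to one or many ASNs before widening further.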
feld
in reply to Miyuru Sankalpa