Hi,
On 8/7/24 9:06 AM, Andreas Härpfer wrote:
> > For example - it's easy to run a VPS somewhere for a few bucks... using API
> > calls, perform a few queries... destroy it and so on and on. This is a technique
> > that a real attacker will use in practice. Because of course even a real attacker
> > knows that some AUP limits exist and will be really motivated to hide his
> > activity.
> > Whereas rapid address changes within a single /64 on IPv6 are hypothetical and
> > speculative, because they will be quickly visible. Does anyone really think that
> > the attacker wants to be caught quickly?
>
> Even a cheap VPS typically gets a whole /64 per host (at least in my
> experience). So, the possibility to rotate through IPv6 addresses is
> actually cheap, easy, and far from hypothetical.
> From that POV it makes perfect sense to me to block whole /64s and
> _not_ bother with individual /128s.

But this is still not a solution for situations where the machines used
for scraping personal data change rapidly. The attacker with knowledge of the
AUP limits (which are public) will simply change the source /64 with
sufficient cadence, just as it will change the IPv4 source.

This is also a real experience with DDoS attacks that targeted the
application. Addresses change so quickly and there are so many source
networks that this kind of blocking is essentially ineffective. A real
attacker who aims to obtain personal data from RIPE will unsurprisingly
proceed similarly.

- Daniel
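
The two accounting choices discussed in this thread, as an added example that is not part of the original message or of any RIPE system: per-source query counting keyed on the exact address versus on the covering IPv6 /64. The log, the limit of 25, and the function names are constructed for illustration; addresses come from the documentation ranges.

```python
import ipaddress
from collections import Counter

def bucket(addr: str, v6_prefix: int = 64) -> str:
    """Accounting key for a source: IPv4 address as-is, IPv6 by covering prefix."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))

def over_limit(sources, limit: int, v6_prefix: int = 64) -> set:
    """Return the accounting keys whose query count exceeds `limit`."""
    counts = Counter(bucket(s, v6_prefix) for s in sources)
    return {key for key, n in counts.items() if n > limit}

# Constructed sample log (2001:db8::/32 and 192.0.2.0/24 are documentation ranges).
# Client A: 40 queries, a fresh /128 each time but always inside one /64.
client_a = [f"2001:db8:a:1::{i:x}" for i in range(1, 41)]
# Client B: 40 queries, each from a different /64 (one short-lived host per query).
client_b = [f"2001:db8:b:{i:x}::1" for i in range(1, 41)]
# Client C: 40 queries from a single IPv4 address.
client_c = ["192.0.2.10"] * 40
LOG = client_a + client_b + client_c
LIMIT = 25  # hypothetical per-key limit, not a real AUP value

def summary(limit: int = LIMIT) -> dict:
    """Keys flagged under /128 accounting versus /64 accounting."""
    return {
        "per_128": over_limit(LOG, limit, v6_prefix=128),
        "per_64": over_limit(LOG, limit, v6_prefix=64),
    }

if __name__ == "__main__":
    for mode, keys in summary().items():
        print(mode, sorted(keys))
```

Keying on /64 flags client A, which /128 accounting misses, while client B stays under the limit in both modes because every query arrives from a different /64.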