On Tue, 21 Jan 2025 22:34:06 -0700 Bob Proulx <b...@proulx.com> wrote:
> > I never heard back from the committee, and to this day I don't know
> > if IPv6 did implement this "filter at the source" possibility, or
> > if they f*-ed up and missed the opportunity to get rid of ddos
> > attacks when IPv6 was first rolled out.
>
> Wait... Is this something that actually exists? Or is this just a
> proposal? I am unaware of any such functionality. That doesn't mean
> anything as I am far from any authority on IPv6.
>
> If you know how to do this though I would be very interested in
> learning how to perform this type of blocking.

At the time I was developing the ircd of Undernet (at the time the second largest IRC network), and script kiddies used to flood channels by connecting large numbers of bots to a lot of (irc) servers which then flooded a single user or channel. The user could not stop this: the flood was too big (exactly as you describe is the case of "any single system" being ddossed).

I added to the protocol a new command called "SILENCE", that can be used with a mask. This command propagates towards whoever matches and filters their messages at the source, hence no longer loading the client-server connection of the victim, but also not the server-server connections in between.

Once the script kiddies couldn't flood users and channels anymore using the IRC protocol, they started to use ddos, to flood with IP packets. This is why we did hide all hostnames and IP-numbers of users. From that moment on, the script kiddies started to flood the servers; which resulted in the IRC network hiding all HUBS, so that they could only flood end-points, no longer taking down the whole network.

I've always been convinced that this development (by the IRC protocol and servers) has been the trigger and start of botnets that ddos.

Hence, being an authority on the social and psychological background of ddos - and how to stop it - when IPv6 was being developed, I emailed them that this was a great opportunity to build the same capability into ipv6 (or rather, that it was a must, as it was the only way to make ddos a thing of the past). I guess they ignored me. So now we still have the same ddos problems costing companies millions if not more. People are stupid.

So no, apparently it doesn't exist.
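The "filter at the source" idea described in the message above, as an added toy model that is not part of the original post and is not the Undernet ircd's SILENCE implementation: a victim sets a mask, the mask is pushed to the server of every sender that matches it, and flood messages are dropped there before they cross any server-to-server link. It contrasts that with filtering only at the victim's own server, where the hub links still carry the whole flood. The tree topology, the `Network` and `simulate` helpers, the user names and the mask syntax are all constructed for this example; real ircd behaviour (lazy propagation, nick-based addressing) is simplified away.

```python
"""Toy model of source-side message filtering across a tree of IRC-style servers.

Constructed example, not Undernet ircd code. mode="source" pushes the victim's
SILENCE mask to every server hosting a matching sender; mode="victim" filters
only at the victim's server; mode=None applies no filter at all.
"""
import fnmatch
from collections import defaultdict, deque


class Network:
    def __init__(self, links):
        self.adj = defaultdict(set)                 # server -> neighbouring servers
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)
        self.home = {}                              # user -> server it is attached to
        self.silence = defaultdict(set)             # server -> {(victim, mask)} enforced there
        self.source_entries = []                    # (victim, mask) pairs set in "source" mode
        self.server_link_load = defaultdict(int)    # frozenset({a, b}) -> messages carried
        self.client_link_load = defaultdict(int)    # user -> messages on its own link

    def connect(self, user, server):
        self.home[user] = server
        # A bot that attaches after the mask was set is covered at its own server too.
        for victim, mask in self.source_entries:
            if fnmatch.fnmatch(user, mask):
                self.silence[server].add((victim, mask))

    def route(self, src, dst):
        """Server path from src to dst by BFS (the links form a tree)."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nxt in self.adj[cur]:
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        path, cur = [], dst
        while cur is not None:
            path.append(cur)
            cur = prev[cur]
        return path[::-1]

    def add_silence(self, victim, mask, mode):
        """mode="victim": only the victim's server drops matching messages.
        mode="source": every server hosting a matching sender drops them."""
        if mode == "source":
            self.source_entries.append((victim, mask))
            targets = {srv for user, srv in self.home.items() if fnmatch.fnmatch(user, mask)}
        else:
            targets = {self.home[victim]}
        for srv in targets:
            self.silence[srv].add((victim, mask))

    def _silenced(self, server, sender, victim):
        return any(v == victim and fnmatch.fnmatch(sender, m)
                   for v, m in self.silence[server])

    def privmsg(self, sender, victim):
        """Send one message; returns True if it reached the victim's client link."""
        src, dst = self.home[sender], self.home[victim]
        self.client_link_load[sender] += 1          # the sender's own link always carries it
        if self._silenced(src, sender, victim):     # dropped at the source server
            return False
        path = self.route(src, dst)
        for a, b in zip(path, path[1:]):            # crosses every server-to-server hop
            self.server_link_load[frozenset((a, b))] += 1
        if self._silenced(dst, sender, victim):     # dropped at the victim's server
            return False
        self.client_link_load[victim] += 1
        return True


def simulate(mode, bots=20, msgs_per_bot=5):
    """Flood one victim from bots spread over two leaf servers (constructed topology).
    Returns how many messages reached the victim and how many crossed hub links."""
    net = Network([("leaf1", "hub"), ("leaf2", "hub"), ("leaf3", "hub")])
    victim = "victim!v@home.example"
    net.connect(victim, "leaf3")
    senders = [f"bot{i}!x@{i}.botnet.example" for i in range(bots)]
    for i, s in enumerate(senders):
        net.connect(s, ("leaf1", "leaf2")[i % 2])
    if mode:
        net.add_silence(victim, "*!*@*.botnet.example", mode)
    delivered = sum(net.privmsg(s, victim) for s in senders for _ in range(msgs_per_bot))
    return {
        "delivered": delivered,
        "victim_link": net.client_link_load[victim],
        "server_links": sum(net.server_link_load.values()),
    }


if __name__ == "__main__":
    for mode in (None, "victim", "source"):
        print(mode, simulate(mode))
```

With no filter the 100 flood messages all reach the victim and cross 200 hub hops; filtering at the victim's server empties the victim's client link but still leaves the 200 hops on the server-to-server links; filtering at the source leaves both at zero, which is the point the message makes about not loading the connections in between.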