Microsoft, Juniper urged to patch dangerous IPv6 DoS hole

By , Network World |  Security, IPv6, Juniper Networks

However, experts aren't buying it. The hole is "very easy to fix," Heuse says, and Microsoft has a long history of addressing DoS holes on the local LAN that have far less of an impact. He points to Microsoft fixing a similar issue in its implementation of IPv4 in 2008. Meanwhile, Microsoft has also committed to fixing another issue he recently reported to the company, which he describes as "a very minor vulnerability of detecting if a host is sniffing. It, too, is only possible on the local LAN." His conclusion is that there is a political issue inside Microsoft where the "responsible team does not want to fix these kinds of issues anymore."

Some Windows networking consultants are so concerned about the hole and Microsoft's lack of interest in fixing it that they have been warning users directly. "There is a serious Windows vulnerability for RA flooding as a denial-of-service attack on wired LANs. It only takes between 5 to 20 packets to CPU-bound every Windows 7 or Server 2008 machine on that subnet," said Microsoft MVP Ed Horley, Principal Solutions Architect at Groupware Technology, to attendees of the Rocky Mountain IPv6 Summit in Denver, Colo., last week. "I have heard rumor it can also lock out Playstation 2 and Xbox consoles. With enough packets it requires a hard reboot to recover."

Although several workarounds exist, each has a significant drawback. One is to turn off IPv6, which also disables new Microsoft technologies that rely on it, such as DirectAccess, a service that allows Windows 7 machines to have an always-on remote access connection to Windows Server 2008 R2 servers. Remote Access is touted as a money-saving option as it replaces the need for a separate VPN in Windows environments.

Experts also advise using a router that has implemented a Cisco technology called RA Guard - and while Cisco routers support RA Guard, not all routers do. RA Guard was submitted as an informational document to the IETF, RFC 6105, but it is not on track to become a standard.
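On a segment whose switches lack RA Guard, the flood can at least be detected. The following is an added example, not code from the article or from any vendor: it parses ICMPv6 Router Advertisements and alerts when one time window carries more distinct prefixes than a real LAN would. The threshold, the window, and the premise that a flood advertises many different prefixes are assumptions; the sample packets are constructed.

```python
import ipaddress
import struct
from collections import deque

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option

def ra_prefixes(icmp6: bytes):
    """Return the prefixes advertised in an ICMPv6 RA, or None if not a well-formed RA."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return None
    prefixes, off = [], 16  # options start after the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp6):
            return None  # zero-length option or option overrunning the packet
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 32 or icmp6[off + 2] > 128:
                return None  # wrong option size or impossible prefix length
            net = (icmp6[off + 16:off + 32], icmp6[off + 2])
            prefixes.append(ipaddress.IPv6Network(net, strict=False))
        off += opt_len
    return prefixes if off == len(icmp6) else None  # reject trailing garbage

class RAFloodDetector:
    """Alert when one window carries more distinct prefixes than a real LAN would."""
    def __init__(self, max_prefixes=10, window=5.0):  # assumed thresholds, tune per site
        self.max_prefixes, self.window = max_prefixes, window
        self.seen = deque()  # (timestamp, prefix), oldest first
    def observe(self, ts: float, icmp6: bytes) -> bool:
        for prefix in ra_prefixes(icmp6) or []:
            self.seen.append((ts, prefix))
        while self.seen and self.seen[0][0] < ts - self.window:
            self.seen.popleft()  # forget advertisements older than the window
        return len({p for _, p in self.seen}) > self.max_prefixes

def sample_ra(prefix: str) -> bytes:
    """Constructed sample: RA body with one Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + net.network_address.packed

def demo():
    """Constructed traffic: a steady router, then 20 RAs with distinct prefixes in 1 s."""
    det = RAFloodDetector()
    normal = [det.observe(t * 200.0, sample_ra("2001:db8:1::/64")) for t in range(5)]
    flood = [det.observe(1000.0 + i * 0.05, sample_ra(f"2001:db8:0:{i:x}::/64")) for i in range(20)]
    return any(normal), flood.index(True)  # (false alarm on normal traffic?, first alerting RA)
```

The parser does not verify the ICMPv6 checksum, which needs the IPv6 pseudo-header; feed it payloads from a capture source that has already validated them.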


Originally published on Network World.