From having worked on DDoS mitigation, there's pretty much no difference between CGNAT and IPv6. Block or rate limit an IPv4 address and you might block some legitimate traffic if it's a NAT address. Block a single IPv6 address... And you might discover that the user controls an entire /64 or whatever prefix. So if you're in a situation where you can't filter out attack trafic by stateless signature (which is pretty bad already), you'll probably err on the side of blocking larger prefixes anyway, which potentially affect other users, the same as with CGNAT.

Insofar as it makes a difference for DDoS mitigation, the scarcity of IPv4 is more of a feature than a bug.

I am a bit split this topic. There is some privacy concerns with using ipv6. https://www.rfc-editor.org/rfc/rfc7721.html#page-6

Some time ago I decided for our site to not roll out ipv6 due to these concerns. (a couple of million visitors per month) We have meta ads reps constantly encourage us to enable it which also do not sit right with me.

Although I belive fingerprinting is sofisticated enough to work without using ip's so the impact of using ipv6 might not be a meaningful difference.

Is there any money an ISP would make, or save, by sinking money and effort on switching to IPv6? If there's none, why would they act? If there is some, where?

For instance, mobile phone operators, which had to turn ISPs a decade or two ago, had a natural incentive to switch to IPv6, especially as they grew. Would old ISPs make enough from selling some of their IPv4 pools?

> How about we actually finally roll out IPv6 and bury CGNAT in the graveyard where it belongs?

That depends on the service you are DDosing actually having an IPv6 presence. And lots of sites really don't.

It doesn't help if you have IPv6 if you need to fallback to IPv4 anyway. And if bot-net authors knows they can hide behind CGNAT, why would they IPv6 enable their bot-load when all sites and services are guaranteed to be reachable bia IPv4 for the next 3 decades?

(Disclaimer: This comment posted on IPv6)

Is it advantageous to be someone who supports IPv6 on a day like today?

Isn't it enough that the target of the DDOS only accepts ipv6?

Sorry, late here. You are right. I mean filter the IP in question.

If they don’t then the devices are not sold in the United States. It’s quite simple.

>What about DDoSs that come from sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from.

any source for this claim? Outside of very specific scenarios which differ significantly for the current botnet market (like manjaro sending too many requests to the aur or an android application embedding an url to a wikipedia image) I cannot remember one occourence of such a bug being versatile enough to create a new whole cybercrime market segment.

>They'll point to whether your Mac really needs more than 100mbps.

it does, because sometimes my computer bursts up to 1gbps for a sustained amount of time, unlike the average iot device that has a predictable communication pattern.

>Signed firmware and the sideloading ID requirements on Android also helps to prevent stalkerware, which is a growing threat far scarier than some occasional sideloaded virus or DDoS attack. Never assume sideloading is consensual.

if someone can unlock your phone, go into the settings, enable installation of apps for an application (ex. a browser), download an apk and install it then they can do quite literally anything, from enabling adb to exfiltrating all your files.

> Signed firmware and the sideloading ID requirements

Ending the last corner of actually free market in software is quite a cost for something that wouldn't prevent DDoS.

> sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from

Is that actually true? What evidence do we have, vs. vulnerabilities in the OEM software (the more common case)?

I think there's some exaggeration as few $1 SoC parts come with 10G Ethernet, and >1G to the home is not common, but pretty much any home router can saturate its own uplink - it would be useless if it couldn't!

A Allwinner H616 is Quad-Core ARM and can definitely saturate gigabit ethernet with packet generation.

It’s not; most places that give you gigabit fiber will give you a symmetric connection.

Why should they be required to have hardware in their own network to filter that out when the ISP is obviously receiving all of their traffic anyway?

Sometimes the attack, or amplification, comes from the ISP-provided router and its bargain basement firmware.

My tinfoil body-suit suggests this is how CDN's came to be. People's websites were hammered and extorted indirectly by friends of insert CDN startup here. The tin-foil body-suit also suggests the end goal was to hover up all the data and sell it to the government and/or the highest bidder.

Haha. My ISP barely gives me an Internet connection

That may brick it for its intended use, but nothing's stopping a botnet from repurposing it.

So they get to ship a dangerous device that harms innocent third parties because they cut corners, but we’re supposed to reward them by doing the work to secure the devices they couldn’t be bothered with?

what about as an demonstration of their capabilities for someone else?

Some people get very emotional about the games that they play and will pay to have them DDoSed because of something or someone they're angry about. Others just love to cause chaos and will happily buy a DDoS attack to screw other people over. They even get to watch the outcome in real-time because of streamers.

Ehhh I can see it. The right attack at the right time could directly or indirectly kill people, and that’s ignoring the fact it can cause economic havoc.

Having the entire internet function on a “pay or be nuked” threshold that could easily get much worse if companies like cloudflare become less ethical (not that they’re saints).

Perhaps, or perhaps not. Maybe if we held them accountable they would?

Any device that participates in a DDOS needs to be recalled by the manufacturer, mandated by law. Make it potentially economically crippling to sell a vulnerable device, and security will be taken very seriously. Frivolous uses of tech, won't be worth the risk.

Yes, you generally see this kind of thing start from the pain-feelers and move up the chain to the pain-causers.

So why hasn't that happened? These are clearly damaging to many, and ISPs are apparently doing next to nothing to prevent it, and it has been extremely clear for a while now that it's going to just become a bigger and bigger problem.

Are there ISPs that don't charge customers for the amount of bandwidth they consume? Even "unlimited" has been ruled by courts to not really mean "unlimited", after all.

Of course there is. If you've got all your internet egress tied up with DDoS attacks from your network it is a big problem.

Not really? At best it's "DDOS prevention sellers are having trouble" and "ISPs say they're doing fine". The vast majority of the article is talking about the various kinds of malware causing this, and how some have been "fixed" by stopping the individuals running it (which clearly doesn't work very well, new ones just fill the void).

Or this:

>“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”

Uh. No. That's gross negligence if they are only starting to think about it now - the trend has been clear for over a decade, and the IoT threat has been obvious since day 1 and even blasted over public news for the past few years. Their status is pretty much only one of: incompetent, malicious, or they have had plans but haven't acted on them fast enough or strongly enough for [some reason], and that reason isn't something I've seen. Surprises happen, prevention costs money and time, and there are plenty of reasons why everyone isn't already prepared for everything, so I think "incompetent or malicious" is pretty rare.... but what are those reasons?