Rate limiting / banning IPs in IPv6

Tags:

ipv6

Rate limiting is useful for situations like protecting a login system for failed attempts or limiting client resource usage per IP as an anti-abuse measure. It is also quite effective for IPv4 addresses, because only the guy with the thousand-strong botnet will be able to circumvent it long enough to cause damage.

How do you achieve this in IPv6? I understand that dedicated hosts nowadays provide you with /64 blocks, which is around 18 quintillion addresses. What about residential ISPs? Is there a minimum and/or maximum block size that is used in IPv6 deployments? Is it even possible to employ an effective rate limiting scheme in IPv6?

535 likes
tonyk asked Jun 10 '12 09:06




1 Answer

A /64 roughly maps to an individual residential network -- much the same as a single IPv4 address maps to an individual residential network. Many providers allocate /60, /56, or /48 subnets to end-users (my ISP, Internode, allocates a static /56 to every residential and business username).

So if you do your rate-limiting based on the /64 (i.e. ignore the last 64 bits), you have a pretty good chance of accurately rate-limiting a single user.

One further point: operating systems like Windows Vista and above, Mac OS X v10.7 and above, and Ubuntu 12.04 and above use randomised host identifiers for outgoing connections. This means the last 64 bits of the IPv6 address you see are always going to be random (well, randomised each time they reboot), so you may as well ignore them. If you only view the first 64 bits, they are much more likely to be static (or, at the very least, long-lived).

112 likes
Jeremy Visser answered Oct 16 '22 06:10
