Hi,
On 8/7/24 9:06 AM, Andreas Härpfer wrote:
For example - it's easy to run a VPS somewhere for a few bucks... using API calls, perform a few queries... destroy it and so on and on. This is a technique that a real attacker will use in practice. Because of course even a real attacker knows that some AUP limits exist and will be really motivated to hide his activity.
Whereas the case of rapid address changes within a single /64 on IPv6 is hypothetical and speculative, because it will be quickly visible. Does anyone really think that the attacker wants to be caught quickly?
Even a cheap VPS typically gets a whole /64 per host (at least in my experience). So, the possibility to rotate through IPv6 addresses is actually cheap, easy, and far from hypothetical.
From that POV it makes perfect sense to me to block whole /64s and _not_ bother with individual /128s.
But this is still not a solution for situations where the machines used for scraping personal data change rapidly. The attacker with knowledge of the AUP limits (which are public) will simply change the source /64 with sufficient cadence, just as he will change the IPv4 source. This is also a real experience with DDoS attacks that targeted the application. Addresses change so quickly and there are so many source networks that this kind of blocking is essentially ineffective. A real attacker who aims to obtain personal data from RIPE will unsurprisingly proceed similarly.
- Daniel
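The accounting question debated above, as an added example that is not part of the thread or of any RIPE code: a query limiter keyed per /64 next to one keyed per /128, run over constructed source lists. The names `limiter_key`, `PrefixLimiter` and `count_allowed`, the limit of 10 and the 2001:db8::/32 documentation addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def limiter_key(addr: str, v6_prefix: int = 64) -> str:
    """Network a source address is accounted under (IPv4 stays per-address)."""
    ip = ipaddress.ip_address(addr)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = v6_prefix if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class PrefixLimiter:
    """Allow at most `limit` queries per accounting key (hypothetical policy)."""
    def __init__(self, limit: int, v6_prefix: int = 64):
        self.limit = limit
        self.v6_prefix = v6_prefix
        self.counts = Counter()

    def allow(self, addr: str) -> bool:
        key = limiter_key(addr, self.v6_prefix)
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True

def count_allowed(sources, limit: int, v6_prefix: int = 64) -> int:
    """Number of queries from `sources` that pass the limiter."""
    limiter = PrefixLimiter(limit, v6_prefix)
    return sum(limiter.allow(s) for s in sources)

# Constructed sample data (documentation prefix 2001:db8::/32).
# One host rotating through 100 addresses inside a single /64:
SAME_64 = [f"2001:db8:1:2::{i:x}" for i in range(1, 101)]
# 100 queries, each arriving from a different /64:
MANY_64 = [f"2001:db8:{i:x}::1" for i in range(100)]

if __name__ == "__main__":
    print("same /64, per-/128 accounting:", count_allowed(SAME_64, 10, 128))
    print("same /64, per-/64 accounting: ", count_allowed(SAME_64, 10, 64))
    print("many /64s, per-/64 accounting:", count_allowed(MANY_64, 10, 64))
```

Per-/64 accounting collapses the in-prefix rotation into one client, while sources spread over many /64s each start with a fresh counter, which is the limitation raised in the reply.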