Broken clients performing neigh-adv DoS

Phil Mayers p.mayers at
Tue Dec 6 13:26:32 CET 2011

On 05/12/11 19:36, Phil Mayers wrote:
> All,
> We've seen this several times before, and just had a recurrence. It
> pegged the CPU of our router to 100% until I blocked it.
> The machines seem to be windows boxes that, for no readily apparently
> reason, suddenly start emitting NA packets at high speed:
> 06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00:
> ICMP6, neighbor advertisement

Thanks all for the various comments.

Just a bit of a follow-up. Further research shows that this particular 
client is actually a "repeat occurrence" - the machine has done the same 
thing before, a few months ago.

One thing I noticed when looking at the .pcap from the ERSPAN of the 
6500 CPU was that the NA packet has:

destination link-address option (2), length 8 (1): f2:80:36:xx:xx:xx

...which is a locally-assigned, unicast MAC that has never appeared 
anywhere on our network - either wireless or wired. Even toggling the 
"local" bit gives an unassigned OUI prefix. Mysterious.

I am waiting for our support staff to steal the machine so I can have a 
look at it, and will let the list know if I find anything.

More information about the ipv6-ops mailing list