Broken clients performing neigh-adv DoS
p.mayers at imperial.ac.uk
Tue Dec 6 13:26:32 CET 2011
On 05/12/11 19:36, Phil Mayers wrote:
> We've seen this several times before, and just had a recurrence. It
> pegged the CPU of our router to 100% until I blocked it.
> The machines seem to be Windows boxes that, for no readily apparent
> reason, suddenly start emitting NA packets at high speed:
> 06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00:
> ICMP6, neighbor advertisement
Thanks all for the various comments.
Just a bit of a follow-up. Further research shows that this particular
client is actually a "repeat occurrence" - the machine has done the same
thing before, a few months ago.
One thing I noticed when looking at the .pcap from the ERSPAN of the
6500 CPU was that the NA packet has:
destination link-address option (2), length 8 (1): f2:80:36:xx:xx:xx
...which is a locally-assigned, unicast MAC that has never appeared
anywhere on our network - either wireless or wired. Even toggling the
"local" bit gives an unassigned OUI prefix. Mysterious.
I am waiting for our support staff to steal the machine so I can have a
look at it, and will let the list know if I find anything.
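The two checks described in the message above, as an added example that is not part of the original post: flag sources whose neighbor advertisement rate in tcpdump text output exceeds a limit, and decode the flag bits of a MAC prefix such as the f2:80:36 seen in the link-address option. The function names, the 100-per-second limit and the sample capture lines (including their addresses) are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# tcpdump text line for an ICMPv6 neighbor advertisement (hh:mm:ss.us timestamps)
NA_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP6 (\S+) > (\S+): ICMP6, neighbor advertisement")

def na_flooders(lines, max_per_sec=100):
    """Return {source: peak NA count in any 1 s window} for sources over the limit."""
    windows = defaultdict(deque)   # source -> timestamps inside the sliding window
    peak = defaultdict(int)
    for line in lines:
        m = NA_RE.match(line)
        if not m:
            continue               # not an NA line
        h, mi, s, src, _dst = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        w = windows[src]
        w.append(t)
        while t - w[0] >= 1.0:     # drop packets older than one second
            w.popleft()
        peak[src] = max(peak[src], len(w))
    return {src: n for src, n in peak.items() if n > max_per_sec}

def mac_prefix_info(prefix):
    """Decode the flag bits in the first three octets of a MAC, e.g. 'f2:80:36'."""
    octets = [int(x, 16) for x in prefix.split(":")[:3]]
    first = octets[0]
    universal = [first & 0xFD] + octets[1:]        # same prefix with the U/L bit cleared
    return {
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
        # prefix to look up in the IEEE OUI registry
        "oui_if_universal": ":".join(f"{o:02x}" for o in universal),
    }

# Constructed sample capture: one host sending 300 NAs in 0.3 s, one normal host.
SAMPLE = [
    "13:26:%09.6f IP6 fe80::1 > fe80::ff: ICMP6, neighbor advertisement, length 32"
    % (6 + i * 0.001) for i in range(300)
] + [
    "13:26:%02d.000000 IP6 fe80::2 > fe80::ff: ICMP6, neighbor advertisement, length 32"
    % sec for sec in (10, 20, 30)
]

if __name__ == "__main__":
    print(na_flooders(SAMPLE))
    print(mac_prefix_info("f2:80:36"))
```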