Broken clients performing neigh-adv DoS
p.mayers at imperial.ac.uk
Tue Dec 6 18:17:11 CET 2011
On 06/12/11 12:26, Phil Mayers wrote:

> One thing I noticed when looking at the .pcap from the ERSPAN of the
> 6500 CPU was that the NA packet has:
>
> destination link-address option (2), length 8 (1): f2:80:36:xx:xx:xx
>
> ...which is a locally-assigned, unicast MAC that has never appeared
> anywhere on our network - either wireless or wired. Even toggling the
> "local" bit gives an unassigned OUI prefix. Mysterious.
>
> I am waiting for our support staff to steal the machine so I can have a
> look at it, and will let the list know if I find anything.

One final follow-up on this.

I spent some time inspecting the machine earlier today. It was a vanilla
Windows 7 64-bit machine (Dell, if that matters). There was no peculiar
hardware (I had been expecting a 2nd NIC, or FireWire or something), no
unusual software and no sign of trouble in the event logs.

The machine behaved fine when I powered it up on my desk.

In short - it was about as ordinary a machine as you could expect to
see, and I can find no explanation for the earlier behaviour.

I am still a bit troubled by the peculiar "dest link-address" option we
saw in the neighbour adv. packet - I am wondering if another machine was
malfunctioning somewhere, sending unicast neighbour disc. packets to the
machine, somehow triggering bad replies.

In short: no idea what was going on. Curious.
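
The check described in the quoted message (reading the link-address option out of a neighbour advertisement and testing the MAC's local and multicast bits), as an added example that is not part of the original post. The function names, the sample packet and the known-MAC set are assumptions made for illustration; the sample reuses only the f2:80:36 prefix from the capture.

```python
import ipaddress

ND_NEIGHBOR_ADVERT = 136   # ICMPv6 type (RFC 4861)
ND_OPT_TARGET_LLADDR = 2   # the "option (2)" in the capture above

def nd_options(data):
    """Yield (type, value) per ND option; the length byte counts 8-octet units."""
    off = 0
    while off + 2 <= len(data):
        opt_type, units = data[off], data[off + 1]
        end = off + units * 8
        if units == 0 or end > len(data):
            raise ValueError("malformed ND option at offset %d" % off)
        yield opt_type, data[off + 2:end]
        off = end

def fmt_mac(b):
    return ":".join("%02x" % x for x in b)

def inspect_na(icmp6, known_macs):
    """Return one finding per link-layer address option in an NA message."""
    if len(icmp6) < 24 or icmp6[0] != ND_NEIGHBOR_ADVERT:
        raise ValueError("not a neighbour advertisement")
    target = str(ipaddress.IPv6Address(icmp6[8:24]))
    findings = []
    for opt_type, value in nd_options(icmp6[24:]):
        if opt_type != ND_OPT_TARGET_LLADDR or len(value) != 6:
            continue
        findings.append({
            "target": target,
            "mac": fmt_mac(value),
            "multicast": bool(value[0] & 0x01),         # I/G bit
            "locally_assigned": bool(value[0] & 0x02),  # U/L bit
            # prefix to look up in the IEEE registry with the local bit cleared
            "oui_local_bit_cleared": fmt_mac(bytes([value[0] & 0xFD]) + value[1:3]),
            "seen_before": fmt_mac(value) in known_macs,
        })
    return findings

# Constructed sample: NA for 2001:db8::1 (documentation prefix), checksum left
# at zero. The option carries the f2:80:36 prefix from the capture; the last
# three octets are zero placeholders because the page elides them.
SAMPLE_NA = (bytes([136, 0, 0, 0]) + bytes.fromhex("60000000")
             + ipaddress.IPv6Address("2001:db8::1").packed
             + bytes([2, 1]) + bytes.fromhex("f28036000000"))
KNOWN_MACS = {"00:00:5e:00:53:10"}  # constructed stand-in for the MAC table

if __name__ == "__main__":
    for finding in inspect_na(SAMPLE_NA, KNOWN_MACS):
        print(finding)
```
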