Broken clients performing neigh-adv DoS

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 6 18:17:11 CET 2011


On 06/12/11 12:26, Phil Mayers wrote:

> One thing I noticed when looking at the .pcap from the ERSPAN of the
> 6500 CPU was that the NA packet has:
>
> destination link-address option (2), length 8 (1): f2:80:36:xx:xx:xx
>
> ...which is a locally-assigned, unicast MAC that has never appeared
> anywhere on our network - either wireless or wired. Even toggling the
> "local" bit gives an unassigned OUI prefix. Mysterious.
>
> I am waiting for our support staff to steal the machine so I can have a
> look at it, and will let the list know if I find anything.

One final follow-up on this.

I spent some time inspecting the machine earlier today. It was a vanilla 
Windows 7 64-bit machine (Dell, if that matters). There was no peculiar 
hardware (I had been expecting a 2nd NIC, or FireWire or something), no 
unusual software and no sign of trouble in the event logs.

The machine behaved fine when I powered it up on my desk.

In short - it was about as ordinary a machine as you could expect to 
see, and I can find no explanation for the earlier behaviour.

I am still a bit troubled by the peculiar "dest link-address" option we 
saw in the neighbour adv. packet - I am wondering if another machine was 
malfunctioning somewhere, sending unicast neighbour disc. packets to the 
machine, somehow triggering bad replies.

In short: no idea what was going on. Curious.

Cheers,
Phil
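
An added example, not part of the original post: a small Python check that parses a neighbour advertisement, pulls out the type-2 (Target Link-Layer Address, RFC 4861) option and flags the properties described above. The Ethernet source, target address, known-MAC set and finding names are constructed for illustration, and the last three octets of the option MAC are placeholders because the post elides them.

```python
import ipaddress
import struct

ND_NEIGHBOR_ADVERT = 136  # ICMPv6 type, RFC 4861
OPT_TARGET_LLADDR = 2     # the "(2)" option quoted in the post

def mac_flags(mac):
    """Decode the I/G and U/L bits in the first octet of a MAC."""
    return {"multicast": bool(mac[0] & 0x01),
            "local": bool(mac[0] & 0x02),
            # OUI obtained by clearing the "local" bit, for a registry lookup
            "oui_if_universal": bytes([mac[0] & 0xFD]) + mac[1:3]}

def parse_na(icmp6):
    """Return (target address, [MACs carried in type-2 options])."""
    if len(icmp6) < 24 or icmp6[0] != ND_NEIGHBOR_ADVERT:
        raise ValueError("not a neighbour advertisement")
    target, macs, off = ipaddress.IPv6Address(icmp6[8:24]), [], 24
    while off < len(icmp6):
        # Option header: type, then length in units of 8 bytes (never 0)
        if len(icmp6) - off < 8 or icmp6[off + 1] == 0:
            raise ValueError("malformed ND option")
        opt_type, end = icmp6[off], off + icmp6[off + 1] * 8
        if end > len(icmp6):
            raise ValueError("truncated ND option")
        if opt_type == OPT_TARGET_LLADDR and icmp6[off + 1] == 1:
            macs.append(icmp6[off + 2:off + 8])
        off = end
    return target, macs

def audit_na(eth_src, icmp6, known_macs):
    """List what is odd about the link-layer address an NA advertises."""
    findings = []
    for mac in parse_na(icmp6)[1]:
        flags = mac_flags(mac)
        if flags["local"]:
            findings.append("tlla-locally-administered")
        if flags["multicast"]:
            findings.append("tlla-multicast")
        if mac != eth_src:
            findings.append("tlla-differs-from-eth-src")
        if mac not in known_macs:
            findings.append("tlla-never-seen")
    return findings

# Constructed sample NA (checksum left at zero and not validated here).
ETH_SRC = bytes.fromhex("001122334455")   # constructed sender MAC
TLLA = bytes.fromhex("f28036000000")      # f2:80:36 + placeholder octets
SAMPLE_NA = (bytes([136, 0, 0, 0]) + struct.pack("!I", 0x60000000)  # S+O flags
             + ipaddress.IPv6Address("2001:db8::1").packed
             + bytes([OPT_TARGET_LLADDR, 1]) + TLLA)
```
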

