Broken clients performing neigh-adv DoS

Phil Mayers p.mayers at imperial.ac.uk
Mon Dec 5 20:36:31 CET 2011


All,

We've seen this several times before, and just had a recurrence. It 
pegged the CPU of our router to 100% until I blocked it.

The machines seem to be Windows boxes that, for no readily apparent 
reason, suddenly start emitting NA packets at high speed:

06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062057 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062150 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062227 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062316 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062406 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062496 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062581 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062666 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062755 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement

The rate is more than sufficient to overwhelm the puny CPU available on 
this particular platform (sup720, with a whopping 600MHz to play with!)

The clients don't seem to be malicious - they're just ordinary Windows 
boxes. They are wired, and don't seem to be suffering problems at the 
link layer - no rapid flapping of link state, for example.

Has anyone else seen this - legit clients "go crazy" and bomb the 
network with router advertisements? Are there known bugs / patches / 
hotfixes for the MS OSes?

I won't bother asking if Cisco have added NS DoS protection to currently 
shipping IOS - odds are it's either years away on all the platforms I 
care about, or "not supported in hardware" ;o)

Cheers,
Phil
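
Added example, not part of the original post: a per-source rate check over tcpdump output in the line format shown above, for spotting hosts that emit neighbor advertisements at this kind of rate. The function names, the window and threshold values, and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Line shape taken from the capture in the post:
# "SS.ffffff IP6 <src> > <dst>: ICMP6, neighbor advertisement"
NA_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, neighbor advertisement"
)

def find_na_flooders(lines, window=1.0, threshold=100):
    """Return {src: peak NA count within any `window` seconds} for sources
    whose peak exceeds `threshold` (both defaults are assumed values)."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)
    for line in lines:
        m = NA_LINE.match(line.strip())
        if not m:
            continue              # not an NA line, ignore
        ts, src = float(m["ts"]), m["src"]
        q = recent[src]
        if q and ts < q[-1]:
            q.clear()             # truncated timestamps wrapped around
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # slide the window forward
        peak[src] = max(peak[src], len(q))
    return {s: n for s, n in peak.items() if n > threshold}

def sample_capture():
    """Constructed input: one host at the ~90 microsecond spacing seen in
    the post, and one host sending an ordinary trickle of NAs."""
    router = "fe80::215:c7ff:fe06:8c00"
    tail = f" > {router}: ICMP6, neighbor advertisement"
    lines = [
        f"{6.061965 + i * 0.00009:09.6f} IP6 fe80::d62:6e15:4fe3:9f24{tail}"
        for i in range(500)
    ]
    lines += [
        f"{6.1 + i * 0.3:09.6f} IP6 fe80::1:2:3:4{tail}"
        for i in range(3)
    ]
    return sorted(lines)          # fixed-width timestamps sort chronologically

if __name__ == "__main__":
    for src, count in find_na_flooders(sample_capture()).items():
        print(f"{src}: {count} NAs within 1s")
```
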


More information about the ipv6-ops mailing list