Broken clients performing neigh-adv DoS
Jared Mauch
jared at puck.nether.net
Mon Dec 5 20:57:02 CET 2011
Was this right after the machine was rebooting? I've seen something similar to this before. Ping me off-list if the machine was just booting and I can share some details of what I've observed.
- Jared
On Dec 5, 2011, at 2:36 PM, Phil Mayers wrote:
> All,
>
> We've seen this several times before, and just had a recurrence. It pegged the CPU of our router to 100% until I blocked it.
>
> The machines seem to be Windows boxes that, for no readily apparent reason, suddenly start emitting NA packets at high speed:
>
> 06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062057 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062150 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062227 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062316 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062406 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062496 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062581 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062666 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062755 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
>
> The rate is more than sufficient to overwhelm the puny CPU available on this particular platform (sup720, with a whopping 600MHz to play with!)
>
> The clients don't seem to be malicious - they're just ordinary Windows boxes. They are wired, and don't seem to be suffering problems at the link layer - no rapid flapping of link state, for example.
>
> Has anyone else seen this - legit clients "go crazy" and bomb the network with router advertisements? Are there known bugs / patches / hotfixes for the MS OSes?
>
> I won't bother asking if Cisco have added NS DoS protection to currently shipping IOS - odds are it's either years away on all the platforms I care about, or "not supported in hardware" ;o)
>
> Cheers,
> Phil
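
Added example, not part of the original messages: one way to spot the per-host NA flood described above from tcpdump text output, by counting neighbor advertisements per source in a sliding window. The window, the threshold, the function names and the quiet host `fe80::1` are assumptions made for illustration; the flooding lines are constructed with the 90 µs spacing visible in the quoted capture.

```python
import re
from collections import defaultdict, deque

# tcpdump text line for an ICMPv6 neighbor advertisement. The HH:MM: prefix is
# optional because the capture quoted in the message shows only SS.ffffff.
NA_LINE = re.compile(
    r"^(?:(\d{2}):(\d{2}):)?(\d{2}\.\d+) IP6 (\S+) > (\S+): "
    r"ICMP6, neighbor advertisement")

def parse_na(line):
    """Return (seconds, src, dst) for an NA line, or None for anything else."""
    m = NA_LINE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, dst = m.groups()
    return int(hh or 0) * 3600 + int(mm or 0) * 60 + float(ss), src, dst

def find_na_floods(lines, window=1.0, threshold=100):
    """Map each source whose NA count within any `window` seconds reaches
    `threshold` to its peak count. Both defaults are assumptions to tune."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        parsed = parse_na(line)
        if parsed is None:
            continue
        ts, src, _dst = parsed
        q = recent[src]
        if q and ts < q[-1]:
            q.clear()  # seconds-only clock wrapped, or the capture restarted
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

def sample_capture():
    """Constructed input: 200 NAs spaced 90 us apart (the spacing visible in
    the quoted capture), plus a constructed quiet host, fe80::1."""
    router = "fe80::215:c7ff:fe06:8c00"
    flood = ["06.%06d IP6 fe80::d62:6e15:4fe3:9f24 > %s: ICMP6, neighbor "
             "advertisement" % (61965 + 90 * i, router) for i in range(200)]
    quiet = ["%s IP6 fe80::1 > %s: ICMP6, neighbor advertisement" % (t, router)
             for t in ("06.100000", "07.500000", "09.000000")]
    other = ["06.200000 IP6 fe80::1 > ff02::1: ICMP6, neighbor solicitation"]
    return flood + quiet + other

if __name__ == "__main__":
    for src, n in find_na_floods(sample_capture()).items():
        print("%s sent %d neighbor advertisements within 1 s" % (src, n))
```

The counting is per source address, so a single misbehaving host stands out even when the segment's aggregate NA rate is otherwise normal.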