Scanning activity from 2620:96:a000::/48

• Previous message (by thread): Fort Bug - FreeBSD
• Next message (by thread): Scanning activity from 2620:96:a000::/48
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A couple of hours after midnight UTC, the control plane policers for
unresolved traffic on a couple of our CE routers started being clogged with
ping-scanning activity from 2620:96:a000::/48, which belongs to «Internet
Measurement Research (SIXMA)» according to ARIN.

Excerpt of this traffic (anonymised on our end):

11:21:05.016914 IP6 2620:96:a000::10 > 2001:db8:1234::f5:7a69: ICMP6, echo request, seq 0, length 16
11:21:05.016929 IP6 2620:96:a000::10 > 2001:db8:1234::12:ba74: ICMP6, echo request, seq 0, length 16
11:21:05.060045 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, destination unreachable, unreachable address 2001:db8:1234::e7:f473, length 64
11:21:05.060060 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, destination unreachable, unreachable address 2001:db8:1234::d4:c4a3, length 64
11:21:05.060419 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, destination unreachable, unreachable address 2001:db8:1234::42:198a, length 64
11:21:05.064464 IP6 2620:96:a000::10 > 2001:db8:1234::4a:d4cd: ICMP6, echo request, seq 0, length 16
11:21:05.079645 IP6 2620:96:a000::10 > 2001:db8:1234::63:b58d: ICMP6, echo request, seq 0, length 16
11:21:05.097337 IP6 2620:96:a000::10 > 2001:db8:1234::24:1038: ICMP6, echo request, seq 0, length 16
11:21:05.111091 IP6 2620:96:a000::7 > 2001:db8:1234::8f:a126: ICMP6, echo request, seq 0, length 16
11:21:05.124112 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, destination unreachable, unreachable address 2001:db8:1234::e6:70fc, length 64
11:21:05.124417 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, destination unreachable, unreachable address 2001:db8:1234::bf:ca18, length 64
11:21:05.137509 IP6 2620:96:a000::10 > 2001:db8:1234::12:f0df: ICMP6, echo request, seq 0, length 16
11:21:05.142614 IP6 2620:96:a000::7 > 2001:db8:1234::8f:9ec6: ICMP6, echo request, seq 0, length 16

While the CP policer did its job and prevented any significant operational
impact, the traffic did possibly prevent/delay legitimate address resolution
attempts as well as trigger loads of pointless address resolution attempts
(ICMPv6 Neighbour Solicitations) towards the customer LAN.

We just blocked the prefix at our AS border to get rid of that noise. Those
ACLs are currently dropping packets at a rate of around 600 pps.

I was just curious to hear if anyone else is seeing the same thing, and also
whether or not people feel that this is an okay thing for this «Internet
Measurement Research (SIXMA)» to do (assuming they are white-hats)?

Tore

• Previous message (by thread): Fort Bug - FreeBSD
• Next message (by thread): Scanning activity from 2620:96:a000::/48
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]