Scanning activity from 2620:96:a000::/48

Mel Beckman mel at
Tue Jul 6 12:12:16 UTC 2021

Protected or not, 600 pps is abusive. If they practice this behavior routinely they could find themselves filtered off the Internet. If Tore can’t reach them, I recommend an abuse report to their upstream, assuming they’re not directly peering at an IXP (I haven’t checked).

-mel via cell

On Jul 6, 2021, at 3:53 AM, Tom Beecher <beecher at> wrote:

As mentioned, rando traffic is part and parcel of being internet connected. There isn't much 'ok' or 'not ok' to it. At this point of the internet's lifecycle, it is incumbent on all operators to protect themselves as much as possible from potential malfeasance or unintended technical oopsies.

That being said, the public records for the originator look pretty sketch. Contact address is a USPS Post Office in Maryland, ARIN entries only a few months old, website is 'Look at these studies about internet research'! Probably not missing anything to nuke them at your edge, or honeypot them if you're nerd curious.

On Tue, Jul 6, 2021 at 6:46 AM Tore Anderson <tore at<mailto:tore at>> wrote:
* Dobbins, Roland

> Scanning is part of the ‘background radiation’ of the Internet, and it’s performed by various parties with varying motivations.  Of necessity, IPv6 scanning is likely to be more targeted (were your able to discern any rhyme or reason behind the observed scanning patterns?).

The pattern appears to be sending a bunch of ICMPv6 pings to a random adresses
within the same /104. The last 24 bits of each destination address appears
randomised in each ping request, that is.

I don't know if they move on to another /104 after they were done with the
first one and so forth.

> iACLs, tACLs, CoPP, selective QoS for various ICMPv6 types/codes, et. al. should be configured in such a manner that 600pps of anything can’t cause an adverse impact to any network functions.  Because actual bad actors are unlikely to voluntarily stop, even when requested to do so.

Clearly, and in this particular case my CP protections did their job
successfully, fortunately, but that is kind of besides the point.

What I am wondering, though, is if it is really should be considered okay for
a good actor to launch what essentially amounts to an neighbour cache
exhaustion DoS attack towards unrelated network operators (without asking
first), just because bad actors might do the same.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list