[129341] in North American Network Operators' Group
Re: just seen my first IPv6 network abuse scan,
daemon@ATHENA.MIT.EDU (Igor Ybema)
Fri Sep 3 08:18:50 2010
In-Reply-To: <4C80DF58.30000@de-cix.net>
Date: Fri, 3 Sep 2010 14:02:21 +0200
From: Igor Ybema <igor@ergens.org>
To: nanog@nanog.org
> Sheng Jiang has discussed this issue in his draft:
> http://tools.ietf.org/html/draft-jiang-v6ops-nc-protection-01
If I understand the RFC correctly it is based on an attack within the
same subnet. Looks a lot like arp-flooding.
However this scan was from an external host. The only traffic I saw on
the subnet was normal/valid NA lookups from the router towards an
increasing IPv6-address (starting with ::1, then ::2 etc). On the
router side I clearly saw the icmp traffic from the source doing a
scan on these destination hosts. None of these IPv6 addresses are
alive so no success in scanning for compromised machines.
regards, Igor
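
A detection sketch for the pattern described in this message, added here as an example and not part of the original thread: it flags runs of router-originated neighbor discovery lookups whose targets increment by one. The event format, the `find_sweeps` name, the thresholds and the sample addresses (documentation prefix 2001:db8::/32) are all assumptions.

```python
import ipaddress

# Constructed sample: (seconds, target address the router tried to resolve on-link).
SAMPLE = [
    (0.0, "2001:db8:0:1::1"), (0.5, "2001:db8:0:1::2"), (1.0, "2001:db8:0:1::3"),
    (1.2, "2001:db8:0:1::3"),               # retransmit for an unresolved target
    (1.3, "2001:db8:0:1:21c:42ff:fe00:9"),  # ordinary lookup for a live host
    (1.5, "2001:db8:0:1::4"), (2.0, "2001:db8:0:1::5"), (2.5, "2001:db8:0:1::6"),
    (3.0, "2001:db8:0:1::7"), (3.5, "2001:db8:0:1::8"),
    (20.0, "2001:db8:0:1::10"),             # isolated lookup, not part of the run
    (30.0, "2001:db8:0:2::a"), (31.0, "2001:db8:0:2::b"),  # too short to report
]

def find_sweeps(events, min_run=5, max_gap=2.0, prefix_len=64):
    """Return (prefix, first, last, count) for each run of +1 incrementing targets.

    Interleaved lookups for other hosts do not break a run, and a repeated
    lookup for the run's current last target is treated as a retransmit.
    """
    runs = []
    open_runs = {}  # expected next target (as int) -> run dict
    for ts, text in sorted(events, key=lambda e: e[0]):
        addr = ipaddress.IPv6Address(text)
        a = int(addr)
        if a + 1 in open_runs:            # same target again: refresh timestamp only
            open_runs[a + 1]["last_ts"] = ts
            continue
        run = open_runs.pop(a, None)
        if run is None or ts - run["last_ts"] > max_gap:
            run = {"first": addr, "count": 0}   # start a new candidate run
            runs.append(run)
        run["last"], run["last_ts"] = addr, ts
        run["count"] += 1
        open_runs[a + 1] = run
    report = []
    for run in runs:
        if run["count"] >= min_run:
            net = ipaddress.ip_network(f"{run['first']}/{prefix_len}", strict=False)
            report.append((str(net), str(run["first"]), str(run["last"]), run["count"]))
    return report

if __name__ == "__main__":
    for prefix, first, last, count in find_sweeps(SAMPLE):
        print(f"sequential sweep in {prefix}: {first} .. {last} ({count} targets)")
```
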