Phil Mayers | 5 Dec 2011 20:36

Broken clients performing neigh-adv DoS

All,

We've seen this several times before, and just had a recurrence. It 
pegged the CPU of our router to 100% until I blocked it.

The machines seem to be windows boxes that, for no readily apparent 
reason, suddenly start emitting NA packets at high speed:

06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062057 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062150 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062227 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062316 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062406 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062496 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062581 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062666 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
06.062755 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement

The rate is more than sufficient to overwhelm the puny CPU available on 

Jared Mauch | 5 Dec 2011 20:57

Re: Broken clients performing neigh-adv DoS

Was this right after the machine was rebooting?  I've seen something similar to this before.  Ping me
off-list if the machine was just booting and I can share some details of what I've observed.

- Jared

On Dec 5, 2011, at 2:36 PM, Phil Mayers wrote:

> All,
> 
> We've seen this several times before, and just had a recurrence. It pegged the CPU of our router to 100%
> until I blocked it.
> 
> The machines seem to be windows boxes that, for no readily apparent reason, suddenly start emitting NA
> packets at high speed:
> 
> 06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062057 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062150 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062227 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062316 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062406 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062496 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062581 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062666 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 06.062755 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement
> 
> The rate is more than sufficient to overwhelm the puny CPU available on this particular platform (sup720,
> with a whopping 600MHz to play with!)
> 
> The clients don't seem to be malicious - they're just ordinary windows boxes. They are wired, and don't

Doug Barton | 6 Dec 2011 03:27

Re: Broken clients performing neigh-adv DoS

On 12/05/2011 11:36, Phil Mayers wrote:
> The machines seem to be windows boxes that, for no readily apparent
> reason, suddenly start emitting NA packets at high speed:

Maybe they're lonely?

-- 

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

Phil Mayers | 6 Dec 2011 13:26

Re: Broken clients performing neigh-adv DoS

On 05/12/11 19:36, Phil Mayers wrote:
> All,
>
> We've seen this several times before, and just had a recurrence. It
> pegged the CPU of our router to 100% until I blocked it.
>
> The machines seem to be windows boxes that, for no readily apparent
> reason, suddenly start emitting NA packets at high speed:
>
> 06.061965 IP6 fe80::d62:6e15:4fe3:9f24 > fe80::215:c7ff:fe06:8c00: ICMP6, neighbor advertisement

Thanks all for the various comments.

Just a bit of a follow-up. Further research shows that this particular 
client is actually a "repeat occurrence" - the machine has done the same 
thing before, a few months ago.

One thing I noticed when looking at the .pcap from the ERSPAN of the 
6500 CPU was that the NA packet has:

destination link-address option (2), length 8 (1): f2:80:36:xx:xx:xx

...which is a locally-assigned, unicast MAC that has never appeared 
anywhere on our network - either wireless or wired. Even toggling the 
"local" bit gives an unassigned OUI prefix. Mysterious.

I am waiting for our support staff to steal the machine so I can have a 
look at it, and will let the list know if I find anything.

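The two observations in this thread (a single host emitting NAs at a rate the router CPU cannot absorb, and an NA carrying a locally-administered link-layer address nobody has seen on the wire) can both be checked from a capture. The following Python is an added example, not code from any poster: it counts NAs per source over a sliding window in tcpdump-style text, decodes the I/G and U/L bits of a MAC as Phil did by hand, and recovers a MAC from an EUI-64 link-local address where one exists. Only the two link-local addresses and the `f2:80:36` prefix come from the thread; the sample lines, the quiet host `fe80::1`, and the window/threshold values are constructed assumptions.

```python
"""Added example (not from the thread): spot an ICMPv6 Neighbor
Advertisement flood in tcpdump-style output and examine the link-layer
addresses involved.  Sample data below is constructed for the example."""
import ipaddress
import re
from collections import defaultdict

# Matches "<seconds> IP6 <src> > <dst>: ICMP6, neighbor advertisement"
# as printed by e.g. `tcpdump -tt -n icmp6` (other ICMP6 types are ignored).
NA_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, neighbor advertisement",
    re.IGNORECASE,
)

# Addresses from the thread; everything else here is constructed.
FLOOD_SRC = "fe80::d62:6e15:4fe3:9f24"
ROUTER = "fe80::215:c7ff:fe06:8c00"
QUIET_SRC = "fe80::1"  # constructed, a well-behaved neighbour

# Constructed capture: 500 NAs ~90 us apart from the misbehaving host
# (the spacing seen in the thread), two NAs 1.5 s apart from a normal
# host, and one router advertisement that must not be counted.
SAMPLE_LINES = [
    f"{6.061965 + i * 0.00009:.6f} IP6 {FLOOD_SRC} > {ROUTER}: "
    "ICMP6, neighbor advertisement"
    for i in range(500)
] + [
    f"6.100000 IP6 {QUIET_SRC} > {ROUTER}: ICMP6, neighbor advertisement",
    f"7.600000 IP6 {QUIET_SRC} > {ROUTER}: ICMP6, neighbor advertisement",
    "6.200000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56",
]


def na_rates(lines, window=1.0):
    """Return {src: peak number of NAs seen within any `window` seconds}.

    Timestamps are absolute seconds; a sliding window is kept per source.
    """
    times = defaultdict(list)
    for line in lines:
        m = NA_LINE.match(line)
        if m:
            times[m["src"]].append(float(m["ts"]))
    peaks = {}
    for src, ts in times.items():
        ts.sort()
        start = peak = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks


def flood_sources(lines, window=1.0, threshold=200):
    """Sources whose peak NA count per window exceeds `threshold`.

    A healthy host answers solicitations; hundreds of unsolicited NAs
    per second from one link-local address is the pattern in the thread.
    The threshold is an assumption; tune it to the link's normal churn.
    """
    return sorted(s for s, p in na_rates(lines, window).items() if p > threshold)


def classify_mac(mac):
    """Decode the I/G and U/L bits of a MAC's first octet.

    Redacted octets ("xx", as in the thread) are carried through unchanged.
    `oui_if_universal` is the prefix you would look up in the IEEE registry
    after clearing the locally-administered bit, as Phil did by hand.
    """
    parts = mac.lower().split(":")
    first = int(parts[0], 16)
    universal_first = first & ~0x02
    return {
        "multicast": bool(first & 0x01),            # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
        "oui_if_universal": ":".join([f"{universal_first:02x}"] + parts[1:3]),
    }


def eui64_mac(addr):
    """Recover the MAC from a modified-EUI-64 interface identifier.

    Returns None when the IID is not EUI-64 (e.g. Windows random IIDs),
    which is why the flooding host's address cannot be tied to a MAC this way.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in mac)


if __name__ == "__main__":
    print("flooding sources:", flood_sources(SAMPLE_LINES))
    print("NA option MAC:", classify_mac("f2:80:36:xx:xx:xx"))
    print("router MAC from EUI-64:", eui64_mac(ROUTER))
    print("client MAC from EUI-64:", eui64_mac(FLOOD_SRC))
```

The per-source peak count is deliberately a count rather than an extrapolated packets-per-second figure, so that a single NA in a short window is never reported as a high rate; a control-plane policer or a per-port storm control on the switch is the operational mitigation, and this script only tells you which host to look at.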

Phil Mayers | 6 Dec 2011 18:17

Re: Broken clients performing neigh-adv DoS

On 06/12/11 12:26, Phil Mayers wrote:

> One thing I noticed when looking at the .pcap from the ERSPAN of the
> 6500 CPU was that the NA packet has:
>
> destination link-address option (2), length 8 (1): f2:80:36:xx:xx:xx
>
> ...which is a locally-assigned, unicast MAC that has never appeared
> anywhere on our network - either wireless or wired. Even toggling the
> "local" bit gives an unassigned OUI prefix. Mysterious.
>
> I am waiting for our support staff to steal the machine so I can have a
> look at it, and will let the list know if I find anything.

One final follow-up on this.

I spent some time inspecting the machine earlier today. It was a vanilla 
Windows 7 64-bit machine (Dell, if that matters). There was no peculiar 
hardware (I had been expecting a 2nd NIC, or FireWire or something), no 
unusual software and no sign of trouble in the event logs.

The machine behaved fine when I powered it up on my desk.

In short - it was about as ordinary a machine as you could expect to 
see, and I can find no explanation for the earlier behaviour.

I am still a bit troubled by the peculiar "dest link-address" option we 
saw in the neighbour adv. packet - I am wondering if another machine was 
malfunctioning somewhere, sending unicast neighbour disc. packets to the 
machine, somehow triggering bad replies.

Frank Bulk | 7 Dec 2011 02:41

IPv6-capable load balancers

Anyone have any experience with Kemp Networks or A10 Networks' load
balancers, specifically their IPv6-capabilities?  I've been waiting for
Coyote Point to become feature complete, but there's been more delays and so
I'm looking elsewhere.

Frank

Mohacsi Janos | 7 Dec 2011 09:29

Re: IPv6-capable load balancers


On Tue, 6 Dec 2011, Frank Bulk wrote:

> Anyone have any experience with Kemp Networks or A10 Networks' load
> balancers, specifically their IPv6-capabilities?  I've been waiting for
> Coyote Point to become feature complete, but there's been more delays and so
> I'm looking elsewhere.

Sorry, I don't have experience with the above solutions. If you are 
satisfied with open-source solutions, try *bsd pf+relayd 
https://calomel.org/relayd.html (we have been using it on FreeBSD) or 
Linux Virtual Server 
http://kb.linuxvirtualserver.org/wiki/IPv6_load_balancing (we have also 
been using it for about a year).

Best Regards,
 		Janos Mohacsi

>
> Frank
>
>

John Jason Brzozowski | 7 Dec 2011 13:47

Re: IPv6-capable load balancers

A10 has been pretty good. Vendor is responsive as well.

On Dec 6, 2011 8:42 PM, "Frank Bulk" <frnkblk <at> iname.com> wrote:
> Anyone have any experience with Kemp Networks or A10 Networks' load
> balancers, specifically their IPv6-capabilities?  I've been waiting for
> Coyote Point to become feature complete, but there's been more delays and so
> I'm looking elsewhere.
>
> Frank

Phil Mayers | 7 Dec 2011 14:58

Re: IPv6-capable load balancers

On 07/12/11 01:41, Frank Bulk wrote:
> Anyone have any experience with Kemp Networks or A10 Networks' load
> balancers, specifically their IPv6-capabilities?  I've been waiting for
> Coyote Point to become feature complete, but there's been more delays and so
> I'm looking elsewhere.

We looked at A10 - they seemed capable and responsive. AFAICT they have 
IPv6 parity with IPv4, and good v6/v4 translation options.

F5, Cisco ACE 30 are other options, and both basically have IPv6 parity.

Gert Doering | 7 Dec 2011 15:02

Re: IPv6-capable load balancers

Hi,

On Wed, Dec 07, 2011 at 01:58:56PM +0000, Phil Mayers wrote:
> On 07/12/11 01:41, Frank Bulk wrote:
> > Anyone have any experience with Kemp Networks or A10 Networks' load
> > balancers, specifically their IPv6-capabilities?  I've been waiting for
> > Coyote Point to become feature complete, but there's been more delays and so
> > I'm looking elsewhere.
> 
> We looked at A10 - they seemed capable and responsive. AFAICT they have 
> IPv6 parity with IPv4, and good v6/v4 translation options.
> 
> F5, Cisco ACE 30 are other options, and both basically have IPv6 parity.

Add Citrix Netscalers to that.  *like*.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Executive board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Supervisory board chair: A. Grundner-Culemann
D-80807 Muenchen                   Commercial register: HRB 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            VAT ID: DE813185279

