RE: Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding

To:	"'Peter Bieringer'" <pb@xxxxxxxxxxxx>, <users@xxxxxxxx>
Subject:	RE: Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me
From:	"Jeroen Massar" <jeroen@xxxxxxxxx>
Date:	Tue, 28 Aug 2001 15:58:45 +0200
Cc:	<linux-ipv6@xxxxxxxxxxxxx>, <netdev@xxxxxxxxxxx>, <usagi-users@xxxxxxxxxxxxxx>
Importance:	Normal
In-reply-to:	<20010828131605.4791.qmail@xxxxxxxxxxxxxxxxxx>
Organization:	Unfix
Sender:	owner-netdev@xxxxxxxxxxx

Peter Bieringer <pb@xxxxxxxxxxxx>:

> I got a ICMPv6 ping "echo reply" flood from that host to my tunnel:
> 
> Who the hell is using an IPv6 address out of my space as source
address?
> Looks like IPv6 gateways need anti spoofing filters!
Ofcourse it needs it

> 15:10:17.567312 128.176.191.66 > 195.226.187.50:
> 2001:230:201:1:203:31ff:fe4b:4000 > 3ffe:400:100:f101::40: icmp6: echo
> reply (encap)
from inet -> you

> 15:10:17.567669 195.226.187.50 > 128.176.191.66:
> 2001:230:201:1:203:31ff:fe4b:4000 > 3ffe:400:100:f101::40: icmp6: echo
> reply (encap)
from you -> inet.... which would mean that the ::40 is on the outside of
your tunnel I presume... :)

And where are the echo requests? :)

traceroute6 to 2001:230:201:1:203:31ff:fe4b:4000
(2001:230:201:1:203:31ff:fe4b:4000) from 2001:6e0::250:4ff:fe4a:7708, 30
hops max, 16 byte packets
 1  Amsterdam.core.ipv6.intouch.net (2001:6e0::2)  1.157 ms  1.237 ms
0.875 ms
 2  2001:200:0:4402::2 (2001:200:0:4402::2)  79.461 ms  78.731 ms
79.332 ms
 3  3ffe:2e00:e:fffa::1 (3ffe:2e00:e:fffa::1)  529.963 ms  931.205 ms
858.571 ms
 4  2001:230:e:a::2 (2001:230:e:a::2)  663.898 ms *  511.524 ms

hmmm

$ whois -h whois.6bone.net 3ffe:2e00:e:fffa::1
inet6num:     3FFE:2E00::/24
netname:      ETRI
descr:        pTLA delegation for the 6bone
country:      KR
admin-c:      MS3-6BONE
tech-c:       MS3-6BONE
remarks:      This object is automatically converted from the RIPE181
registry
mnt-by:       MNT-ETRI
changed:      mkshin@xxxxxxxxxxxxxx 19980723
changed:      auto-dbm@xxxxxxxxxxxxxxx 20010117
source:       6BONE

$ whois -h whois.apnic.net 2001:230:201:1:203:31ff:fe4b:4000

% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)

inet6num:    2001:230:201::/48
netname:     OPICOM-KRV6-ETRI-20000622
descr:       OPICOM IPv6 Network
country:     KR
admin-c:     MS75-AP
tech-c:      MS75-AP
status:      NLA
notify:      mkshin@xxxxxxxxxxxxxx
mnt-by:      MAINT-KR-ETRI
changed:     mkshin@xxxxxxxxxxxxxx 20000622
source:      APNIC

person:      Myung-Ki Shin
address:     161 Kajong-Dong, Yusong-Gu,
address:     Taejon, 305-350, Korea
country:     KR
phone:       +82-42-860-4847
fax-no:      +82-42-861-5404
e-mail:      mkshin@xxxxxxxxxxxxxx
nic-hdl:     MS75-AP
mnt-by:      MAINT-KR-ETRI
changed:     mkshin@xxxxxxxxxxxxxx 20000309
source:      APNIC

Also found on http://www.krv6.net/whois.htm with google...

Hope this little extra info helps...

Oh btw the other registries I always try are:
whois.[apnic.net|arin.org|ripe.net] these cover the most space... and if
it isn't in there check http://www.apnic.net/maps/tld-list.html for the
tld's :)

And don't forget to contact your upstreams if you want to stop it this
instant...

Greets,
 Jeroen

<Prev in Thread]	Current Thread	[Next in Thread>
Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, Peter Bieringer RE: Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, Jeroen Massar <= RE: Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, NDSoftware

Previous by Date:	Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, Peter Bieringer
Next by Date:	RE: Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, NDSoftware
Previous by Thread:	Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, Peter Bieringer
Next by Thread:	RE: Who is 2001:230:201:1:203:31ff:fe4b:4000, it's ping-reply flooding me, NDSoftware
Indexes:	[Date] [Thread] [Top] [All Lists]