nanog mailing list archives

Re: 2002::/16 [6to4] & abuse


From: TJ <trejrco () gmail com>
Date: Wed, 24 Sep 2014 12:56:03 -0400

2002::/16 would be advertised by anyone *still* operating a 6to4 relay.

A host w/ only IPv4 connectivity could use 6to4 to get access to an
IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation
(Protocol 41) and with a helping hand from publicly operated relays.
Someone with (only?) native IPv6 would not, normally / unintentionally, use
a 6to4 address.  In this case, af2c:785 being on both sides means it is (if
everyone is playing nicely / by the rules) a host at that v4 address doing
this automagically.

Pure supposition:  a compromised host that happens to have, and prefer,
6to4.


/TJ


On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard <
dhubbard () dino hostasaurus com> wrote:

Curious if anyone can tell me, or point me to a link, on how 2002::/16
is actually implemented for 6to4?  Strictly for curiosity.

We had a customer ask about blocking spam from their wordpress blog that
we host and the spammer was using 2002:af2c:785::af2c:785, which was the
first time I'd seen wordpress spam coming from IPv6.  Per RFC3964, I'm
guessing the 175.44.120.5 is just a relay router, not surprisingly, on
the China Net network and the spammer was native v6?

I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands)
from the perspective of my feeds, so that just got me more confused.

Thanks,

David
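
An added example, not part of either message in this thread: decoding the IPv4 address that a 6to4 source carries in bits 16-47, so an abuse report or block rule can cover both the 2002:V4ADDR::/48 prefix and the underlying IPv4 host. The function name and the returned field names are hypothetical; the first sample address is the one quoted in the thread, the others are constructed.

```python
import ipaddress


def decode_6to4(addr):
    """Return 6to4 details for addr, or None if it is not inside 2002::/16."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip.sixtofour is None:
        return None
    v4 = ip.sixtofour  # stdlib helper: IPv4 address embedded in bits 16-47
    # Keep the top 48 bits (2002 + IPv4) to get the site prefix for filtering.
    prefix = ipaddress.IPv6Network(((int(ip) >> 80) << 80, 48))
    # Some hosts repeat the IPv4 address in the low 32 bits of the interface
    # ID, which is the "on both sides" pattern mentioned in the reply above.
    low32 = ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return {
        "embedded_v4": v4,
        "site_prefix": prefix,
        "v4_repeated_in_iid": low32 == v4,
        # A private, loopback or otherwise non-global embedded IPv4 cannot be
        # a legitimate 6to4 source and is worth flagging as spoofed.
        "v4_is_global": v4.is_global,
    }


if __name__ == "__main__":
    samples = [
        "2002:af2c:785::af2c:785",  # address quoted in the thread
        "2002:0a00:0001::1",        # constructed: embeds 10.0.0.1 (private)
        "2001:db8::1",              # constructed: not 6to4 at all
    ]
    for s in samples:
        print(s, "->", decode_6to4(s))
```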


