Re: Scanning activity from 2620:96:a000::/48

["Nick Suan" <nsuan () nonexiste net>]

I've noticed something similar on two networks, however it appears to be trying to scan port 80:

13:30:26.387183 IP6 2620:96:a000::5.9999 > 2620:135:5005:71::b0c.80: Flags [S], seq 2063829402, win 65535, length 0
13:30:26.393445 IP6 2620:96:a000::5.9999 > 2620:135:5006:7::703.80: Flags [S], seq 2158423190, win 65535, length 0
13:30:26.430259 IP6 2620:96:a000::5.9999 > 2620:135:500e:3d::804.80: Flags [S], seq 3284825109, win 65535, length 0
13:30:26.432115 IP6 2620:96:a000::5.9999 > 2620:135:5007:2d7::a.80: Flags [S], seq 109350720, win 65535, length 0
13:30:26.460045 IP6 2620:96:a000::5.9999 > 2620:135:5009:998::a.80: Flags [S], seq 3938745191, win 65535, length 0
13:30:26.515579 IP6 2620:96:a000::5.9999 > 2620:135:500b:c92::6.80: Flags [S], seq 430848867, win 65535, length 0
13:30:26.516136 IP6 2620:96:a000::5.9999 > 2620:135:5006:14::b0c.80: Flags [S], seq 515087951, win 65535, length 0
13:30:26.542392 IP6 2620:96:a000::5.9999 > 2620:135:500a:67::30a.80: Flags [S], seq 2626838356, win 65535, length 0
13:30:26.547341 IP6 2620:96:a000::5.9999 > 2620:135:500f:b30::f.80: Flags [S], seq 939521116, win 65535, length 0
13:30:26.549701 IP6 2620:96:a000::5.9999 > 2620:135:500c:b::95.80: Flags [S], seq 1015131109, win 65535, length 0
13:30:26.557200 IP6 2620:96:a000::5.9999 > 2620:135:5009:50::f5.80: Flags [S], seq 217447395, win 65535, length 0
 

On Tue, Jul 6, 2021, at 4:53 AM, Tore Anderson wrote:
> A couple of hours after midnight UTC, the control plane policers for
> unresolved traffic on a couple of our CE routers started being clogged with
> ping-scanning activity from 2620:96:a000::/48, which belongs to «Internet
> Measurement Research (SIXMA)» according to ARIN.
>
> Excerpt of this traffic (anonymised on our end):
>
> 11:21:05.016914 IP6 2620:96:a000::10 > 2001:db8:1234::f5:7a69: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.016929 IP6 2620:96:a000::10 > 2001:db8:1234::12:ba74: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.060045 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, 
> destination unreachable, unreachable address 2001:db8:1234::e7:f473, 
> length 64
> 11:21:05.060060 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, 
> destination unreachable, unreachable address 2001:db8:1234::d4:c4a3, 
> length 64
> 11:21:05.060419 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, 
> destination unreachable, unreachable address 2001:db8:1234::42:198a, 
> length 64
> 11:21:05.064464 IP6 2620:96:a000::10 > 2001:db8:1234::4a:d4cd: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.079645 IP6 2620:96:a000::10 > 2001:db8:1234::63:b58d: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.097337 IP6 2620:96:a000::10 > 2001:db8:1234::24:1038: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.111091 IP6 2620:96:a000::7 > 2001:db8:1234::8f:a126: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.124112 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, 
> destination unreachable, unreachable address 2001:db8:1234::e6:70fc, 
> length 64
> 11:21:05.124417 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, 
> destination unreachable, unreachable address 2001:db8:1234::bf:ca18, 
> length 64
> 11:21:05.137509 IP6 2620:96:a000::10 > 2001:db8:1234::12:f0df: ICMP6, 
> echo request, seq 0, length 16
> 11:21:05.142614 IP6 2620:96:a000::7 > 2001:db8:1234::8f:9ec6: ICMP6, 
> echo request, seq 0, length 16
>
> While the CP policer did its job and prevented any significant operational
> impact, the traffic did possibly prevent/delay legitimate address resolution
> attempts as well as trigger loads of pointless address resolution attempts
> (ICMPv6 Neighbour Solicitations) towards the customer LAN.
>
> We just blocked the prefix at our AS border to get rid of that noise. Those
> ACLs are currently dropping packets at a rate of around 600 pps.
>
> I was just curious to hear if anyone else is seeing the same thing, and also
> whether or not people feel that this is an okay thing for this «Internet
> Measurement Research (SIXMA)» to do (assuming they are white-hats)?
>
> Tore