[unisog] Anybody seen this before
Bill Owens
owens at nysernet.org
Wed Sep 24 01:02:10 GMT 2008
On Tue, Sep 23, 2008 at 04:37:22PM -0700, Peter Van Epp wrote:
> Anyone know if this is the latest attempt to beat the packeteer (which
> is my current guess)? DSCC tossed up what it said was an IPV6 ping scan which
> surprised us, as we aren't routing V6 however looking at the packet it appears
> to be a V4 packet with a V6 header and udp packet inside it. My first guess
> (since most of them are coming from wireless) is an attempt to evade the
> packeteer (which I think won't work because I expect it will hit default which
> is shaped although I haven't verified that yet):
>
> 16:13:21.296647 00:12:1e:1c:f4:1f > 00:11:88:05:5d:31, ethertype IPv4 (0x0800), length 596: (tos 0x0, ttl 55, id 6364, offset 0, flags [none], proto IPv6 (41), length 582) 67.87.xxx.xxx > 142.58.xxx.xx: (hlim 128, next-header: UDP (17), length: 522) 2002:4357:ca92::4357:ca92.48920 > 2002:8e3a:c70a:9:219:e3ff:fed6:2147.37814: UDP, length 514
> 0x0000: 4500 0246 18dc 0000 3729 0585 4357 ca92 E..F....7)..CW..
> 0x0010: 8e3a c70a 6000 0000 020a 1180 2002 4357 .:..`.........CW
> 0x0020: ca92 0000 0000 0000 4357 ca92 2002 8e3a ........CW.....:
> 0x0030: c70a 0009 0219 e3ff fed6 2147 bf18 93b6 ..........!G....
> 0x0040: 020a d078 0000 0405 002a 957c eb8a 7d5f ...x.....*.|..}_
> 0x0050: 53a8 S.
It's a 6to4 packet, which is a technique for auto-tunneling v6 inside v4 by generating v6 addresses based on the v4 addresses. Given the v6 address format I'd guess that it came from a Windows machine. The source and dest v4 addresses are encoded in the repeated hex bytes inside the v6 addresses (67.87.202.146 and 142.58.199.10). Microsoft has docs on how and when 6to4 is used by their stack. . .
Bill.
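As an added illustration of what Bill describes (not code from the original thread), the following parses the hex dump from Peter's capture: it checks the outer IPv4 header for protocol 41, reads the inner IPv6 header, pulls the v4 addresses embedded in the 2002::/16 (6to4) addresses, and flags whether they match the outer v4 endpoints, which is the consistency check a monitoring script would want.

```python
import ipaddress
import struct

# Packet bytes reassembled from the tcpdump hex dump in the quoted post (first 0x52 bytes).
PACKET_HEX = (
    "4500 0246 18dc 0000 3729 0585 4357 ca92"
    "8e3a c70a 6000 0000 020a 1180 2002 4357"
    "ca92 0000 0000 0000 4357 ca92 2002 8e3a"
    "c70a 0009 0219 e3ff fed6 2147 bf18 93b6"
    "020a d078 0000 0405 002a 957c eb8a 7d5f"
    "53a8"
)
PACKET = bytes.fromhex(PACKET_HEX.replace(" ", ""))

SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def embedded_v4(v6):
    """Return the IPv4 address encoded in a 6to4 address (2002:AABB:CCDD::/48), else None."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTOFOUR_PREFIX:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def parse_6to4(pkt):
    """Parse an IPv4 packet carrying protocol 41 (IPv6-in-IPv4) and describe both layers."""
    ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 41:
        raise ValueError("not an IPv6-in-IPv4 (protocol 41) packet")
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    outer_dst = ipaddress.IPv4Address(pkt[16:20])
    inner = pkt[ihl:]                      # IPv6 header starts right after the IPv4 header
    if inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 header")
    next_header = inner[6]                 # 17 = UDP in the captured packet
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    emb_src, emb_dst = embedded_v4(inner_src), embedded_v4(inner_dst)
    return {
        "outer_src": str(outer_src), "outer_dst": str(outer_dst),
        "inner_src": str(inner_src), "inner_dst": str(inner_dst),
        "next_header": next_header,
        "embedded_src": str(emb_src), "embedded_dst": str(emb_dst),
        # A host's 6to4 address should embed the v4 endpoints actually used on the wire;
        # a mismatch is worth alerting on since it means the inner addresses are not genuine 6to4.
        "consistent": emb_src == outer_src and emb_dst == outer_dst,
    }
```

Running it on the captured bytes recovers 67.87.202.146 and 142.58.199.10 from the inner addresses, matching the outer header as Bill notes.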