
anyone else getting these "attacks" ? ipv6 ttl 0 invalid traffic

Hi. As a Home user I have only the community for support. Recently I have been getting these so-called attacks "TTL 0 Invalid Traffic".

Curiously the target is an ipv6 IP that is not mine, and the attackers are all ipv6 link local addresses that are also not mine. I have these whether or not I turn on ipv6 on my XG. I don't get a prefix delegation from my ISP so there is nothing really IPV6 that could go on inside my router.

anyone else seeing these?

BAD-Traffic 0 ttl, IPV6-NoNxt:60100

 

thanks!

nrf



This thread was automatically locked due to age.
  • on the control center when I click on yesterday's intrusion attacks, this is one that shows. clicking on it provides further details.

    as Heisenberg predicts, none of them show up for yesterday.

  • 2018-08-20 09:32:57 IPS messageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="2" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::3cd8:b7ff:7a84:27d2" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

     

    it would be nice to know what interfaces were involved. I will split my default rule to better narrow down the source network

  • Hi Neal,

    please post an expanded view of firewall rule 2.

    Ian

  • I will do that when I catch a new one, I've deleted that rule

  • 2018-08-20 22:45:24 IPS messageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="6" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::74ee:5596:80cf:2bf0" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

    rule 6 :

    Accept LAN/Any/All the Time -> WAN/Any/Any
    Scan HTTP and FTP
    Intrusion Prevention is lan2wan_general
    masquerade
    no traffic shaping
    use my custom web policy and app control

    ping -6 fe80::74ee:5596:80cf:2bf0 shows unreachable
    ping -6 2001:0:9d38:90d7:ce0:1595:9718:d640 shows "transmit failure" - there is no path for ipv6 to get to the internet

  • Hi Neal,

    looking very like one of your devices is the culprit. FE80:: is an internal address or used by your ISP as the link from your router to their router.

    No country for either source or destination.

    Ian

  • sure, one can infer from the rule that it is originating locally. over the course of a week there are 3 different target IPs and 17 different source IPs. so far I have not matched any of them with the link local IPs on my network. it is as if something in my house is 'spoofing' its ip while it seeks to 'phone home'.

    I'm open to suggestions...

    nrf

  • Hi Neal,

    I did a quick internet search for port 3544. I found it is used by Teredo (IPv6) tunnels and Xboxes. Windows uses Teredo by default; also, all W10 devices have many FE addresses in their configuration. Just some places to check.

    Ian

  • normally that would be the port of the destination, and the traffic would be v4 udp based but carrying v6 inside it. this appears to be an actual ipv6 message.

  • Hi Neal,

    It does not seem to be in the routing table. I would advise conducting a packet capture to find the MAC address of that machine. Until you identify the machine, you may create a rule to block any traffic from this MAC address.

    You can find them via packet capture

    tcpdump -e 'host <Source IPv6 address>'

    If you get an entry on console, investigate the source.
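
Added example, not written by any participant in this thread: a Python sketch that parses one of the IPS log lines posted above and unpacks the destination using the Teredo address layout from RFC 4380 (prefix 2001::/32, then server IPv4, flags, and the XOR-obfuscated mapped port and IPv4), so the decoded port can be compared with the logged dst_port. It also reports whether the link-local source is EUI-64 formed, which is the only case where a MAC can be read straight out of the address. The function names and the shortened sample line are choices made for this example.

```python
import ipaddress
import re

# Log line copied from the thread (sig_id 1321), shortened to the fields used here.
SAMPLE = ('messageid="07001" log_type="IDP" sig_id="1321" message="BAD-TRAFFIC 0 ttl" '
          'src_ip="fe80::74ee:5596:80cf:2bf0" '
          'dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" '
          'protocol="59" src_port="3544" dst_port="60010"')

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo prefix, RFC 4380


def parse_fields(line):
    """Split a key="value" style log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def decode_teredo(addr):
    """Return the fields packed into a Teredo address, or None if not Teredo."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": int.from_bytes(raw[8:10], "big"),
        # Mapped port and address are stored with every bit inverted.
        "mapped_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "mapped_ipv4": str(ipaddress.IPv4Address(
            int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }


def triage(line):
    """Summarise what the addresses in one IPS log line reveal."""
    f = parse_fields(line)
    src = ipaddress.IPv6Address(f["src_ip"])
    teredo = decode_teredo(f["dst_ip"])
    return {
        "src_link_local": src.is_link_local,
        # EUI-64 interface IDs carry ff:fe in the middle; others hide the MAC.
        "src_eui64": src.packed[11:13] == b"\xff\xfe",
        "teredo": teredo,
        "dst_port_is_mapped_port": bool(teredo)
        and int(f["dst_port"]) == teredo["mapped_port"],
        "teredo_port_3544_seen": "3544" in (f["src_port"], f["dst_port"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

When the source is not EUI-64 formed, the address alone will not identify the device, so the MAC has to come from the `-e` packet capture suggested above.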