anyone else getting these "attacks" ? ipv6 ttl 0 invalid traffic

Hi,

where are you seeing that information from, which report?

Ian

on the control center when I click on yesterdays intrusion attacks, this is one that shows. clicking on it provides further details.

as Heisenberg predicts, none of them show up for yesterday.

2018-08-20 09:32:57IPSmessageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="2" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::3cd8:b7ff:7a84:27d2" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

it would be nice to know what interfaces were involved. I will split my default rule to better narrow down the source network

2018-08-20 09:32:57IPSmessageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="2" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::3cd8:b7ff:7a84:27d2" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

it would be nice to know what interfaces were involved. I will split my default rule to better narrow down the source network

Hi Neal,

please post an expanded view of firewall rule 2.

Ian

I will do that when I catch a new one, I've deleted that rule

2018-08-20 22:45:24IPSmessageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="6" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::74ee:5596:80cf:2bf0" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

rule 6 :

Accept LAN/Any/All the Time -> WAN/Any/Any
Scan HTTP and FTP
Intrusion Prevention is lan2wan_general
masquerade
no traffic shaping
use my custom web policy and app control

ping -6 fe80::74ee:5596:80cf:2bf0 shows unreachable
ping -6 2001:0:9d38:90d7:ce0:1595:9718:d640 shows "transmit failure" - there is no path for ipv6 to get to the internet

Hi Neal,

looking very like one of your devices is the culprit. FE80:: is an internal address or used by your ISP as the link from your router to their router.

No country for either source or destination.

Ian

sure, one can infer from the rule that it is originating locally. over the course of a week there are 3 different target IPs and 17 different source IPs. so far I have not matched any of them with the link local IPs on my network. it is as if something in my house is 'spoofing' its ip while it seeks to 'phone home'.

I"m open to suggestions...

nrf

Hi Neal,

I did a quick internet search for port 3544. I found it is used by Teredo (IPv6) tunnels and Xboxes. Windows uses Teredo by default also all W10 devices have many FE addresses in their configuration. Just some places to check.

Ian

normally that would be the port of the destination, and the traffic would be v4 udp based but carrying v6 inside it. this appears to be an actual ipv6 message.

Hi Neal ,

It does not seem it is in the routing Table, I would advice to conduct a packet capture and find the MAC address of that machine. Untill you identify the machine , you may create a Rule to block any traffic from this Mac address. 

You can find them via packet capture

tcpdump 'host <Srource IPV6 address> -e

If you get an entry on console , investigate the source.

ok, went thru the command line reference, using

tcpdump interface Port1 llh "src port 3544"

now the waiting game

Hi Neal,

You could focus on the destination port instead.