
Anyone else getting these "attacks"? IPv6 TTL 0 invalid traffic

Hi. As a home user I have only the community for support. Recently I have been getting these so-called attacks, "TTL 0 Invalid Traffic".

Curiously, the target is an IPv6 IP that is not mine, and the attackers are all IPv6 link-local addresses that are also not mine. I have these whether or not I turn on IPv6 on my XG. I don't get a prefix delegation from my ISP, so there is nothing really IPv6 that could go on inside my router.

Anyone else seeing these?

BAD-Traffic 0 ttl, IPV6-NoNxt:60100

 

thanks!

nrf



  • Hi,

    where are you seeing that information from, which report?

    Ian

  • On the control center, when I click on yesterday's intrusion attacks, this is one that shows. Clicking on it provides further details.

    As Heisenberg predicts, none of them show up for yesterday.

  • 2018-08-20 09:32:57IPSmessageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="2" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::3cd8:b7ff:7a84:27d2" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

     

    It would be nice to know what interfaces were involved. I will split my default rule to better narrow down the source network.

  • Hi Neal,

    Please post an expanded view of firewall rule 2.

    Ian

  • I will do that when I catch a new one; I've deleted that rule.

  • 2018-08-20 22:45:24IPSmessageid="07001" log_type="IDP" log_component="Signatures" log_subtype="Detect" ips_policy="" ips_policy_id="3" fw_rule_id="6" user="" sig_id="1321" message="BAD-TRAFFIC 0 ttl" classification="Misc activity" rule_priority="3" src_ip="fe80::74ee:5596:80cf:2bf0" src_country="" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" dst_country="" protocol="59" src_port="3544" dst_port="60010" OS="Windows" category="Reconnaissance" victim="Server"

    rule 6 :

    Accept LAN/Any/All the Time -> WAN/Any/Any
    Scan HTTP and FTP
    Intrusion Prevention is lan2wan_general
    masquerade
    no traffic shaping
    use my custom web policy and app control

    ping -6 fe80::74ee:5596:80cf:2bf0 shows unreachable
    ping -6 2001:0:9d38:90d7:ce0:1595:9718:d640 shows "transmit failure" - there is no path for ipv6 to get to the internet

  • Hi Neal,

    Looking very like one of your devices is the culprit. FE80:: is an internal address or used by your ISP as the link from your router to their router.

    No country for either source or destination.

    Ian
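An added example, not part of the thread: a Python sketch for triaging IPS log lines like the two posted above, parsing the key="value" fields and classifying each address with the standard `ipaddress` module (link-local, or the 2001::/32 Teredo prefix of RFC 4380). The sample lines are abbreviated from the posts, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two log entries from the thread, abbreviated.
SAMPLE_LOG = """\
2018-08-20 09:32:57IPSmessageid="07001" log_type="IDP" fw_rule_id="2" sig_id="1321" message="BAD-TRAFFIC 0 ttl" src_ip="fe80::3cd8:b7ff:7a84:27d2" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" protocol="59" src_port="3544" dst_port="60010"
2018-08-20 22:45:24IPSmessageid="07001" log_type="IDP" fw_rule_id="6" sig_id="1321" message="BAD-TRAFFIC 0 ttl" src_ip="fe80::74ee:5596:80cf:2bf0" dst_ip="2001:0:9d38:90d7:ce0:1595:9718:d640" protocol="59" src_port="3544" dst_port="60010"
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def classify(addr):
    """Label an address by scope so odd source/destination pairs stand out."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.is_link_local:
        return "link-local"   # fe80::/10, never routed off the local segment
    if ip.version == 6 and ip.teredo is not None:
        return "teredo"       # 2001::/32, IPv6 tunnelled over IPv4 UDP
    return "private" if ip.is_private else "global"


def parse_line(line):
    """Split one log line into its timestamp and key="value" fields."""
    m = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line[m.end():] if m else line))
    fields["timestamp"] = m.group(0) if m else None
    return fields


def summarize(log_text):
    """Return one triage row per IDP event in the log text."""
    rows = []
    for line in log_text.splitlines():
        if 'log_type="IDP"' not in line:
            continue
        f = parse_line(line)
        rows.append({
            "timestamp": f["timestamp"],
            "fw_rule_id": f.get("fw_rule_id"),
            "message": f.get("message"),
            "src_class": classify(f["src_ip"]),
            "dst_class": classify(f["dst_ip"]),
            # UDP 3544 is the registered Teredo port
            "teredo_port": "3544" in (f.get("src_port"), f.get("dst_port")),
        })
    return rows


def events_per_rule(rows):
    """Count events per firewall rule to see which rule carries the traffic."""
    return Counter(r["fw_rule_id"] for r in rows)
```

Grouping by `fw_rule_id` after splitting a broad rule into per-network rules narrows down which network the source sits on, which is the step proposed in the thread.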
