I am seeing thousands of IPS blocked attacks (rule 460 and 461) generated by 2001:470:b:*::1, which is the address of utm. The destinations are my computers also using ipv6. These blocked attacks constitute 98% of the blocked attacks. This was reported in the network protection group in this thread. Is this a bug in the rules or is utm generating bad ICMP packets? (The rules are both broken together, at least there are equal numbers of both attacks.)
Where to Start. I have no exceptions on the above rules (anymore). I have he as the tunnel broker with "tunnelbroker.net" tunnel ID. I do not use "Allow automatic IPv6 renumbering". I use a SBS 2011 to DHCP IPv6 the IP address range from he. So under Support Advavanced routes you should see something like this :- default via 2001:*:*:*::1 dev he.net metric 1024 IPv4 has to be translated to IPv6
Where to Start.
I have no exceptions on the above rules (anymore).
I have he as the tunnel broker with "tunnelbroker.net" tunnel ID.
I do not use "Allow automatic IPv6 renumbering".
I use a SBS 2011 to DHCP IPv6 the IP address range from he.
So under Support Advavanced routes you should see something like this :-
default via 2001:*:*:*::1 dev he.net metric 1024
IPv4 has to be translated to IPv6
Hope this helps
Mark
Thanks very much for your post. I had not noticed the support page prior to your post. There is a lot of interesting info in there. Automatic renumbering was enabled on my system. Based on the description, I didn't think it had anything to do with this, but I disabled it anyway. It made no difference. I am using utm as the dns. It's interesting that you are not getting the exceptions on the rule. Just wondering, are the ipv6 addresses of your hosts showing up in ipv6-test.com or is the address of the client side of the tunnel showing up?
Where to Start.
I have no exceptions on the above rules (anymore).
I have he as the tunnel broker with "tunnelbroker.net" tunnel ID.
I do not use "Allow automatic IPv6 renumbering".
I use a SBS 2011 to DHCP IPv6 the IP address range from he.
So under Support Advavanced routes you should see something like this :-
default via 2001:*:*:*::1 dev he.net metric 1024
IPv4 has to be translated to IPv6
Hope this helps
Mark
Thanks very much for your post. I had not noticed the support page prior to your post. There is a lot of interesting info in there. Automatic renumbering was enabled on my system. Based on the description, I didn't think it had anything to do with this, but I disabled it anyway. It made no difference. I am using utm as the dns. It's interesting that you are not getting the exceptions on the rule. Just wondering, are the ipv6 addresses of your hosts showing up in ipv6-test.com or is the address of the client side of the tunnel showing up?
I spent some time looking into these messages. I'm still getting hundreds or thousands per day. Previously, I had assigned static ipv4 addresses for all of my computers. In order to help me determine which computer the "attacks" are being reported for, I assigned static ipv6 addresses as well.
There is still one ipv6 dhcp lease that I don't know which computer it's for, but the lease is being renewed on an ongoing basis. Based on the MAC address, it doesn't seem to be from my hyper-v server, but every other physical computer on my network has static ipv4 and ipv6 addresses assigned. This address is pingable.
Attacks are also being reported for a computer for which there is no ipv6 lease (either in the lease table or on the webadmin display). From the address, I can tell it was assigned by dhcp. However, the host is not pingable, so it may be left-over from when the ipv6 addresses were being allocated dynamically.
Only one of the computers the attacks are being reported for is a computer that has a static ipv6 address.
