I am seeing thousands of IPS blocked attacks (rule 460 and 461) generated by 2001:470:b:*::1, which is the address of utm. The destinations are my computers also using ipv6. These blocked attacks constitute 98% of the blocked attacks. This was reported in the network protection group in this thread. Is this a bug in the rules or is utm generating bad ICMP packets? (The rules are both broken together, at least there are equal numbers of both attacks.)
HI, they have been reported in the 9.1 beta forum. Until your report they were only being seen on sixxs tunnels. I don't see too many, but they occur each day. I must review the logs and see if they equate to IPv6 traffic over the tunnel. The sixxs packets are coming from the far end which in my case and the other person who reported it is the London IPv6 POP.
I moved to Hurricane Electric and I haven't seen this problem again.
Mark
I'm on hurricane. BTW, just to be clear, the blocked attacks are identified as being from the ipv6 address assigned to utm, not the external address of the client side of the tunnel. That implies to me they are being generated inside my network, not outside. However, that's only my assumption based on the address.
Also, just wondering, what does your external ipv6 address show up as? Since I installed 9.080, utm seems to be doing some sort of NAT from the client side ipv6 tunnel address, which the people over at the tunnelbroker forum consider a bug, not a feature.
Interestingly, I have not received any of these since the major power failure last week. The power was off long enough to flatten all the UPS around the place.
Where to Start. I have no exceptions on the above rules (anymore). I have he as the tunnel broker with "tunnelbroker.net" tunnel ID. I do not use "Allow automatic IPv6 renumbering". I use a SBS 2011 to DHCP IPv6 the IP address range from he. So under Support Advavanced routes you should see something like this :- default via 2001:*:*:*::1 dev he.net metric 1024 IPv4 has to be translated to IPv6
Where to Start.
I have no exceptions on the above rules (anymore).
I have he as the tunnel broker with "tunnelbroker.net" tunnel ID.
I do not use "Allow automatic IPv6 renumbering".
I use a SBS 2011 to DHCP IPv6 the IP address range from he.
So under Support Advavanced routes you should see something like this :-
default via 2001:*:*:*::1 dev he.net metric 1024
IPv4 has to be translated to IPv6
Hope this helps
Mark
Thanks very much for your post. I had not noticed the support page prior to your post. There is a lot of interesting info in there. Automatic renumbering was enabled on my system. Based on the description, I didn't think it had anything to do with this, but I disabled it anyway. It made no difference. I am using utm as the dns. It's interesting that you are not getting the exceptions on the rule. Just wondering, are the ipv6 addresses of your hosts showing up in ipv6-test.com or is the address of the client side of the tunnel showing up?
I spent some time looking into these messages. I'm still getting hundreds or thousands per day. Previously, I had assigned static ipv4 addresses for all of my computers. In order to help me determine which computer the "attacks" are being reported for, I assigned static ipv6 addresses as well.
There is still one ipv6 dhcp lease that I don't know which computer it's for, but the lease is being renewed on an ongoing basis. Based on the MAC address, it doesn't seem to be from my hyper-v server, but every other physical computer on my network has static ipv4 and ipv6 addresses assigned. This address is pingable.
Attacks are also being reported for a computer for which there is no ipv6 lease (either in the lease table or on the webadmin display). From the address, I can tell it was assigned by dhcp. However, the host is not pingable, so it may be left-over from when the ipv6 addresses were being allocated dynamically.
Only one of the computers the attacks are being reported for is a computer that has a static ipv6 address.
Hi bd Are you using HE as just a Tunnel or HE as a Tunnel and been assigned a subnet? You have to ask seperately for a Subnet and to get a seperate Tunnel ID and password.
Are you using the IPv6 address range that has been assigned by HE? 1. For the IPv6 Tunnel you will have a ::1 and a ::2 address, the ::2 is terminated at the UTM Box. 2. You normaly are given a /48 range of IPv6 address to use. 3. The ::2 is the exit point.
Make sure that the IPv6 address that you use are in this range. If you have the Mac address of the strange host you can do a mac address lookup in google and that should tell you the manufacture.
