• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Constant IPv6 pings to my firewall

taz420nj

taz420nj

Joined
Jul 21, 2015
Messages
501 (0.14/day)
I'm not real up on IPv6, I don't use it (it's disabled on my LAN, including Teredo) but over the past day or so I've seen a near-constant flood of pings from a single IPv6 address to ff02::1.. Is this a persistent script kiddie whose scanner is stuck on me or what? My logs are usually filled with IPv4 port scans from the usual hacker havens (China, Russia, India, etc) but they usually scan a couple times and thats it. What is the significance of this ff02::1?

pOrZk2G.png
 
It is not as hacker it is a listener and is happening local not via the internet. Part of multicast.
 
Last edited:
DRDNA said:
It is not as hacker it is a listener and is happening local not via the internet. Part of multicast.
Click to expand...

It's not local, it's being blocked by the firewall at the WAN interface. And as I said, nothing on my LAN uses IPv6, it's disabled in everything...
 
taz420nj said:
It's not local, it's being blocked by the firewall at the WAN interface. And as I said, nothing on my LAN uses IPv6, it's disabled in everything...
Click to expand...
even disabled it will still have that listener.
Most firewalls will detect local as well so that doesn't matter.
 
I don't know much about this stuff, but logic tells me it may be something else, or at least have some unusual underlying cause, since he said it didn't start happening until "a day or so" ago.
 
DRDNA said:
even disabled it will still have that listener.
Most firewalls will detect local as well so that doesn't matter.
Click to expand...

Bro. It is NOT LOCAL. It is coming in from the WAN. REPEAT. NOT. LOCAL. See on the third column where it says "WAN"? That means it is an INBOUND request.

hat said:
I don't know much about this stuff, but logic tells me it may be something else, or at least have some unusual underlying cause, since he said it didn't start happening until "a day or so" ago.
Click to expand...

Thank you! I've been using pfSense for over 5 years, and I have NEVER seen a flood like this.

And it is still going....

kyGZ7o9.png
 
Check your services, run mbam, sbsad, sas.

If in question contact your isp for packet sniffers, or refresh your external ip address.
 
taz420nj said:
I'm not real up on IPv6, I don't use it (it's disabled on my LAN, including Teredo) but over the past day or so I've seen a near-constant flood of pings from a single IPv6 address to ff02::1.. Is this a persistent script kiddie whose scanner is stuck on me or what? My logs are usually filled with IPv4 port scans from the usual hacker havens (China, Russia, India, etc) but they usually scan a couple times and thats it. What is the significance of this ff02::1?

pOrZk2G.png
Click to expand...

You can google that IPv6 address, it's a common multi-cast address for streaming content. Unlikely that it has anything to do with hackers.
https://en.wikipedia.org/wiki/IP_multicast
 
taz420nj said:
It's not local, it's being blocked by the firewall at the WAN interface. And as I said, nothing on my LAN uses IPv6, it's disabled in everything...
Click to expand...

Be that as it may its local. My IPv6 is disabled and windows will still try to broadcast using that address.

I took the liberty of visually referencing the needed tables below. I'm sure you will be able to make quick work of it with your extensive networking knowledge.

5a26012f4d45aholyshit.png


taz420nj said:
Bro. It is NOT LOCAL. It is coming in from the WAN. REPEAT. NOT. LOCAL. See on the third column where it says "WAN"? That means it is an INBOUND request.
Click to expand...

While it may be out of turn when networking people respond to a networking question and the "meta" answer is that you are wrong you would do well to be a little more polite and open minded about what you consider fact.
 
Last edited:
Solaris17 said:
Be that as it may its local. My IPv6 is disabled and windows will still try to broadcast using that address.

I took the liberty of visually referencing the needed tables below. I'm sure you will be able to make quick work of it with your extensive networking knowledge.

5a26012f4d45aholyshit.png




While it may be out of turn when networking people respond to a networking question and the "meta" answer is that you are wrong you would do well to be a little more polite and open minded about what you consider fact.
Click to expand...

I wonder if a registry hack will kill it totally
 
You must log in or register to reply here.
Back
Top