Router solicitation flood
-
Some information:
pfSense version 2.3.2.
2 wan interfaces with a ipv4 subnet and a ipv6 subnet.
2 pfense machines
Running on esxi 6
Carp.The problem, sometimes, no way to tell when the wan network is flooded with router solicitation requests.
Here is a small packet dump :12:49:33.694049 00:50:56:85:69:60 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 62: (hlim 255, next-header ICMPv6 (58) payload length: 8) :: > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8 12:49:33.694054 00:50:56:85:42:3e > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 62: (hlim 255, next-header ICMPv6 (58) payload length: 8) :: > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8At that moment there are in worse times 1.500.000 million pps and the wan uplink stops to respond.
If i'm correct the router solicitation is send from the mac address to (33:33:00 ) which is a multi-cast address with ip 1 which is our cisco uplink to fiber.Does anyone has a explanation for this? If it happens and I disconnect the wan cable to the cisco is stops.
The sending mac addresses are the 2 pfsense machines wan intefaces. -
http://arstechnica.com/security/2016/08/ipv6-router-bug-juniper-cisco-ddos-attacks/
-
That sounds plausible but we have "router solicitation" and that article is about "neighbor discovery"
Will look deeper into that.