A crack in the case of unsolicited ICMPv6 traffic
As I track down the various unsolicited IPv6 traffic hurtled at my servers each day, every now and then I get lucky and come across a simple explanation, such as this one.I noticed periodic batches of ping requests coming my way. The ping requests came in pairs, and had ascending hop limit values (this translates to the TTL field in IPv4 terms).
Sample (I translated the packets into a CSV table to mask my network info specifics).
"_time",SRC,HOPLIMIT,PROTO,TYPE,SEQ
"2015-10-24T02:03:28.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",4,ICMPv6,128,53535
"2015-10-24T02:03:22.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",4,ICMPv6,128,26655
"2015-10-24T02:03:16.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",4,ICMPv6,128,40990
"2015-10-24T02:03:10.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",3,ICMPv6,128,38173
"2015-10-24T02:03:04.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",3,ICMPv6,128,21020
"2015-10-24T02:02:58.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",3,ICMPv6,128,61466
"2015-10-24T02:02:52.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",2,ICMPv6,128,27673
"2015-10-24T02:02:39.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",2,ICMPv6,128,27921
"2015-10-24T02:02:10.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",2,ICMPv6,128,5883
"2015-10-24T02:01:40.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",1,ICMPv6,128,6373
"2015-10-24T02:01:20.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",1,ICMPv6,128,53205
"2015-10-24T02:01:00.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",1,ICMPv6,128,39622
I checked DNS but they had no PTR records. So I checked whois, and I saw them to be owned by Akamai. Akamai serves content - lots of it, for many many sites. They do a great job at it. So I googled "Akamai ipv6 pings" and to my surprise I got some good hits.
As it turns out, an employee of Akamai responded to a query on a public mailing list (the question was asked by someone else who was seeing the same traffic patterns as myself) and shed some light on these pings. (The email: http://lists.cluenet.de/pipermail/ipv6-ops/2013-March/008562.html)
He said, the pings are part of Akamai's process of "finding paths" (finding the best paths) to hosts, so as to optimize the contend delivery process. This makes sense. The funny hop-limit fields most likely generate useful "unreachable" messages from each router along the path until the hop limit is incremented high enough to reach its destination without expiring along the way. This is effectively a traceroute. Although normally trace route uses UDP ports not ping request packets. Both get the job done, and UDP packets are more likely to be blocked by firewalls, so using ICMP makes sense.
Furthermore the employee provided a means to contact the network department to request a stop to the packets. I don't see any problem with them and I think its a useful way to optimize ontent delivery by using the shortest paths.
One less unidentified traffic pattern on my firewall to worry about :)
l benefited a lot from this article and citing it was simple.
ReplyDeletecordless landline
Very informative post.
ReplyDeleteThanks and regards
Think to Share - Video Production Company in India
Thanks for sharing this article. I would like to read more and share this article
ReplyDeleteThanks for sharing this post I would like to share this Home Renovations Adelaide
ReplyDeleteHi thanks for sharing this article, this article is mind-blowing
ReplyDeleteDo Backlinks
Do Backlinks
Do Backlinks
Hi! I just wish to give you a huge thumbs up for the great info you have here on this post. I am coming back to your blog for more soon.
ReplyDelete사설토토
카지노
This is a very impressive subject. Thank you for always. I have been reading your article interestingly. If possible, please visit my website to read my posts and leave comments. Have a nice day!
ReplyDelete온라인경마
토토사이트