How to identify IPv6 device



For the past few days, I've been getting regular incoming traffic firewall notifications/prompts. The address is IPv6 and has an FE80 link-local prefix, but I can't work out what device it is coming from.

I've checked all the devices on the network and none use the address.

I'm thinking that perhaps the router may be the source, but again, I can't find the address anywhere in the router, although there are similarities between parts of the address and the router MAC address.

Is there any way I can find out where the traffic is originating from?

Thanks for any help :)


You have to do some detective work.

5 hours ago, nickster_uk said:

I've checked all the devices on the network and none use the address.

Open up the Win Event log and look under the Audit Failure sections. I am assuming you are blocking the connections presently. You will find the source IP address there. Also if you are getting alerts from the Eset firewall, the blocked connections should be logged there and will contain the source IP address.

I recently upgraded my DSL service and had a new 1000 mbps fiber line installed. As a result I received a new Pace/2Wire router from ATT. I also switched over to an Ethernet connection for my PC. Afterwards, I was getting a lot of blocked inbound IPv6 connections in the Win event log. I extracted the source IP address and did a lookup on it at www.robtex.com. It indicated the IP address was indeed from an ATT server. Next, I observed from the event log that the IPv6 transaction being blocked was protocol 58 destination port 128. This translates to IPv6 Echo Request. OK, so far so good since my ISP is pinging me but why?

Next, I opened up Eset's Network Protection section. Then, opened Personal Firewall configuration. Then, Advanced -> Zones -> Edit. I looked at the IP addresses there and noticed the IP address assigned for an IPv6 DNS server was indeed the previously identified ATT server IPv6 address being blocked. So at this point, I knew it was safe to allow inbound traffic from that IPv6 address.

Finally, I returned back to Eset's Network Protection section. Observed that under the Troubleshooting area, it showed a non-zero count for "Recently block applications or devices." So I opened that section and sure enough, there was my 2Wire router shown as being blocked for the Win System process. FYI - the System process generates the ICMP requests. I selected the "Unblock" button for that entry and let Eset generate the necessary allow firewall rules for inbound IPv6 ICMP from the DNS server address to the associated local subnet FE80 .... address.

Edited by itman

Thanks for the reply and advice itman.

There was nothing relevant in the audit failure section.

There are frequent logged entries in the ESET log, but they don't really show any more information than I already know.

Here's a typical entry:

Communication denied by rule    [fe80::52c7:bfff:fe06:9982]:56278    [fe80::a19a:b3ef:xxxx:xxxx]:546    UDP    IPv6 Test Rule    C:\Windows\System32\svchost.exe    NT AUTHORITY\LOCAL SERVICE

The address in bold is the one I'm trying to identify. The other address is the network adapter.

The mac address of my router's LAN port is:

50:C7:BF:06:99:82

The bolded parts are present in the IPv6 address. Is there a link there, or am I clutching at straws?

There is no IPv6 address in the LAN settings of the router so that's another puzzling aspect.

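The resemblance between the router's MAC address and the unknown fe80:: address is exactly what modified EUI-64 interface identifiers (RFC 4291, Appendix A) produce: the universal/local bit of the first MAC octet is inverted (50 becomes 52) and ff:fe is inserted between the two halves of the MAC. The following Python is an added example, not code from the thread, that performs that derivation in both directions so the pair quoted above can be checked mechanically; the MAC and address are the ones quoted in the thread, and the second adapter address used in the usage note is a constructed sample.

```python
import ipaddress
from typing import Optional

# Added example: relate a link-local IPv6 address to a MAC address via modified EUI-64.
# The MAC / address pair in __main__ is the one quoted in the thread.

LINK_LOCAL_64 = ipaddress.IPv6Network("fe80::/64")


def mac_to_eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Return the fe80::/64 address a device forms from its MAC via modified EUI-64."""
    octets = [int(b, 16) for b in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02  # invert the universal/local bit (0x50 -> 0x52 for the router above)
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])  # splice ff:fe into the middle
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)  # fe80::/64 prefix + 64-bit IID


def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 link-local address.

    Returns None when the address is not in fe80::/64 or its interface identifier
    is not EUI-64 shaped (e.g. the random identifiers Windows uses by default).
    """
    a = ipaddress.IPv6Address(addr.split("%")[0])  # drop a Windows zone index such as %6
    if a not in LINK_LOCAL_64:
        return None
    iid = a.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{o:02x}" for o in octets)


def address_matches_mac(addr: str, mac: str) -> bool:
    """True when addr is exactly the modified-EUI-64 link-local address derived from mac."""
    return ipaddress.IPv6Address(addr.split("%")[0]) == mac_to_eui64_link_local(mac)


if __name__ == "__main__":
    router_mac = "50:C7:BF:06:99:82"
    unknown = "fe80::52c7:bfff:fe06:9982"
    print(mac_to_eui64_link_local(router_mac))          # fe80::52c7:bfff:fe06:9982
    print(link_local_to_mac(unknown))                   # 50:c7:bf:06:99:82
    print(address_matches_mac(unknown, router_mac))     # True
```

The reverse mapping only works for EUI-64 style identifiers. An address like the adapter's fe80::a19a:b3ef:... has no ff:fe in the middle of its identifier, so `link_local_to_mac` returns None for it; that is expected on Windows, which generates random interface identifiers unless the setting is changed, and it is why the adapter address cannot be tied to a MAC the same way.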

5 hours ago, nickster_uk said:

The mac address of my router's LAN port is:

50:C7:BF:06:99:82

Edit your posting to remove your MAC address. You don't want that publicly displayed.


23 hours ago, nickster_uk said:

Communication denied by rule    [fe80::52c7:bfff:fe06:9982]:56278    [fe80::a19a:b3ef:xxxx:xxxx]:546    UDP    IPv6 Test Rule    C:\Windows\System32\svchost.exe    NT AUTHORITY\LOCAL SERVICE

Eset has a default DHCPv6 rule that allows all inbound and outbound traffic from ports 546 and 547 to ports 546 and 547 for remote IP address fe80::/64. Translating the CIDR notation yields an IP range of fe80:0:0:0:0:0:0:0 - fe80:0:0:0:ffff:ffff:ffff:ffff. The fe80 IP addresses you show are within that range. You can read this for reference: https://networkengineering.stackexchange.com/questions/130/why-is-fe80-10-reserved-for-link-local-addresses-when-fe80-64-is-actually-us . DHCPv6 needs an address range fe80::/64 when "Stateless Address Autoconfiguration" is deployed. SLAAC is used when your router does not have a built-in DHCPv6 server. Most home routers do not have a DHCPv6 server enabled since it is not needed for non-business environments.

Edited by itman

Also, when an actual DHCPv6 server is in play, you will see handshake activity similar to that shown below.

In this example, the server's link-local address is fe80::0011:22ff:fe33:5566 and the client's link-local address is fe80::aabb:ccff:fedd:eeff.

  • DHCPv6 client sends a Solicit from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547.
  • DHCPv6 server replies with an Advertise from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546.
  • DHCPv6 client replies with a Request from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547. (Client messages are sent to the multicast address, per section 13 of RFC 3315.)
  • DHCPv6 server finishes with a Reply from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546.

Ref.:  https://en.wikipedia.org/wiki/DHCPv6

Also, there is another variation of the above handshake activity when a DHCPv6 relay server is involved.

Normally, you should not be receiving inbound IPv6 local scope traffic from port 546; especially to a port other than 547 such as occurring in your case i.e. port 56278. Therefore it is possible something is "borked" on your router.

Edited by itman
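The two posts above describe a default DHCPv6 firewall rule (UDP, ports 546/547 on both ends, remote address within fe80::/64) and note that the logged packet falls outside it because of its source port. The Python below is an added example, not code from the thread or from ESET, that parses log lines in the layout quoted earlier and sorts each one by whether the described rule would have covered it. It assumes the columns are separated by runs of two or more spaces and that, as the poster said, the first address is the remote peer and the second is the local adapter; the sample lines are constructed, with the masked part of the adapter address replaced by made-up digits.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example: triage "Communication denied by rule" lines against the default
# DHCPv6 rule described in the thread (UDP 546/547 <-> 546/547, remote in fe80::/64).

LINK_LOCAL_64 = ipaddress.IPv6Network("fe80::/64")
DHCPV6_PORTS = {546, 547}  # clients listen on 546, servers and relays on 547
ENDPOINT = re.compile(r"\[([0-9A-Fa-f:.]+)\]:(\d+)")  # "[addr]:port"


@dataclass
class DeniedEvent:
    event: str
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int
    proto: str
    rule: str
    app: str


def parse_eset_line(line: str) -> DeniedEvent:
    """Split one log line into fields; columns are assumed to be 2+ spaces apart."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) < 6:
        raise ValueError(f"unexpected column count in: {line!r}")
    event, remote, local, proto, rule, app = fields[:6]
    mr, ml = ENDPOINT.fullmatch(remote), ENDPOINT.fullmatch(local)
    if not (mr and ml):
        raise ValueError(f"cannot parse endpoints in: {line!r}")
    return DeniedEvent(event, mr.group(1), int(mr.group(2)),
                       ml.group(1), int(ml.group(2)), proto, rule, app)


def classify(ev: DeniedEvent) -> str:
    """Say how the event relates to the default DHCPv6 rule from the thread."""
    if ev.proto != "UDP" or ev.local_port not in DHCPV6_PORTS:
        return "not-dhcpv6"
    remote = ipaddress.ip_address(ev.remote_ip)
    if remote.version != 6 or remote not in LINK_LOCAL_64:
        return "dhcpv6-port-from-outside-fe80::/64"
    if ev.remote_port in DHCPV6_PORTS:
        return "covered-by-default-dhcpv6-rule"
    return "dhcpv6-port-from-nonstandard-source-port"


def triage(lines: List[str]) -> Dict[str, int]:
    """Count log lines per classification."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = classify(parse_eset_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample lines in the layout quoted in the thread (adapter address made up).
SAMPLE_LINES = [
    r"Communication denied by rule    [fe80::52c7:bfff:fe06:9982]:56278    [fe80::a19a:b3ef:1234:5678]:546    UDP    IPv6 Test Rule    C:\Windows\System32\svchost.exe    NT AUTHORITY\LOCAL SERVICE",
    r"Communication denied by rule    [fe80::52c7:bfff:fe06:9982]:547    [fe80::a19a:b3ef:1234:5678]:546    UDP    IPv6 Test Rule    C:\Windows\System32\svchost.exe    NT AUTHORITY\LOCAL SERVICE",
    r"Communication denied by rule    [2001:db8:1::9]:547    [fe80::a19a:b3ef:1234:5678]:546    UDP    IPv6 Test Rule    C:\Windows\System32\svchost.exe    NT AUTHORITY\LOCAL SERVICE",
    r"Communication denied by rule    [192.168.1.77]:51000    [192.168.1.10]:445    TCP    Block SMB    System    NT AUTHORITY\SYSTEM",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_eset_line(line)
        print(f"{ev.remote_ip}:{ev.remote_port} -> :{ev.local_port} {ev.proto}: {classify(ev)}")
    print(triage(SAMPLE_LINES))
```

Only the first sample reproduces the thread's situation: the remote address is within fe80::/64 and the local port is the DHCPv6 client port, but the source port 56278 is outside 546/547, so the default rule cannot match and the user's own "IPv6 Test Rule" logs it instead.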

On 4/26/2017 at 10:37 AM, nickster_uk said:

There is no IPv6 address in the LAN settings of the router so that's another puzzling aspect.

Sounds like your router is doing the same as mine. It is using 6RD to tunnel an IPv6 address over an IPv4 connection. The ISP then reformats the IPv4 packet into an IPv6 packet and forwards it to its destination. Incoming IPv6 is the reverse of the previous statement.

BTW - did you check with your ISP that it supports IPv6? If not, you want to disable IPv6 in Win network settings for your Ethernet adapter - I assume you are using a local network connection and not Wi-Fi? Finally, if IPv6 keeps acting up, you can just disable it as noted previously and just use IPv4.

You can test your IPv6 connectivity here: http://test-ipv6.com/ . This will also let you know if your router is using 6RD tunneling.

All fe80:: addresses used by your system can also be determined by entering "ipconfig /all" (without the quote marks) from a command prompt window. Normally there are two fe80:: addresses assigned: one for your system and one for the router, as shown below for my existing Ethernet adapter:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : attlocal.net
   Description . . . . . . . . . . . . . . . . . .: Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . . . . .: Yes
   Autoconfiguration Enabled . . . . . : Yes
   IPv6 Address. . . . . . . . . . . . . . . . : 2602:30a:2e2f:db90:bc6f:95da:xxxx:xxxx(Preferred)
   Temporary IPv6 Address. . . . . . .: 2602:30a:2e2f:db90:c5a4:2f24:xxxx:xxxx(Preferred)
   Link-local IPv6 Address . . . . . . . : fe80::bc6f:95da:xxxx:xxxx%6(Preferred)
   IPv4 Address. . . . . . . . . . . . . . . . : 192.168.1.xx(Preferred)
   Subnet Mask . . . . . . . . . . . . . . . .: 255.255.255.0
   Lease Obtained. . . . . . . . . . . . . . : Thursday, April 27, 2017 8:46:34 AM
   Lease Expires . . . . . . . . . . . . . . .: Friday, April 28, 2017 2:10:42 PM
   Default Gateway . . . . . . . . . . . . .: fe80::fa2c:18ff:xxxx:xxxx%6
                                                          192.168.1.254
   DHCP Server . . . . . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . . . . . : 23674xxxx
   DHCPv6 Client DUID. . . . . . . . . .: 00-01-00-01-1F-97-10-1D-xx-xx-xx-xx-xx-xx
   DNS Servers . . . . . . . . . . . . . . . .: 2602:30a:2e2f:db90::1
                                                          64.6.64.6
                                                          64.6.65.6
   NetBIOS over Tcpip. . . . . . . . . . .: Disabled

Edited by itman