The Day™ has finally arrived. I’ve avoided IPv6 until now, but my blissful ignorance must end.
My ISP notified me that a device on my network performed a DNS lookup for one of the C&C servers taken offline in the recent law enforcement action against the Avalanche botnet. I need to find that device and deal with it, so I enabled logging on my DNS server. Finally after four days a matching DNS lookup request was made, but to my dismay the request came from the address fe80::113d:d91e:e685:943b. Crap. I’m a noob when it comes to IPv6 and I’ve got a machine on my 60+ node network that is part of a malware-spewing botnet.
I ran tracert and determined it’s on the local link and currently online:
    Tracing route to fe80::113d:d91e:e685:943b over a maximum of 30 hops
      1     9 ms    <1 ms     1 ms  fe80::113d:d91e:e685:943b
With an IPv4 device I can look at my DHCP leases to get the device name. Failing that, I’d ping it, then run arp -a to get its MAC address, which at least gives me the manufacturer. But this network doesn’t have an IPv6 DHCP server and arp doesn’t seem to speak IPv6.
I attempted a crash course in IPv6 and learned that the fe80 prefix means the address is link-local and I can supposedly derive the MAC address from the address. I tried that and got the MAC 13:3d:d9:85:94:3b. None of the OUI lookup tools recognize it and it doesn’t appear in my IPv4 DHCP leases.
How can I determine which device on my network has this IPv6 address?
My servers and the machines where I do my troubleshooting are running Windows.
Answer
Thanks to this comment on another Super User answer, I discovered the command:
    netsh int ipv6 show neighbors
To my great joy I discovered it tells me the MAC address of devices on the local link, just like arp -a does:
Interface 10: Local Area Connection
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
<redacted>
fe80::113d:d91e:e685:943b 4c-72-b9-d2-b5-5d Reachable
<redacted>
I was then able to compare the Physical Address to the IPv4 leases on my DHCP server and obtain the NetBIOS name of the offending device. Easy peasy.
I still don’t understand why this MAC address is resulting in this particular IPv6 address. According to this online converter, its link-local IPv6 address should be fe80::4e72:b9ff:fed2:b55d. But that’s another question…
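As an added example (not code from the question or answer), this Python script does three things the thread touches on: it computes the modified EUI-64 link-local address from a MAC the way the online converter does, it reverses that mapping only when the interface identifier actually carries the ff:fe marker (the asker's address does not, which is why the "derived" MAC 13:3d:d9:85:94:3b matched no OUI; Windows uses randomized interface identifiers by default), and it pulls a neighbor's MAC out of "netsh int ipv6 show neighbors" output. The netsh table embedded below is constructed after the one in the answer, not captured from a live host.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample modelled on the "netsh int ipv6 show neighbors" table in
# the answer; the Stale and multicast rows are made up for illustration.
NEIGHBORS_SAMPLE = """\
Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
fe80::4e72:b9ff:fed2:b55d                     4c-72-b9-d2-b5-5d  Stale
ff02::1                                       33-33-00-00-00-01  Permanent
"""


def mac_to_link_local(mac: str) -> str:
    """Modified EUI-64 (RFC 4291): flip the U/L bit (0x02) of the first
    octet and insert ff:fe between the two halves of the MAC."""
    octets = bytes.fromhex(re.sub(r"[-:.]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def link_local_to_mac(addr: str) -> Optional[str]:
    """Reverse the mapping. Returns None when the interface identifier is
    not modified EUI-64 (no ff:fe marker), e.g. a randomized identifier;
    reading a MAC out of such an address is meaningless."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02x}" for b in octets)


def neighbor_mac(netsh_output: str, addr: str) -> Optional[str]:
    """Find the physical address for a neighbor in netsh output: the reliable
    way to map a link-local address to a MAC, whatever the IID format."""
    target = ipaddress.IPv6Address(addr)
    for line in netsh_output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            if ipaddress.IPv6Address(parts[0]) == target:
                return parts[1].lower()
        except ValueError:  # header, separator and interface lines
            continue
    return None
```

Once the MAC is known, matching it against the IPv4 DHCP lease table (as the answer does) or an OUI database is the next step; the randomized address itself carries no vendor information.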
Attribution
Source: Link, Question Author: I say Reinstate Monica, Answer Author: I say Reinstate Monica