The Day™ has finally arrived. I’ve avoided IPv6 until now, but my blissful ignorance must end.
My ISP notified me that a device on my network performed a DNS lookup for one of the C&C servers taken offline in the recent law enforcement action against the Avalanche botnet. I need to find that device and deal with it, so I enabled logging on my DNS server. Finally after four days a matching DNS lookup request was made, but to my dismay the request came from the address fe80::113d:d91e:e685:943b. Crap. I’m a noob when it comes to IPv6 and I’ve got a machine on my 60+ node network that is part of a malware-spewing botnet.
I ran tracert and determined it’s on the local link and currently online:

Tracing route to fe80::113d:d91e:e685:943b over a maximum of 30 hops

  1     9 ms    <1 ms     1 ms  fe80::113d:d91e:e685:943b
With an IPv4 device I can look at my DHCP leases to get the device name. Failing that, I’d ping it, then run arp -a to get its MAC address, which at least gives me the manufacturer. But this network doesn’t have an IPv6 DHCP server and arp doesn’t seem to speak IPv6.
I attempted a crash course in IPv6 and learned that the fe80 prefix means the address is link-local and I can supposedly derive the MAC address from the address. I tried that and get the MAC 13:3d:d9:85:94:3b. None of the OUI lookup tools recognize it and it doesn’t appear in my IPv4 DHCP leases.
How can I determine which device on my network has this IPv6 address?
My servers and the machines where I do my troubleshooting are running Windows.
netsh int ipv6 show neighbors

To my great joy I discovered it tells me the MAC address of devices on the local link, just like arp -a does:

Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
<redacted>
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
<redacted>
I was then able to compare the Physical Address to the IPv4 leases on my DHCP server and obtain the NetBIOS name of the offending device. Easy peasy.
I still don’t understand why this MAC address is resulting in this particular IPv6 Address. According to this online converter, its link local IPv6 address should be fe80::4e72:b9ff:fed2:b55d. But that’s another question…
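As an added example (not part of the original question or answer), the following Python script parses the text produced by netsh int ipv6 show neighbors, and for each neighbor checks whether its link-local address is the modified EUI-64 form of its MAC (ff:fe inserted in the middle, universal/local bit flipped). Addresses that do not have that shape are randomly generated interface identifiers, which is why the MAC cannot be read back out of them and the neighbor table is the reliable source. The sample output embedded below is constructed to match the format shown in the answer; the function names are mine.

```python
import ipaddress
import re


def mac_to_link_local(mac: str) -> str:
    """Derive the modified-EUI-64 link-local address (fe80::/64) from a MAC."""
    octets = [int(x, 16) for x in re.split(r"[-:]", mac)]
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    octets[0] ^= 0x02                                  # flip the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]     # insert ff:fe in the middle
    iid = int.from_bytes(bytes(eui64), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def link_local_to_mac(addr: str):
    """Reverse the derivation; returns None if the IID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(addr).packed[8:]       # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                                    # random/privacy IID: MAC not recoverable
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{x:02x}" for x in mac)


# One data row of `netsh int ipv6 show neighbors`: address, MAC, state.
NETSH_ROW = re.compile(
    r"^(fe80:[0-9a-f:%]+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_neighbors(text: str) -> dict:
    """Map link-local address -> (MAC, state) from netsh output; header rows are skipped."""
    out = {}
    for line in text.splitlines():
        m = NETSH_ROW.match(line.strip())
        if m:
            out[m.group(1).split("%")[0].lower()] = (m.group(2).lower(), m.group(3))
    return out


# Constructed sample modelled on the netsh output above (not a real capture).
SAMPLE = """\
Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
fe80::4e72:b9ff:fed2:b55d                     4c-72-b9-d2-b5-5d  Stale
"""


def classify(text: str) -> dict:
    """For each neighbor, record its MAC, state and whether the address is EUI-64-derived from it."""
    return {addr: {"mac": mac, "state": state, "eui64_matches_mac": link_local_to_mac(addr) == mac}
            for addr, (mac, state) in parse_neighbors(text).items()}
```

Running classify() on the sample marks fe80::113d:d91e:e685:943b as not EUI-64-derived (the MAC only comes from the neighbor table), while fe80::4e72:b9ff:fed2:b55d is exactly mac_to_link_local("4c-72-b9-d2-b5-5d").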