unknown entries in ip -6 neigh
I was checking the neighbor table on my router running OpenWRT 19.07.3, r11063-85e04e9f46 and found the following:
2001:db8::ad10:2cb dev eth1 FAILED
2001:db8::ad10:6ff8 dev eth1 FAILED
2001:db8::ad10:1463 dev eth1 FAILED
2001:db8::ad10:e39 dev eth1 FAILED
2001:db8::ad10:663b dev eth1 INCOMPLETE
2001:db8::ad10:68cd dev eth1 INCOMPLETE
2001:db8::ad10:a257 dev eth1 FAILED
2001:db8::ad10:6fb5 dev eth1 FAILED
2001:db8::ad10:a286 dev eth1 FAILED
2001:db8::ad10:fd33 dev eth1 FAILED
2001:db8::ad10:a38a dev eth1 FAILED
2001:db8::ad10:fa13 dev eth1 FAILED
2001:db8::ad10:8a3b dev eth1 INCOMPLETE
2001:db8::ad10:94e7 dev eth1 INCOMPLETE
2001:db8::ad10:f9cb dev eth1 INCOMPLETE
2001:db8::ad10:663e dev eth1 INCOMPLETE
2001:db8::ad10:e546 dev eth1 FAILED
2001:db8::ad10:5fcc dev eth1 lladdr <mac address masked> REACHABLE
2001:db8::ad10:6fe8 dev eth1 FAILED
2001:db8::ad10:8a3e dev eth1 INCOMPLETE
2001:db8::ad10:f507 dev eth1 INCOMPLETE
2001:db8::ad10:3c1 dev eth1 FAILED
2001:db8::ad10:69d dev eth1 INCOMPLETE
2001:db8::ad10:fd81 dev eth1 FAILED
2001:db8::ad10:b369 dev eth1 FAILED
2001:db8::ad10:dfd dev eth1 FAILED
2001:db8::ad10:a5f8 dev eth1 FAILED
2001:db8::ad10:aa94 dev eth1 FAILED
2001:db8::ad10:a91d dev eth1 INCOMPLETE
2001:db8::ad10:84bf dev eth1 FAILED
2001:db8::ad10:200e dev eth1 INCOMPLETE
2001:db8::ad10:81ce dev eth1 FAILED
2001:db8::ad10:71c dev eth1 FAILED
2001:db8::ad10:8699 dev eth1 FAILED
2001:db8::ad10:4ed1 dev eth1 FAILED
2001:db8::ad10:4163 dev eth1 FAILED
2001:db8::ad10:a4cd dev eth1 INCOMPLETE
2001:db8::ad10:aaf8 dev eth1 FAILED
Of all the addresses in the list, only 1 is a valid host. That makes me think that something in my network is actively scanning 2001:db8:0:ad10::/112?
The valid host is a Proxmox server.
Any ideas anyone?
The all seeing eye sees everything...
Comments
You are most likely right with your assessment about scanning.
Clouvider Limited - VPS in 11 datacenters - Intel Xeon/AMD Epyc with NVMe and 10G uplink! | Dedicated Servers
How can I find the scanner?
The all seeing eye sees everything...
You could log packets destined to these IPs in the firewall.
You could also drop these packets at the firewall and only pass the expected ones.
To be fair, there will be plenty of scanners and if you want to block their sources, then you’re in for a long and uneven fight unfortunately :-(
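One way to act on the logging suggestion in the last reply, as an added example that is not part of the thread: once packets to the probed range are logged, rank each source by how many distinct addresses in that range it tried to reach. The ip6tables rule in the comment, the `v6scan: ` log prefix, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumed logging rule (not from the thread), e.g. placed in
# /etc/firewall.user on OpenWrt 19.07:
#   ip6tables -I FORWARD 1 -d 2001:db8::ad10:0/112 -j LOG --log-prefix "v6scan: "
# FORWARD only sees routed traffic; the range covers the addresses in the question.
LOG_TAG="v6scan: "

# Constructed, trimmed kernel log lines (real ones carry more fields).
sample_log() {
    cat <<'EOF'
[ 5012.101] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00aa:0000:0000:0000:0000:0051 DST=2001:0db8:0000:0000:0000:0000:ad10:02cb LEN=80 PROTO=TCP SPT=40001 DPT=22
[ 5012.102] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00aa:0000:0000:0000:0000:0051 DST=2001:0db8:0000:0000:0000:0000:ad10:6ff8 LEN=80 PROTO=TCP SPT=40002 DPT=22
[ 5012.350] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00bb:0000:0000:0000:0000:0007 DST=2001:0db8:0000:0000:0000:0000:ad10:5fcc LEN=80 PROTO=TCP SPT=51514 DPT=8006
[ 5012.401] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00aa:0000:0000:0000:0000:0051 DST=2001:0db8:0000:0000:0000:0000:ad10:1463 LEN=80 PROTO=TCP SPT=40003 DPT=22
[ 5013.000] br-lan: port 1(eth0.1) entered forwarding state
[ 5013.120] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00aa:0000:0000:0000:0000:0051 DST=2001:0db8:0000:0000:0000:0000:ad10:02cb LEN=80 PROTO=TCP SPT=40001 DPT=22
[ 5013.500] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00bb:0000:0000:0000:0000:0007 DST=2001:0db8:0000:0000:0000:0000:ad10:5fcc LEN=80 PROTO=TCP SPT=51514 DPT=8006
[ 5013.610] v6scan: IN=eth0 OUT=eth1 SRC=2001:0db8:00aa:0000:0000:0000:0000:0051 DST=2001:0db8:0000:0000:0000:0000:ad10:0e39 LEN=80 PROTO=TCP SPT=40004 DPT=22
EOF
}

# Reads log lines on stdin; prints "<distinct targets> <packets> <source>",
# most widely probing source first. Lines without the log prefix are ignored.
rank_scan_sources() {
    awk -v tag="$LOG_TAG" '
    index($0, tag) {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (src == "" || dst == "") next
        # Count each (source, destination) pair once so retries do not inflate it.
        if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
        packets[src]++
    }
    END { for (s in targets) printf "%d %d %s\n", targets[s], packets[s], s }
    ' | sort -k1,1nr -k2,2nr -k3,3
}

# Prints only sources that touched at least $1 distinct addresses (default 3).
suspected_scanners() {
    rank_scan_sources | awk -v min="${1:-3}" '$1 >= min { print $3 }'
}

sample_log | suspected_scanners 3
```

On the router, pipe `logread` output into `rank_scan_sources` instead of the sample; a client that only talks to the one live host shows a target count of 1.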