
Michael,

Actually, the credit for looking at Netflow goes to Colin.

Richard,

Thanks for getting that project moving forward, and as Michael said, it happens.

Everyone,

Attached are the detailed reports for the 3 alerts we got in that timeframe last night if you want more details.

On Fri, Mar 18, 2022 at 9:24 AM Michael Hare <000000097dab80c5-dmarc-request@lists.iphouse.net> wrote:
Dave, thanks for the cluebat about looking at netflow. I didn’t think that one through myself. I included the top talker we saw below.
Richard, thanks for responding and letting us know what happened. Having been in similar situations myself, “it happens”.
-Michael
===/==========
nfdump -M /var/local/flows/live/core -T -r nfcapd.202203172000 -n 10 -s record/packets -A srcip,dstip -6
nfdump filter:
router ip 143.235.32.110 and proto icmp6
Aggregated flows 116
Top 10 flows ordered by packets:
Date first seen          Duration Src IP Addr               Dst IP Addr       Packets   Bytes     bps  Bpp Flows
2022-03-17 19:59:59.104    19.456 fe80::1a2a:d300:64dd:ed24 ff02::1:ff00:254    9.4 M 714.9 M 294.0 M   76     2
From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> On Behalf Of David Farmer
Sent: Thursday, March 17, 2022 8:34 PM
To: MICE-DISCUSS@LISTS.IPHOUSE.NET
Subject: Re: [MICE-DISCUSS] icmp v6 nd storm ~ 00:58:01 2022/03/18 GMT?

Yes we saw it and it reset a bunch of our BGP sessions on MICE.
Our Arbor Sightline Netflow says the sources were
2001:504:27::d1af:0:241/128
fe80::8618:88ff:fea4:d301/128
e80::a66c:2aff:fe76:b400/128
Destined to:
All routers ff02::1
All MLD Routers ff02::16
And then a solicited-node address of
ff02::1:ff00:254
Don't know the source of that
On Thu, Mar 17, 2022 at 8:22 PM Michael Hare < 000000097dab80c5-dmarc-request@lists.iphouse.net> wrote:
I presume I wasn't the only one that felt the arp/nd storm that began ~ 00:58:01 2022/03/18 GMT? Event stopped for us by 01:03:02. I don't have info about mac addrs but our peering device reported 20kpps of icmp neighbor discovery.
-Michael [AS3128]
--
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
------------------------------
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1