
Michael,

Actually, the credit for looking at Netflow goes to Colin.

Richard,

Thanks for getting that project moving forward, and as Michael said, it
happens.

Everyone,

Attached are the detailed reports for the 3 alerts we got in that timeframe
last night if you want more details.

On Fri, Mar 18, 2022 at 9:24 AM Michael Hare <
[log in to unmask]> wrote:

> Dave, thanks for the cluebat about looking at netflow.  I didn’t think
> that one through myself.  I included the top talker we saw below.
>
>
>
> Richard, thanks for responding and letting us know what happened.  Having
> been in similar situations myself, “it happens”.
>
>
>
> -Michael
>
>
>
> ===/==========
>
>
>
> ** nfdump -M /var/local/flows/live/core  -T  -r nfcapd.202203172000 -n 10 -s record/packets -A srcip,dstip -6
>
> nfdump filter:
>
> router ip 143.235.32.110 and proto icmp6
>
> Aggregated flows 116
>
> Top 10 flows ordered by packets:
>
> Date first seen          Duration  Src IP Addr                Dst IP Addr       Packets  Bytes    bps      Bpp  Flows
> 2022-03-17 19:59:59.104  19.456    fe80::1a2a:d300:64dd:ed24  ff02::1:ff00:254  9.4 M    714.9 M  294.0 M  76   2
>
>
>
>
>
> *From:* MICE Discuss <[log in to unmask]> * On Behalf Of *David
> Farmer
> *Sent:* Thursday, March 17, 2022 8:34 PM
> *To:* [log in to unmask]
> *Subject:* Re: [MICE-DISCUSS] icmp v6 nd storm ~ 00:58:01 2022/03/18 GMT?
>
>
>
> Yes, we saw it, and it reset a bunch of our BGP sessions on MICE.
>
>
>
> Our Arbor Sightline Netflow says the sources were
>
>
>
> 2001:504:27::d1af:0:241/128
>
> fe80::8618:88ff:fea4:d301/128
>
> e80::a66c:2aff:fe76:b400/128
>
>
>
> Destined to:
>
> All routers ff02::1
>
> All MLD Routers ff02::16
>
>
>
> And then a solicited-node address of
>
> ff02::1:ff00:254
>
> Don't know the source of that
>
>
>
>
>
> On Thu, Mar 17, 2022 at 8:22 PM Michael Hare <
> [log in to unmask]> wrote:
>
> I presume I wasn't the only one that felt the arp/nd storm that began ~
> 00:58:01 2022/03/18 GMT?  Event stopped for us by 01:03:02.  I don't have
> info about mac addrs but our peering device reported 20kpps of icmp
> neighbor discovery.
>
> -Michael
> [AS3128]
>
>
>
>
> --
>
> ===============================================
> David Farmer               Email:[log in to unmask]
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>
>
> ------------------------------
>
> To unsubscribe from the MICE-DISCUSS list, click the following link:
> http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
>


-- 
===============================================
David Farmer               Email:[log in to unmask]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
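
Added example, not part of the original thread: a solicited-node group such as ff02::1:ff00:254 carries the low 24 bits of the unicast address being resolved (RFC 4291), so it can be checked against candidate addresses. The source addresses are the ones quoted in the thread; `2001:db8::254` is a constructed documentation-prefix address, and the function names are hypothetical.

```python
import ipaddress

# RFC 4291: solicited-node multicast = ff02::1:ff00:0/104 plus the low
# 24 bits of the unicast address being resolved.
SOLICITED_NODE_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")

# Fixed link-local groups seen as destinations in the thread.
WELL_KNOWN = {
    ipaddress.IPv6Address("ff02::1"): "all-nodes (RFC 4291)",
    ipaddress.IPv6Address("ff02::16"): "all MLDv2-capable routers (RFC 3810)",
}

def parse_addr(text):
    """Accept 'addr' or 'addr/len' as flow tools print them."""
    return ipaddress.IPv6Interface(text).ip

def solicited_node(unicast):
    """Return the solicited-node group a unicast address listens on."""
    low24 = int(parse_addr(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_NET.network_address) | low24)

def classify_dst(dst):
    """Label a flow destination so ND traffic stands out in a report."""
    ip = parse_addr(dst)
    if ip in WELL_KNOWN:
        return WELL_KNOWN[ip]
    if ip in SOLICITED_NODE_NET:
        return "solicited-node, target ends in %06x" % (int(ip) & 0xFFFFFF)
    return "multicast (other)" if ip.is_multicast else "unicast"

def targets_for(group, candidates):
    """Candidates whose solicited-node group equals the observed group."""
    want = parse_addr(group)
    return [c for c in candidates if solicited_node(c) == want]

# Source addresses as quoted in the thread.
THREAD_SOURCES = [
    "2001:504:27::d1af:0:241/128",
    "fe80::8618:88ff:fea4:d301/128",
    "e80::a66c:2aff:fe76:b400/128",
    "fe80::1a2a:d300:64dd:ed24",
]
CONSTRUCTED = ["2001:db8::254"]  # constructed sample, not from the thread

if __name__ == "__main__":
    for dst in ("ff02::1", "ff02::16", "ff02::1:ff00:254"):
        print(dst, "->", classify_dst(dst))
    for src in THREAD_SOURCES:
        print(src, "listens on", solicited_node(src))
    print(targets_for("ff02::1:ff00:254", THREAD_SOURCES + CONSTRUCTED))
```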