Michael,

Actually, the credit for looking at Netflow goes to Colin.

Richard,

Thanks for getting that project moving forward, and as Michael said, it happens.

Everyone,

Attached are the detailed reports for the 3 alerts we got in that timeframe last night if you want more details.

On Fri, Mar 18, 2022 at 9:24 AM Michael Hare <[log in to unmask]> wrote:

Dave, thanks for the cluebat about looking at netflow.  I didn’t think that one through myself.  I included the top talker we saw below.

 

Richard, thanks for responding and letting us know what happened.  Having been in similar situations myself, “it happens”. 

 

-Michael

 

===/==========

 

** nfdump -M /var/local/flows/live/core  -T  -r nfcapd.202203172000 -n 10 -s record/packets -A srcip,dstip -6

nfdump filter:

router ip 143.235.32.110 and proto icmp6

Aggregated flows 116

Top 10 flows ordered by packets:

Date first seen          Duration                              Src IP Addr                             Dst IP Addr   Packets    Bytes      bps    Bpp Flows

2022-03-17 19:59:59.104    19.456                fe80::1a2a:d300:64dd:ed24                        ff02::1:ff00:254     9.4 M  714.9 M  294.0 M     76     2

 

 

From: MICE Discuss <[log in to unmask]> On Behalf Of David Farmer
Sent: Thursday, March 17, 2022 8:34 PM
To: [log in to unmask]
Subject: Re: [MICE-DISCUSS] icmp v6 nd storm ~ 00:58:01 2022/03/18 GMT?

 

Yes, we saw it, and it reset a bunch of our BGP sessions on MICE.

 

Our Arbor Sightline Netflow says the sources were

 

2001:504:27::d1af:0:241/128 

fe80::8618:88ff:fea4:d301/128 

e80::a66c:2aff:fe76:b400/128

 

Destined to:

All routers ff02::1

All MLD Routers ff02::16

 

And then a solicited-node address of

ff02::1:ff00:254

Don't know the source of that

 

 

On Thu, Mar 17, 2022 at 8:22 PM Michael Hare <[log in to unmask]> wrote:

I presume I wasn't the only one that felt the arp/nd storm that began ~ 00:58:01 2022/03/18 GMT?  Event stopped for us by 01:03:02.  I don't have info about mac addrs but our peering device reported 20kpps of icmp neighbor discovery.

-Michael
[AS3128]


 

--

===============================================
David Farmer               Email:[log in to unmask]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

 


To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
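
An added example, not part of the thread or any poster's own tooling: a Python sketch that reads nfdump aggregated rows of the shape shown above and flags ICMPv6 flows to link-local multicast (including solicited-node addresses) whose packet rate is storm-like. The function names and the 10,000 pps threshold are assumptions, and the sample rows are constructed, with the first modeled on the row quoted in the thread.

```python
import ipaddress
import re

# Solicited-node multicast range (RFC 4291) and link-local multicast scope.
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")
SCALE = {None: 1, "K": 1e3, "M": 1e6, "G": 1e9}

# date time, duration, src, dst, packets (nfdump prints large counts as "9.4 M")
ROW = re.compile(
    r"^\S+ \S+\s+(?P<dur>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>[\d.]+)(?: (?P<unit>[KMG]))?\s"
)

# Constructed sample; the first data row is modeled on the row in the thread.
SAMPLE = [
    "Date first seen  Duration  Src IP Addr  Dst IP Addr  Packets  Bytes  bps  Bpp Flows",
    "2022-03-17 19:59:59.104  19.456  fe80::1a2a:d300:64dd:ed24  ff02::1:ff00:254  9.4 M  714.9 M  294.0 M  76  2",
    "2022-03-17 20:00:01.000  60.000  fe80::db8:1  ff02::1  1200  91200  12160  76  1",
    "2022-03-17 20:00:02.000  30.000  2001:db8::10  2001:db8::20  2.0 M  152.0 M  40.5 M  76  1",
]

def classify_dst(dst):
    """Label a destination as solicited-node, other link-local multicast, or other."""
    addr = ipaddress.ip_address(dst)
    if addr in SOLICITED_NODE:
        return "solicited-node"
    if addr in LINK_LOCAL_MCAST:
        return "link-local-multicast"
    return "other"

def find_storm_flows(lines, pps_threshold=10_000):
    """Return (src, dst, kind, pps) for multicast flows at or above the threshold."""
    hits = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # header, filter echo, or summary line
        try:
            kind = classify_dst(m["dst"])
        except ValueError:
            continue  # destination column was not an IP address
        if kind == "other":
            continue
        packets = float(m["pkts"]) * SCALE[m["unit"]]
        pps = packets / max(float(m["dur"]), 1.0)  # clamp sub-second durations
        if pps >= pps_threshold:
            hits.append((m["src"], m["dst"], kind, round(pps)))
    return sorted(hits, key=lambda h: h[3], reverse=True)
```
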


