The Day™ has finally arrived. I've avoided IPv6 until now, but my blissful ignorance must end.
My ISP notified me that a device on my network performed a DNS lookup for one of the C&C servers taken offline in the recent law enforcement action against the Avalanche botnet. I need to find that device and deal with it, so I enabled logging on my DNS server. Finally, after four days, a matching DNS lookup request was made, but to my dismay the request came from the address fe80::113d:d91e:e685:943b. Crap. I'm a noob when it comes to IPv6 and I've got a machine on my 60+ node network that is part of a malware-spewing botnet.
I ran tracert and determined it's on the local link and currently online:
Tracing route to fe80::113d:d91e:e685:943b over a maximum of 30 hops
1 9 ms <1 ms 1 ms fe80::113d:d91e:e685:943b
With an IPv4 device I can look at my DHCP leases to get the device name. Failing that, I'd ping it, then run arp -a to get its MAC address, which at least gives me the manufacturer. But this network doesn't have an IPv6 DHCP server and arp doesn't seem to speak IPv6.
I attempted a crash course in IPv6 and learned that the fe80 prefix means the address is link-local and I can supposedly derive the MAC address from the address. I tried that and get the MAC 13:3d:d9:85:94:3b. None of the OUI lookup tools recognize it and it doesn't appear in my IPv4 DHCP leases.
How can I determine which device on my network has this IPv6 address?
My servers and the machines where I do my troubleshooting are running Windows.
The reason you can't convert the link-local address to a MAC address is that it uses a newer algorithm for creating addresses. The original algorithm did use the MAC address, and such addresses can be identified by the ff:fe bit in the middle of the second half of the address. Using MAC addresses in that way was considered bad for privacy, so newer algorithms randomize the address. – Sander Steffann – 2017-12-17T07:46:04.433
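As an added illustration of the comment above (example code, not from the question or any answer), the following checks whether a link-local address carries a MAC-derived EUI-64 interface identifier (the ff:fe marker at bytes 4 and 5 of the identifier, with the universal/local bit flipped) and recovers the MAC only in that case; the address from the question has 1e:e6 in that position, so it is a randomized identifier and no MAC can be derived from it. The second address is a constructed example built from a made-up MAC for comparison.

```python
import ipaddress

def eui64_mac(addr: str):
    """Return 'xx:xx:xx:xx:xx:xx' if addr's interface identifier is a
    modified EUI-64 built from a MAC address, otherwise None."""
    ip = ipaddress.IPv6Address(addr.split('%')[0])  # drop Windows zone id, e.g. %12
    iid = ip.packed[8:]                            # low 64 bits = interface identifier
    if iid[3:5] != b'\xff\xfe':                     # EUI-64 inserts ff:fe between the OUI and NIC halves
        return None
    first = iid[0] ^ 0x02                           # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ':'.join(f'{b:02x}' for b in mac)

def mac_to_link_local(mac: str) -> str:
    """Build the fe80::/64 address a host would form from mac using EUI-64."""
    b = bytes.fromhex(mac.replace(':', ''))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b'\xff\xfe' + b[3:6]
    return str(ipaddress.IPv6Address(b'\xfe\x80' + b'\x00' * 6 + iid))

def classify(addr: str) -> str:
    """Explain what can (and cannot) be learned from a single IPv6 address."""
    ip = ipaddress.IPv6Address(addr.split('%')[0])
    if not ip.is_link_local:
        return 'not link-local'
    mac = eui64_mac(addr)
    if mac is None:
        return 'link-local, randomized identifier: MAC not derivable, use the neighbor cache'
    return f'link-local, EUI-64 identifier: MAC {mac}'

if __name__ == '__main__':
    # Address from the question and a constructed EUI-64 address from a made-up MAC.
    for a in ('fe80::113d:d91e:e685:943b', mac_to_link_local('00:1a:2b:3c:4d:5e')):
        print(a, '->', classify(a))
```

For a randomized identifier the remaining option is the neighbor cache on a host on the same link, which on Windows is shown by `netsh interface ipv6 show neighbors` and lists the MAC beside each on-link IPv6 address.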