Date: Thu, 22 Apr 2021 11:06:04 +0200
From: Jörn Clausen <joernc%googlemail.com@localhost>
Message-ID: <CABFsXQcc0VAgQfvQDpAfYu-sNrPgCuLWjSYvF5wSNttuHAyX9Q%mail.gmail.com@localhost>
| BTW: This is all happening on the actual network interface,
| not the loopback interface.
Yes, I knew that, but the NetBSD network stack uses the loopback
interface for local packet delivery, it has to be configured correctly
or (some) things won't work.
| I can see a constant stream of these packets:
|
| 10:31:46.504046 IP6 2a04:52c0:101:7b1::.5344 > ff15::efc0:988f.6771: UDP,
| length 138
Those are multicast packets. Multicast is one of the packet types for
which the interface scopes are important.
What port 6771 is being used for I'm not sure, /etc/services says it is
"plysrv-https" (yes, including for UDP) but it might easily be something
else. Maybe someone else here can recognise it. Or you might check,
initially using netstat, and then perhaps fstat, whether your host has
anything listening on that port.
| 2a04:52c0:101:7b1 is on the same network as my machine
That would be a network prefix, the source addr is 2a04:52c0:101:7b1::
(those extra colons are important, and indicate a host part of all zeroes,
which is unusual, but I don't think actually incorrect).
| (technically, my ISP gave me the address 2a04:52c0:101:162::/64,
That's also a network prefix (a block of 2^64 addresses). A different
one than the prefix of the sender of those packets, though it is unclear
what that prefix (the one assigned to you) is intended for - most likely
for your internal network (if you have one, which for your usage you
probably don't) rather than for the link between the ISP and you, which
might be the 2a04:52c0:101:7b1 prefix.
| but I don't use it and haven't configured the interface with it).
That won't stop multicast packets arriving, the switch shouldn't be
sending them unless something has joined the multicast group, but without
knowing a lot more about how your ISP has configured the connections to
its kvm guests, it is hard to say that anything wrong is happening.
| Every now and then I see this:
|
| 10:31:49.689606 IP6 ::1.52736 > ff15::efc0:988f.6771: UDP, length 139
| 10:31:49.690455 IP6 ::1.6771 > ff15::efc0:988f.6771: UDP, length 139
| 10:31:51.690739 IP6 ::1.52736 > ff15::efc0:988f.6771: UDP, length 139
| 10:31:51.691180 IP6 ::1.6771 > ff15::efc0:988f.6771: UDP, length 139
Those are simply wrong. That ::1 source addr should never be attempting
to send any packets off its host - and if they're arriving over the vioif0
interface, rather than being sent, then some other host out there is
horribly broken (I'd tend to suspect your config first though).
| and this correlates perfectly with /var/log/messages:
|
| [Thu Apr 22 10:31:49 CEST 2021 < 27.000723>] in6_setscope: can't set scope
| for not loopback interface vioif0 and loopback address ::1
Yes, it would. Those packets are nonsense.
| So I see packets on my network interface (i.e. not the loopback interface)
| with a source of ::1. I am waiting for a reply from my ISP if I am seeing
| pink elephants or if there are actually such packets on the network.
If there are, the sender of them needs to be fixed, but I wouldn't be
surprised if something on your host is trying to send those.
| Do you know if port 6771 is some well-known port in IPv6 for housekeeping?
No, it is not a port I recognise. But that means nothing.
| The information I found seems to lean more to malware, and 2a04:52c0:101:7b1
| might not be acting in good faith...?
I don't think I'd be assuming malware, when mistakes are far more likely.
The two most likely possibilities are some kind of mis-config on your host,
or some kind of mis-config on some other host running in a different KVM guest
on the same server.
kre
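
Added example, not part of the original message: a small Python check that reads tcpdump text lines like the ones quoted above and flags the conditions discussed in the reply (a ::1 source seen on a non-loopback interface, an all-zero host part, and the scope of a multicast destination). The function names and the SAMPLE text (rebuilt from the quoted capture, with the wrapped line rejoined) are assumptions of this example.

```python
import ipaddress
import re

# tcpdump text line: "<time> IP6 <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(r"^(\S+) IP6 (\S+)\.(\d+) > (\S+)\.(\d+): ")

# Constructed sample, rebuilt from the capture lines quoted in the message.
SAMPLE = """\
10:31:46.504046 IP6 2a04:52c0:101:7b1::.5344 > ff15::efc0:988f.6771: UDP, length 138
10:31:49.689606 IP6 ::1.52736 > ff15::efc0:988f.6771: UDP, length 139
10:31:49.690455 IP6 ::1.6771 > ff15::efc0:988f.6771: UDP, length 139
"""

# Multicast scope values from RFC 4291 (low nibble of the second byte).
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                5: "site-local", 8: "organization-local", 14: "global"}


def classify(line, iface_is_loopback=False):
    """Return a dict of findings for one tcpdump line, or None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport = m.groups()
    src_ip, dst_ip = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    findings = []
    # ::1 must never appear as a source on a real (non-loopback) interface.
    if src_ip.is_loopback and not iface_is_loopback:
        findings.append("loopback source on non-loopback interface")
    # Low 64 bits all zero: the "host part of all zeroes" case.
    if int(src_ip) & ((1 << 64) - 1) == 0 and not src_ip.is_unspecified:
        findings.append("source interface ID is all zeroes")
    if dst_ip.is_multicast:
        scope = dst_ip.packed[1] & 0x0F
        findings.append("multicast dst, scope " + MCAST_SCOPES.get(scope, str(scope)))
    return {"time": ts, "src": str(src_ip), "dport": int(dport), "findings": findings}


def analyze(text, iface_is_loopback=False):
    """Classify every parseable line of a tcpdump text capture."""
    results = (classify(l, iface_is_loopback) for l in text.splitlines())
    return [r for r in results if r]


if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(r["time"], r["src"], "->", "; ".join(r["findings"]))
```
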