Saturday, October 24, 2015

Akamai Likes To ping6


A crack in the case of unsolicited ICMPv6 traffic

As I track down the various unsolicited IPv6 traffic hurtled at my servers each day, every now and then I get lucky and come across a simple explanation, such as this one.


I noticed periodic batches of ping requests coming my way. The ping requests came in pairs, and had ascending hop limit values (this translates to the TTL field in IPv4 terms).

Sample (I translated the packets into a CSV table to mask my network info specifics).

"_time",SRC,HOPLIMIT,PROTO,TYPE,SEQ
"2015-10-24T02:03:28.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",4,ICMPv6,128,53535
"2015-10-24T02:03:22.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",4,ICMPv6,128,26655
"2015-10-24T02:03:16.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",4,ICMPv6,128,40990
"2015-10-24T02:03:10.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",3,ICMPv6,128,38173
"2015-10-24T02:03:04.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",3,ICMPv6,128,21020
"2015-10-24T02:02:58.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",3,ICMPv6,128,61466
"2015-10-24T02:02:52.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",2,ICMPv6,128,27673
"2015-10-24T02:02:39.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",2,ICMPv6,128,27921
"2015-10-24T02:02:10.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",2,ICMPv6,128,5883
"2015-10-24T02:01:40.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",1,ICMPv6,128,6373
"2015-10-24T02:01:20.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",1,ICMPv6,128,53205
"2015-10-24T02:01:00.000+0000","2001:0590:0001:0301:0000:0000:42ab:e60f",1,ICMPv6,128,39622


I checked DNS but they had no PTR records. So I checked whois, and I saw them to be owned by Akamai. Akamai serves content - lots of it, for many many sites. They do a great job at it. So I googled "Akamai ipv6 pings" and to my surprise I got some good hits.

As it turns out, an employee of Akamai responded to a query on a public mailing list (the question was asked by someone else who was seeing the same traffic patterns as myself) and shed some light on these pings. (The email: http://lists.cluenet.de/pipermail/ipv6-ops/2013-March/008562.html)

He said, the pings are part of Akamai's process of "finding paths" (finding the best paths) to hosts, so as to optimize the contend delivery process. This makes sense. The funny hop-limit fields most likely generate useful "unreachable" messages from each router along the path until the hop limit is incremented high enough to reach its destination without expiring along the way. This is effectively a traceroute. Although normally trace route uses UDP ports not ping request packets. Both get the job done, and UDP packets are more likely to be blocked by firewalls, so using ICMP  makes sense.

Furthermore the employee provided a means to contact the network department to request a stop to the packets. I don't see any problem with them and I think its a useful way to optimize ontent delivery by using the shortest paths.

One less unidentified traffic pattern on my firewall to worry about :)


1 comment:

  1. l benefited a lot from this article and citing it was simple.

    cordless landline

    ReplyDelete