
The Day™ has finally arrived. I've avoided IPv6 until now, but my blissful ignorance must end.

My ISP notified me that a device on my network performed a DNS lookup for one of the C&C servers taken offline in the recent law enforcement action against the Avalanche botnet. I need to find that device and deal with it, so I enabled logging on my DNS server. Finally, after four days, a matching DNS lookup request was made, but to my dismay the request came from the address fe80::113d:d91e:e685:943b. Crap. I'm a noob when it comes to IPv6 and I've got a machine on my 60+ node network that is part of a malware-spewing botnet.

I ran tracert and determined it's on the local link and currently online:

Tracing route to fe80::113d:d91e:e685:943b over a maximum of 30 hops

  1     9 ms    <1 ms     1 ms  fe80::113d:d91e:e685:943b

With an IPv4 device I can look at my DHCP leases to get the device name. Failing that, I'd ping it, then run arp -a to get its MAC address, which at least gives me the manufacturer. But this network doesn't have an IPv6 DHCP server and arp doesn't seem to speak IPv6.

I attempted a crash course in IPv6 and learned that the fe80 prefix means the address is link-local and that I can supposedly derive the MAC address from the address. I tried that and got the MAC 13:3d:d9:85:94:3b. None of the OUI lookup tools recognize it and it doesn't appear in my IPv4 DHCP leases.

How can I determine which device on my network has this IPv6 address?

My servers and the machines where I do my troubleshooting are running Windows.

1 Answer

Thanks to this comment on another Super User answer, I discovered the command:

netsh int ipv6 show neighbors

To my great joy I discovered it tells me the MAC address of devices on the local link, just like arp -a does:

Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
<redacted>
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
<redacted>

I was then able to compare the Physical Address to the IPv4 leases on my DHCP server and obtain the NetBIOS name of the offending device. Easy peasy.


I still don't understand why this MAC address is resulting in this particular IPv6 Address. According to this online converter, its link local IPv6 address should be fe80::4e72:b9ff:fed2:b55d. But that's another question...

  • The reason you can't convert the link-local address to a MAC address is that it uses a newer algorithm for creating addresses. The original algorithm did use the MAC address, and such addresses can be identified by the ff:fe bit in the middle of the second half of the address. Using MAC addresses in that way was considered bad for privacy, so newer algorithms randomize the address. – Commented Dec 17, 2017 at 7:46
  • I just did the same thing to identify a device and it worked, so thank you for posting the answer. What concerns me is that it still depends on IPv4 to identify a device (recognizing/looking up the IPv4 address). Is it game over if you're in an IPv6-only network? – DougN, Commented Dec 9, 2023 at 14:38
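As an added example (not part of the question, the answer or the comments above), the Python script below automates the lookup from the answer and the check the first comment describes: it parses the table that netsh int ipv6 show neighbors prints, joins the MAC against an IPv4 DHCP lease table, and tests whether the address's interface identifier is a modified EUI-64 (ff:fe in the middle, universal/local bit inverted) so you can tell a MAC-derived link-local address from a randomized one. The neighbor rows, the lease table, the IPv4 address and the hostname WORKSTATION-17 are constructed for the example; the first sample row is the EUI-64 address the online converter predicts for 4c-72-b9-d2-b5-5d and the second is the address from the question.

```python
import ipaddress
import re
import sys

# Constructed sample of `netsh int ipv6 show neighbors` output (not the page's real table).
# Row 1 is the modified-EUI-64 address an online converter predicts for 4c-72-b9-d2-b5-5d;
# row 2 is the address from the question, which the same NIC is actually using.
SAMPLE_NETSH = """\
Interface 10: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::4e72:b9ff:fed2:b55d                     4c-72-b9-d2-b5-5d  Reachable
fe80::113d:d91e:e685:943b                     4c-72-b9-d2-b5-5d  Reachable
ff02::1                                       33-33-00-00-00-01  Permanent
"""

# Constructed IPv4 DHCP lease table: MAC -> (IPv4 lease, hostname). Hypothetical values.
SAMPLE_LEASES = {
    "4c-72-b9-d2-b5-5d": ("192.0.2.57", "WORKSTATION-17"),
}

# One data row: IPv6 address, MAC in Windows xx-xx-xx-xx-xx-xx form, then the Type column.
ROW_RE = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(.+?)\s*$", re.I)


def parse_neighbors(text):
    """Return (IPv6Address, mac, type) for every data row of the netsh neighbor table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((ipaddress.IPv6Address(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows


def mac_from_eui64(addr):
    """Recover the MAC from a modified-EUI-64 interface identifier, or None if it is not one.

    The IID is the low 64 bits of the address. RFC 4291 builds it by splitting the
    48-bit MAC, inserting ff:fe in the middle and inverting the universal/local bit
    (0x02 of the first byte), so the reverse is: require ff:fe, drop it, flip that bit.
    Reading the hex digits straight off the address, as the question did, skips the flip.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac_bytes = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02x}" for b in mac_bytes)


def classify_iid(addr, mac):
    """Say how the address's interface identifier relates to the MAC in the neighbor cache."""
    derived = mac_from_eui64(addr)
    if derived is None:
        return "not EUI-64: randomized identifier (RFC 4941 temporary or RFC 7217 style)"
    if derived == mac:
        return "EUI-64 derived from this MAC"
    return f"EUI-64 derived from a different MAC ({derived})"


def identify(netsh_text, leases, target):
    """Look up one IPv6 address in the neighbor table and join it to the DHCP leases."""
    target = ipaddress.IPv6Address(target)
    for addr, mac, ntype in parse_neighbors(netsh_text):
        if addr == target:
            ipv4, hostname = leases.get(mac, (None, None))
            return {"mac": mac, "type": ntype, "iid": classify_iid(addr, mac),
                    "ipv4": ipv4, "hostname": hostname}
    return None  # not in the cache: ping -6 the address first, then retry


if __name__ == "__main__":
    # Usage: netsh int ipv6 show neighbors | python find_neighbor.py fe80::113d:d91e:e685:943b
    text = SAMPLE_NETSH if sys.stdin.isatty() else sys.stdin.read()
    target = sys.argv[1] if len(sys.argv) > 1 else "fe80::113d:d91e:e685:943b"
    print(identify(text, SAMPLE_LEASES, target))
```

Pipe the real table in (netsh int ipv6 show neighbors | python find_neighbor.py <address>) and swap SAMPLE_LEASES for an export of your DHCP server's leases. The neighbor cache only lists hosts the machine has exchanged packets with recently, so ping -6 the address first, as the tracert in the question did. Windows randomizes link-local identifiers by default, which is why the question's address does not decode to the NIC's MAC; the netsh command netsh interface ipv6 set global randomizeidentifiers=disabled turns that off on the hosts you administer. For the IPv6-only case raised in the second comment, the MAC from the neighbor cache still identifies the device; the join just has to be against DHCPv6 leases or the switch's MAC address table instead of IPv4 leases.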
