> However this scan was from a external host. The only traffic I saw on > the subnet was normal/valid NA lookups from the router towards an > increasing IPv6-address (starting with ::1, then ::2 etc). On the > router side I clearly saw the icmp traffic from the source doing a > scan on these destination hosts. typically this fill the NC with faked entries and exhaust the node's cache resources. "This interrupts the normal functions of the targeted IPv6 node."
In other words: The attacker sends a lot of ICMPv6 echo requests to your /64 subnet. Your router has to resolve this addresses internaly (each NA is stored in NC of the router). The node's cace resources are exhausted and no "normal" NA could be stored. I think that was your problem. Unfortunately is there no standardized way to mitigate this attacks, yet. However there are many approaches which could help or could be discussed. (like http://www.freepatentsonline.com/20070130427.pdf or other) best regards, -F
signature.asc
Description: OpenPGP digital signature
