I've noticed something similar on two networks, however it appears to be trying to scan port 80:

13:30:26.387183 IP6 2620:96:a000::5.9999 > 2620:135:5005:71::b0c.80: Flags [S], seq 2063829402, win 65535, length 0
13:30:26.393445 IP6 2620:96:a000::5.9999 > 2620:135:5006:7::703.80: Flags [S], seq 2158423190, win 65535, length 0
13:30:26.430259 IP6 2620:96:a000::5.9999 > 2620:135:500e:3d::804.80: Flags [S], seq 3284825109, win 65535, length 0
13:30:26.432115 IP6 2620:96:a000::5.9999 > 2620:135:5007:2d7::a.80: Flags [S], seq 109350720, win 65535, length 0
13:30:26.460045 IP6 2620:96:a000::5.9999 > 2620:135:5009:998::a.80: Flags [S], seq 3938745191, win 65535, length 0
13:30:26.515579 IP6 2620:96:a000::5.9999 > 2620:135:500b:c92::6.80: Flags [S], seq 430848867, win 65535, length 0
13:30:26.516136 IP6 2620:96:a000::5.9999 > 2620:135:5006:14::b0c.80: Flags [S], seq 515087951, win 65535, length 0
13:30:26.542392 IP6 2620:96:a000::5.9999 > 2620:135:500a:67::30a.80: Flags [S], seq 2626838356, win 65535, length 0
13:30:26.547341 IP6 2620:96:a000::5.9999 > 2620:135:500f:b30::f.80: Flags [S], seq 939521116, win 65535, length 0
13:30:26.549701 IP6 2620:96:a000::5.9999 > 2620:135:500c:b::95.80: Flags [S], seq 1015131109, win 65535, length 0
13:30:26.557200 IP6 2620:96:a000::5.9999 > 2620:135:5009:50::f5.80: Flags [S], seq 217447395, win 65535, length 0

On Tue, Jul 6, 2021, at 4:53 AM, Tore Anderson wrote:
> A couple of hours after midnight UTC, the control plane policers for
> unresolved traffic on a couple of our CE routers started being clogged with
> ping-scanning activity from 2620:96:a000::/48, which belongs to «Internet
> Measurement Research (SIXMA)» according to ARIN.
>
> Excerpt of this traffic (anonymised on our end):
>
> 11:21:05.016914 IP6 2620:96:a000::10 > 2001:db8:1234::f5:7a69: ICMP6, echo request, seq 0, length 16
> 11:21:05.016929 IP6 2620:96:a000::10 > 2001:db8:1234::12:ba74: ICMP6, echo request, seq 0, length 16
> 11:21:05.060045 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, destination unreachable, unreachable address 2001:db8:1234::e7:f473, length 64
> 11:21:05.060060 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, destination unreachable, unreachable address 2001:db8:1234::d4:c4a3, length 64
> 11:21:05.060419 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, destination unreachable, unreachable address 2001:db8:1234::42:198a, length 64
> 11:21:05.064464 IP6 2620:96:a000::10 > 2001:db8:1234::4a:d4cd: ICMP6, echo request, seq 0, length 16
> 11:21:05.079645 IP6 2620:96:a000::10 > 2001:db8:1234::63:b58d: ICMP6, echo request, seq 0, length 16
> 11:21:05.097337 IP6 2620:96:a000::10 > 2001:db8:1234::24:1038: ICMP6, echo request, seq 0, length 16
> 11:21:05.111091 IP6 2620:96:a000::7 > 2001:db8:1234::8f:a126: ICMP6, echo request, seq 0, length 16
> 11:21:05.124112 IP6 2001:db8:1234::3 > 2620:96:a000::7: ICMP6, destination unreachable, unreachable address 2001:db8:1234::e6:70fc, length 64
> 11:21:05.124417 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, destination unreachable, unreachable address 2001:db8:1234::bf:ca18, length 64
> 11:21:05.137509 IP6 2620:96:a000::10 > 2001:db8:1234::12:f0df: ICMP6, echo request, seq 0, length 16
> 11:21:05.142614 IP6 2620:96:a000::7 > 2001:db8:1234::8f:9ec6: ICMP6, echo request, seq 0, length 16
>
> While the CP policer did its job and prevented any significant operational
> impact, the traffic did possibly prevent/delay legitimate address resolution
> attempts as well as trigger loads of pointless address resolution attempts
> (ICMPv6 Neighbour Solicitations) towards the customer LAN.
>
> We just blocked the prefix at our AS border to get rid of that noise. Those
> ACLs are currently dropping packets at a rate of around 600 pps.
>
> I was just curious to hear if anyone else is seeing the same thing, and also
> whether or not people feel that this is an okay thing for this «Internet
> Measurement Research (SIXMA)» to do (assuming they are white-hats)?
>
> Tore
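
Added example (not part of either message in this thread): a small Python tally over tcpdump text output like the excerpts above, grouping probes by source /48 and counting distinct targets plus the targets the local router reported as unreachable. The function names and the min_targets threshold are assumptions chosen for illustration; the sample lines are copied from the two captures above.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: lines copied from the two tcpdump excerpts in this thread.
SAMPLE = """\
13:30:26.387183 IP6 2620:96:a000::5.9999 > 2620:135:5005:71::b0c.80: Flags [S], seq 2063829402, win 65535, length 0
13:30:26.393445 IP6 2620:96:a000::5.9999 > 2620:135:5006:7::703.80: Flags [S], seq 2158423190, win 65535, length 0
11:21:05.016914 IP6 2620:96:a000::10 > 2001:db8:1234::f5:7a69: ICMP6, echo request, seq 0, length 16
11:21:05.060045 IP6 2001:db8:1234::3 > 2620:96:a000::10: ICMP6, destination unreachable, unreachable address 2001:db8:1234::e7:f473, length 64
11:21:05.111091 IP6 2620:96:a000::7 > 2001:db8:1234::8f:a126: ICMP6, echo request, seq 0, length 16
"""

LINE = re.compile(r"^\S+ IP6 (\S+) > (\S+): (.*)$")
UNREACH = re.compile(r"unreachable address (\S+),")

def prefix48(addr):
    """Return the covering /48 of an IPv6 address as a string."""
    return str(ipaddress.ip_network(f"{addr}/48", strict=False))

def summarize(text):
    """Per source /48: distinct probed targets and targets reported unreachable."""
    stats = defaultdict(lambda: {"targets": set(), "unreachable": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        if rest.startswith("Flags [S],"):
            # Bare TCP SYN: tcpdump appends ".port" to each address, strip it.
            src, dst = src.rpartition(".")[0], dst.rpartition(".")[0]
            stats[prefix48(src)]["targets"].add(dst)
        elif rest.startswith("ICMP6, echo request"):
            stats[prefix48(src)]["targets"].add(dst)
        elif "destination unreachable" in rest:
            # Local router answering the prober: address resolution for the
            # target failed, so this probe cost a Neighbour Solicitation.
            u = UNREACH.search(rest)
            if u:
                stats[prefix48(dst)]["unreachable"].add(u.group(1))
    return stats

def scanners(stats, min_targets=3):
    """Source /48s that probed at least min_targets distinct addresses."""
    return sorted(p for p, s in stats.items() if len(s["targets"]) >= min_targets)
```

Feeding it a longer capture and comparing the "unreachable" count with the "targets" count per prefix shows how much of the probing lands on addresses that never resolve.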