How can so-called "unallocated" IP addresses appear in web logs?

aCOSwt asked:

My server is currently experiencing a web app attack in which miscellaneous IPv6 addresses are participating.

Several of these addresses are said to belong to so-called unallocated networks.

None of these addresses are currently being reported on the major lists of dirty IPs.

As an example of these: 2002:d15a:e1c3::d15a:e1c3
The remarks section of the whois notes: This object is here for Database consistency.

How can this be possible? Is it worth blacklisting?

My answer:


This is a deprecated 6to4 address, as is any address beginning with 2002:.

6to4 is an IPv6 transition technology that creates an IPv6 tunnel. In its public anycast form, the 6to4 IPv6 address has a 1:1 correspondence with the endpoint’s IPv4 address. In this case, the 6to4 address 2002:d15a:e1c3::d15a:e1c3 corresponds to 209.90.225.195.

That machine didn’t use native IPv6 connectivity, but instead used a 6to4 tunnel through a public 6to4 anycast relay, possibly to attempt to obscure its origin. It could possibly also be misconfiguration; some operating systems (such as Windows) enable public 6to4 by default.


View the full question and any other answers on Server Fault.
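The 6to4 mapping described in the answer, as an added example that is not part of the original question or answer: it decodes the IPv4 address embedded in 2002::/16 client addresses so that blocklist lookups and per-client counts can key on the underlying IPv4 host. The log lines are constructed (only the first address comes from the question), and the function names `origin_key` and `count_origins` are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample access-log lines. Only the 2002:d15a:e1c3:: address is
# from the question; the others use documentation ranges.
SAMPLE_LOG = """\
2002:d15a:e1c3::d15a:e1c3 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512
2001:db8::1 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 1024
2002:c633:6407::1 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512
2002:d15a:e1c3::d15a:e1c3 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512
not-an-ip - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 400 0
"""


def origin_key(client):
    """Map a logged client address to the address worth checking on blocklists.

    6to4 addresses (2002::/16) carry the endpoint's IPv4 address in bits
    16-47, so they are reduced to that IPv4 address. Other valid addresses
    are returned in normalized form. Unparseable fields return None.
    """
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.sixtofour is not None:
        return str(addr.sixtofour)
    return str(addr)


def count_origins(log_text):
    """Count requests per origin, folding 6to4 clients into their IPv4 host."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split(maxsplit=1)
        if not fields:
            continue
        key = origin_key(fields[0])
        if key is not None:
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for origin, hits in count_origins(SAMPLE_LOG).most_common():
        print(f"{origin}\t{hits}")
```

In the constructed log, the host at 198.51.100.7 appears once natively and once through 6to4; keying on the decoded address counts both requests against the same origin.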

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.