understanding a psad error for src 0000:0000:0000:0000:0000:0000:0000:0000

IMTheNachoMan asked:

My server is generating this psad error. I am not sure what it means. I think it is saying an IPv6 ping request was blocked but am not sure.

And if it is a ping request, is it from the server to another device? I don’t recall anything on my network being IPv6 enabled so I’m confused what it could/would be.

=-=-=-=-=-=-=-=-=-=-=-= Sat Mar  9 22:50:28 2019 =-=-=-=-=-=-=-=-=-=-=-=

         Danger level: [2] (out of 5)

               Source: 0000:0000:0000:0000:0000:0000:0000:0000
                  DNS: [No reverse dns info available]

          Destination: ff02:0000:0000:0000:0000:0000:0000:0016
                  DNS: [No reverse dns info available]

   Overall scan start: Sat Mar  9 22:50:28 2019
   Total email alerts: 1
      Syslog hostname: vm

         Global stats: 
                       chain:   interface:  protocol:  packets:  
                       OUTPUT   enp0s3      icmp6      1         

[+] ICMP6 scan signatures:

   Invalid ICMP type "143" chain=OUTPUT packets=1

[+] Whois Information (source IP):
No whois server is known for this kind of object.

=-=-=-=-=-=-=-=-=-=-=-= Sat Mar  9 22:50:28 2019 =-=-=-=-=-=-=-=-=-=-=-=

My answer:

ICMPv6 type 143 is Version 2 Multicast Listener Report as defined in RFC 3810. It is sent from your node to the local router(s) to advertise its ability (or inability) to receive multicast traffic.

It’s a bit bizarre that PSAD would call this traffic “Invalid” as MLDv2 has only been around for 15 years.

PSAD appears to be an active project; you should report this problem to its developers via whatever bug tracking system they use.

View the full question and any other answers on Server Fault.
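How the alert in the question lines up with the MLDv2 report described in the answer, as an added example (not part of the original answer and not psad code). The function names and the trimmed sample alert are constructed for illustration; the source-address rule (link-local, or :: before one is assigned) and the ff02::16 destination come from RFC 3810.

```python
import ipaddress
import re

# Constructed sample: fields trimmed from the psad alert quoted in the question.
SAMPLE_ALERT = """\
               Source: 0000:0000:0000:0000:0000:0000:0000:0000
          Destination: ff02:0000:0000:0000:0000:0000:0000:0016
                       OUTPUT   enp0s3      icmp6      1
   Invalid ICMP type "143" chain=OUTPUT packets=1
"""

MLDV2_REPORT_TYPE = 143                                # RFC 3810 listener report
ALL_MLDV2_ROUTERS = ipaddress.IPv6Address("ff02::16")  # RFC 3810 report destination


def parse_alert(text):
    """Pull source, destination, ICMPv6 type and chain out of a psad alert body."""
    src = re.search(r"^\s*Source:\s*(\S+)", text, re.M)
    dst = re.search(r"^\s*Destination:\s*(\S+)", text, re.M)
    sig = re.search(r'ICMP type "(\d+)" chain=(\w+)', text)
    if not (src and dst and sig):
        raise ValueError("not an ICMP6 psad alert in the expected layout")
    return {
        "src": ipaddress.IPv6Address(src.group(1)),  # accepts the expanded form
        "dst": ipaddress.IPv6Address(dst.group(1)),
        "icmp_type": int(sig.group(1)),
        "chain": sig.group(2),
    }


def classify(alert):
    """Return a triage verdict for a parsed alert (hypothetical helper)."""
    if alert["icmp_type"] != MLDV2_REPORT_TYPE:
        return "not MLDv2: review"
    if alert["dst"] != ALL_MLDV2_ROUTERS:
        return "type 143 to unexpected destination: review"
    # Source must be link-local, or :: if no link-local address is assigned yet.
    if not (alert["src"].is_unspecified or alert["src"].is_link_local):
        return "type 143 from non-link-local source: review"
    # The OUTPUT chain only sees packets generated by the local host.
    origin = "this host" if alert["chain"] == "OUTPUT" else "a neighbour"
    return f"MLDv2 listener report from {origin}: expected"


if __name__ == "__main__":
    print(classify(parse_alert(SAMPLE_ALERT)))
```
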

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.