01-23-2017 12:05 PM - edited 03-08-2019 09:01 AM
Hi,
We are an IPv4 only shop but do not block IPv6 traffic nor do we disable the Microsoft dynamic tunnels on PCs.
A QRadar network activity search shows a LOT of traffic between hosts using UDP port 3544. Teredo's default port is UDP 3544.
Many of the destinations are outside our internal address range as well as RFC 1918 addresses; although some are to Microsoft's IP address.
Is this an indication of Teredo tunnels between hosts that traverse the network/Internet with valid public addresses, or is this a potential red herring?
Thank you
Frank
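Added example (not part of Frank's post): a triage script for the kind of UDP/3544 flow export the question describes. Teredo (RFC 4380) carries IPv6 inside IPv4 UDP and a client contacts its Teredo server on UDP 3544, so the first useful cut is to separate the 3544 destinations into your own allocation, other RFC 1918 space, and public addresses. The CSV rows, the column names and the two internal ranges are constructed assumptions; substitute your real QRadar export and your own prefixes.

```powershell
# Added example, not from the original thread. Classify UDP/3544 flow records
# from a QRadar Network Activity export by destination address class.

# Assumed: the shop's own internal allocation (replace with your real prefixes).
$InternalRanges = @('10.10.0.0/16', '192.168.50.0/24')
# RFC 1918 private space.
$Rfc1918 = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Constructed sample export; column names are an assumption about your export.
$FlowCsv = @'
sourceip,destinationip,protocol,destinationport,bytes
10.10.4.21,192.168.99.7,udp,3544,1840
10.10.4.21,10.200.1.1,udp,3544,940
10.10.7.3,203.0.113.50,udp,3544,2210
10.10.7.3,10.10.9.9,udp,3544,512
10.10.7.3,10.10.9.9,tcp,443,33000
'@

# Dotted-quad to a 32-bit value held in Int64 to avoid sign trouble with -shl.
function ConvertTo-IPv4Integer {
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

# True when $Address falls inside the CIDR block $Cidr (IPv4 only).
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $allOnes = [int64]4294967295          # 0xFFFFFFFF as a decimal literal; the hex form is Int32 -1 in PowerShell
    $mask = ($allOnes -shl (32 - [int]$bits)) -band $allOnes
    return (((ConvertTo-IPv4Integer $Address) -band $mask) -eq ((ConvertTo-IPv4Integer $net) -band $mask))
}

# internal = your own ranges; other-private = RFC 1918 you do not own; public = everything else.
function Get-DestinationClass {
    param([string]$Address)
    foreach ($r in $InternalRanges) { if (Test-IPv4InCidr $Address $r) { return 'internal' } }
    foreach ($r in $Rfc1918)        { if (Test-IPv4InCidr $Address $r) { return 'other-private' } }
    return 'public'
}

# Keep only UDP flows to the Teredo server port and tag each with its destination class.
$Teredo = $FlowCsv | ConvertFrom-Csv |
    Where-Object { $_.protocol -eq 'udp' -and [int]$_.destinationport -eq 3544 } |
    Select-Object sourceip, destinationip, bytes,
        @{ Name = 'class'; Expression = { Get-DestinationClass $_.destinationip } }

$Teredo | Sort-Object class | Format-Table -AutoSize
$Teredo | Group-Object class | Select-Object Name, Count
```

On the constructed rows this yields one internal, one public and two other-private destinations, and the TCP/443 row is dropped. Public destinations on UDP 3544 are the expected shape of a Teredo client talking to a server or relay across a NAT, which is what the protocol exists for. A destination in RFC 1918 space that is not yours is the odd case: check those records for which side sent the bytes and which collector or interface reported them before deciding whether to alarm.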
01-23-2017 02:21 PM
Hello,
The traffic almost certainly comes from your Windows clients, which use local and remote IP addresses for IPv6 transition.
Block the port using the Windows firewall as described below and check if you still see the traffic:
https://www.stigviewer.com/stig/windows_7/2013-10-01/finding/V-17449
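Added example (not from the reply above or from the STIG text): a script for the client side of the check the reply suggests. Run from an elevated PowerShell prompt it first reports the Teredo state; with -Enforce it disables the Teredo client and adds an outbound Windows Firewall rule blocking UDP to remote port 3544, so the QRadar search can be repeated to see whether the flows stop. The rule name is an assumption; the cmdlets used (Set-NetTeredoConfiguration, New-NetFirewallRule) exist on Windows 8 / Server 2012 and later, with netsh used as the fallback on Windows 7.

```powershell
# Added example, not from the original thread. Report, and optionally disable
# and block, the Teredo client on a Windows host. Requires an elevated prompt.
param([switch]$Enforce)

$RuleName = 'Block Teredo UDP 3544 outbound'   # assumed rule name

# 1. Current Teredo state (type, server name, client port). Works on Windows 7 and later.
netsh interface teredo show state

# 2. Is the firewall rule already present? (NetSecurity module; absent on Windows 7.)
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) { "Firewall rule '$RuleName' is present (Enabled=$($existing.Enabled))." }
    else           { "Firewall rule '$RuleName' is not present." }
}

if (-not $Enforce) {
    'Report only. Re-run with -Enforce to disable Teredo and add the firewall rule.'
    return
}

# 3. Disable the Teredo client. Prefer the NetworkTransition cmdlet, fall back to netsh.
if (Get-Command Set-NetTeredoConfiguration -ErrorAction SilentlyContinue) {
    Set-NetTeredoConfiguration -Type Disabled
} else {
    netsh interface teredo set state disabled
}

# 4. Block outbound UDP to the Teredo server port so a re-enabled client still cannot
#    reach a Teredo server or relay. Idempotent: only adds the rule if it is missing.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol UDP `
            -RemotePort 3544 -Action Block -Profile Any | Out-Null
    }
} else {
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block protocol=UDP remoteport=3544
}

# 5. Show the result.
netsh interface teredo show state
```

Two notes on the choices. The rule matches the remote port, not the local one, because the Teredo client uses an ephemeral local UDP port and 3544 is the server side. Disabling the client and adding the rule are done together on purpose: a firewall rule alone leaves the interface configured, and a disabled client alone can be re-enabled by a later policy change. For fleet-wide rollout the same setting is available as the "Set Teredo State" policy under Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies.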
01-24-2017 08:29 AM
Hi Georg,
Yes we are confident the tunnel traffic is originating from our internal Windows clients but the remote IP addresses (RFC 1918 and not Internet routable) are NOT part of our internal IP address range AND we do not run IPv6 on any internet/external routers.
ANY idea IF or HOW this traffic is reaching us?
Is it possible this is a red herring and no alarm should be set?
Thank you
Frank