Weird IPv6 traffic on a new server
Two days ago I created my first server at linode, which is a CentOS 7. At the moment its not running anything, I've only performed the usual security modifications (all services disabled except sshd, login via my private key only, installed the original centos kernel, enabled SELinux, etc etc).
So today, I checked my linode account and I see some nice graphs, one of them shows a lot of IPv6 traffic.
Can someone please explain what this could be?
I've run tcpdump for a while and I'm now in the process of looking at the packets, which seem to range from:
while IPv4 shows practically 0 packets.
The graph is a 5 minute average, roughly 35 bits/second. That's a whopping 262 bytes per minute.
participating in the NTP pool to harvest IPv6 addresses
> Within seconds of one of the Shodan's NTP servers receiving a query from an IPv6 device, Shodan's main scanning engine would scan more than 100 ports belonging to the device. The Shodan scanner would then revisit the device roughly once a day.
Shodan's harvesting scheme came to an abrupt end on Thursday, when NTP Pool Project maintainers ejected the Shodan time-keeping servers from the cluster. Many people say the removal was only fair, since the harvesting wasn't disclosed and went well beyond the service advertised by NTP Time Project. Still, if Shodan-run NTP servers were harvesting IPv6 addresses, it's a reasonable bet that others were and probably still are doing the same thing.
As I said, my comment doesn't apply to your specific case. As others noted before, your traffic is related to local ICMPv6 messages. This might not be the case for everybody. I posted my prior comment for the benefit of anyone else who might happen upon this thread wondering why their server is getting IPv6 traffic.