Weird IPv6 traffic on a new server

Hello, first post so please be kind :)

Two days ago I created my first server at Linode, which is a CentOS 7. At the moment it's not running anything, I've only performed the usual security modifications (all services disabled except sshd, login via my private key only, installed the original CentOS kernel, enabled SELinux, etc.).

So today, I checked my Linode account and I see some nice graphs, one of them shows a lot of IPv6 traffic.

Can someone please explain what this could be?

![](https://i.imgur.com/tNVkXWs.png)

Thank you.

6 Replies

Look at the scale. You can ignore it.

I understand that the scale shows bits, and the packets are "little" as quantity, but I'm more interested to know what generates this kind of steady traffic, on a server that has sshd listening on an IPv4 address only.

I've run tcpdump for a while and I'm now in the process of looking at the packets, which seem to range from:

- neighbor advertisement
- neighbor solicitation
- router advertisement

while IPv4 shows practically 0 packets.

You've just answered your own question - mostly local ICMPv6 traffic. So you'll be seeing the router announcing the available IPv6 prefix for addresses, the equivalent of ARP packets, etc.

The graph is a 5 minute average, roughly 35 bits/second. That's a whopping 262 bytes per minute.

Not really the case here, but note that Shodan has been participating in the NTP pool to harvest IPv6 addresses. So don't rely on "nobody knows my IPv6 address" as any kind of protection.
> Within seconds of one of the Shodan's NTP servers receiving a query from an IPv6 device, Shodan's main scanning engine would scan more than 100 ports belonging to the device. The Shodan scanner would then revisit the device roughly once a day.
>
> Shodan's harvesting scheme came to an abrupt end on Thursday, when NTP Pool Project maintainers ejected the Shodan time-keeping servers from the cluster. Many people say the removal was only fair, since the harvesting wasn't disclosed and went well beyond the service advertised by NTP Time Project. Still, if Shodan-run NTP servers were harvesting IPv6 addresses, it's a reasonable bet that others were and probably still are doing the same thing.

(Emphasis added.)

Interesting, but why is this an issue for me? The IPv6 address is covered by the same rules that my firewall gets for IPv4. So what if they know some random IPv6 address?

Traffic that is dropped by your firewall is still traffic and will show up on the Linode graphs.

As I said, my comment doesn't apply to your specific case. As others noted before, your traffic is related to local ICMPv6 messages. This might not be the case for everybody. I posted my prior comment for the benefit of anyone else who might happen upon this thread wondering why their server is getting IPv6 traffic.
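
One way to confirm what the replies conclude, that the steady traffic is link-local Neighbor Discovery, is to tally a capture by ICMPv6 type and compute the same average rate the graph shows. This is an added example, not code from the thread: the function names and the sample packets (built from link-local and documentation addresses) are constructed, and it assumes raw packets that start at the IPv6 header with no extension headers.

```python
import ipaddress
import struct
from collections import Counter

# ICMPv6 types used by Neighbor Discovery (RFC 4861)
NDP_TYPES = {133: "router solicitation", 134: "router advertisement",
             135: "neighbor solicitation", 136: "neighbor advertisement",
             137: "redirect"}

def classify(pkt: bytes) -> str:
    """Label one raw packet that starts at the IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not IPv6"
    next_header, hop_limit = pkt[6], pkt[7]
    # 58 = ICMPv6. Extension headers are not walked in this sketch.
    if next_header != 58 or len(pkt) < 41:
        return "other IPv6"
    name = NDP_TYPES.get(pkt[40])
    if name is None:
        return f"other ICMPv6 (type {pkt[40]})"
    # RFC 4861: NDP with hop limit != 255 crossed a router; receivers discard it.
    if hop_limit != 255:
        return f"invalid {name} (hop limit {hop_limit})"
    return name

def summarize(packets, seconds):
    """Return (per-label packet counts, average bits per second)."""
    counts = Counter(classify(p) for p in packets)
    return counts, sum(len(p) for p in packets) * 8 / seconds

def build(src, dst, next_header, hop_limit, payload):
    """Build a constructed sample packet (checksums left as zero)."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

# Constructed sample capture: link-local NDP plus two packets from off-link.
SAMPLE = [
    build("fe80::1", "ff02::1", 58, 255, bytes([134, 0, 0, 0]) + bytes(12)),
    build("fe80::1", "ff02::1:ff00:2", 58, 255, bytes([135, 0, 0, 0]) + bytes(20)),
    build("fe80::2", "fe80::1", 58, 255, bytes([136, 0, 0, 0]) + bytes(20)),
    build("2001:db8::bad", "2001:db8::2", 58, 64, bytes([135, 0, 0, 0]) + bytes(20)),
    build("2001:db8::99", "2001:db8::2", 6, 57, bytes(20)),
]

if __name__ == "__main__":
    counts, bps = summarize(SAMPLE, seconds=60)
    print(dict(counts), f"{bps:.1f} bits/second")
```

Anything that lands outside the valid NDP labels is traffic that came from beyond the local link and is worth checking against the firewall rules.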
