During Black Friday I bought a European machine (IPv6 only), mainly for auxiliary work (networking within the European region); its day-to-day traffic usage is fairly low.

The problem appears

Come January this year, I logged in to the server to deploy a new project and found that inbound traffic had already reached 1.3 TB, and traffic was still continuously coming in.

Troubleshooting and attempted fixes

From the tcpdump log, the traffic comes from ptr.default.28000.

Solving the problem

  1. My approach was to dig the IP and ban it with the iptables firewall. Unfortunately, DNS resolution from both inside and outside the network shows that the domain does not exist, so that failed...

  2. On the day the problem appeared I already sent a ticket to the vendor; after 24 hours there was no solution, they only said they were investigating. Not resolved either...

Partial tcpdump log

11:05:32.771620 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 45622:46668, ack 17815, win 501, options [nop,nop,TS val 1712976733 ecr 2823061016], length 1046

11:05:32.772517 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 46668:47711, ack 18203, win 501, options [nop,nop,TS val 1712976735 ecr 2823061018], length 1043

11:05:32.773231 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 47711:48755, ack 18590, win 501, options [nop,nop,TS val 1712976736 ecr 2823061018], length 1044

11:05:32.774101 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 42326:43365, ack 16270, win 7547, options [nop,nop,TS val 1712976736 ecr 2823061019], length 1039

11:05:32.774950 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 43365:44406, ack 16656, win 7547, options [nop,nop,TS val 1712976737 ecr 2823061019], length 1041

11:05:32.775811 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 48755:49803, ack 18977, win 501, options [nop,nop,TS val 1712976738 ecr 2823061020], length 1048

11:05:32.776449 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 49803:50846, ack 19364, win 501, options [nop,nop,TS val 1712976738 ecr 2823061021], length 1043

11:05:32.777032 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 44406:45458, ack 17044, win 7547, options [nop,nop,TS val 1712976738 ecr 2823061021], length 1052

11:05:32.777922 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 50846:51903, ack 19754, win 501, options [nop,nop,TS val 1712976739 ecr 2823061021], length 1057

11:05:32.778756 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 45458:46504, ack 17432, win 7547, options [nop,nop,TS val 1712976739 ecr 2823061022], length 1046

11:05:32.779504 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 46504:47552, ack 17819, win 7547, options [nop,nop,TS val 1712976740 ecr 2823061023], length 1048

11:05:32.780342 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 51903:52916, ack 20142, win 501, options [nop,nop,TS val 1712976741 ecr 2823061023], length 1013

11:05:32.781149 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 52916:53961, ack 20530, win 501, options [nop,nop,TS val 1712976742 ecr 2823061025], length 1045

11:05:32.781585 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 48596:49643, ack 18595, win 7547, options [nop,nop,TS val 1712976743 ecr 2823061026], length 1047

11:05:32.782663 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 53961:55000, ack 20917, win 501, options [nop,nop,TS val 1712976743 ecr 2823061026], length 1039

11:05:32.783590 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 55000:56016, ack 21303, win 501, options [nop,nop,TS val 1712976744 ecr 2823061026], length 1016

11:05:32.784358 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 49643:49978, ack 18982, win 7547, options [nop,nop,TS val 1712976745 ecr 2823061027], length 335

11:05:32.785206 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 49978:51010, ack 19370, win 7547, options [nop,nop,TS val 1712976746 ecr 2823061029], length 1032

11:05:32.785853 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 51010:52043, ack 19757, win 7547, options [nop,nop,TS val 1712976747 ecr 2823061029], length 1033

11:05:32.786593 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 56016:57054, ack 21690, win 501, options [nop,nop,TS val 1712976748 ecr 2823061030], length 1038

11:05:32.787329 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 57054:58093, ack 22077, win 501, options [nop,nop,TS val 1712976748 ecr 2823061031], length 1039

11:05:32.788048 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 52043:53098, ack 20145, win 7547, options [nop,nop,TS val 1712976749 ecr 2823061031], length 1055

11:05:32.788848 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 53098:54157, ack 20536, win 7547, options [nop,nop,TS val 1712976749 ecr 2823061032], length 1059

Full log

https://hastebin.com/share/mivegemiga.yaml
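The capture above only shows, line by line, that one endpoint (ptr.default, port 28000) is pushing data. Totalling the TCP payload bytes per sender and per flow turns such a log into a number you can act on, and once the capture is taken with `tcpdump -n` the host column is the numeric address to hand to the firewall. The script below is an added example written for this thread, not code from the original post. Its regex covers tcpdump's default one-line TCP summary for both resolved names and numeric addresses (in both forms the port is the text after the last dot). The sample lines are copied from this thread, except the last one, a constructed DNS line, which shows that non-TCP lines are counted as unparsed instead of breaking the run.

```python
"""Aggregate tcpdump TCP summary lines by sender (added example, not the post's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One tcpdump TCP summary line. Works for resolved names ("ptr.default.28000")
# and for the numeric form printed by `tcpdump -n` ("5.180.253.215.28000");
# in both, the text after the last dot is the port. "IP6?" accepts IPv6 lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)

# Five lines copied from this thread plus one constructed DNS/UDP line (last).
SAMPLE_LINES = [
    "11:05:32.771620 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 45622:46668, ack 17815, win 501, options [nop,nop,TS val 1712976733 ecr 2823061016], length 1046",
    "11:05:32.772517 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 46668:47711, ack 18203, win 501, options [nop,nop,TS val 1712976735 ecr 2823061018], length 1043",
    "11:05:32.774101 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 42326:43365, ack 16270, win 7547, options [nop,nop,TS val 1712976736 ecr 2823061019], length 1039",
    "12:08:16.926740 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2861263:2862303, ack 1110587, win 501, options [nop,nop,TS val 1716740894 ecr 2826825176], length 1040",
    "12:08:16.928192 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2082793:2083128, ack 810721, win 6343, options [nop,nop,TS val 1716740897 ecr 2826825179], length 335",
    "11:05:33.001000 IP 192.0.2.10.53 > 192.0.2.20.41000: 4711 1/0/0 A 198.51.100.7 (45)",  # constructed, not TCP
]


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host.port' into (host, port); the port is after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one TCP summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": m["flags"],
        "length": int(m["length"]),  # TCP payload bytes, not frame size
    }


@dataclass
class Summary:
    bytes_by_source: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    bytes_by_flow: Dict[Tuple[str, str], int] = field(default_factory=lambda: defaultdict(int))
    parsed: int = 0
    unparsed: int = 0


def summarize(lines: List[str]) -> Summary:
    """Total payload bytes per source host and per (src, dst) endpoint pair."""
    summary = Summary()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary.unparsed += 1  # DNS, ARP, ICMP lines are skipped, not fatal
            continue
        summary.parsed += 1
        summary.bytes_by_source[rec["src_host"]] += rec["length"]
        flow = (f'{rec["src_host"]}.{rec["src_port"]}',
                f'{rec["dst_host"]}.{rec["dst_port"]}')
        summary.bytes_by_flow[flow] += rec["length"]
    return summary


def top_talkers(summary: Summary, n: int = 5) -> List[Tuple[str, int]]:
    """Source hosts ordered by payload bytes sent, largest first."""
    return sorted(summary.bytes_by_source.items(), key=lambda kv: kv[1], reverse=True)[:n]


def capture_filter(host: str, port: int) -> str:
    """BPF filter to re-capture only this sender, e.g. `tcpdump -n 'host ... and tcp port ...'`."""
    return f"host {host} and tcp port {port}"


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"parsed={s.parsed} unparsed={s.unparsed}")
    for host, total in top_talkers(s):
        print(f"{host:>20}  {total:>8} bytes")
    for (src, dst), total in sorted(s.bytes_by_flow.items(), key=lambda kv: -kv[1]):
        print(f"{src} -> {dst}: {total} bytes")
```

Feed it a real capture with `tcpdump -n -i <iface> tcp > cap.txt` and `summarize(open("cap.txt").read().splitlines())`; the `length` field is the TCP payload only, so the totals understate wire volume by the header overhead per segment.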

5 replies
iBugOne 2025-2-1 19:06:33
Could it be that you just need `tcpdump -n` to see the real IP of ptr.default, and save yourself a big detour 🐶
ysc3839 2025-2-1 19:08:35
@iBugOne +1 This is also why I don't like using tcpdump directly on the command line; whenever ssh can connect directly, I use Wireshark's sshdump.
kleos (OP) 2025-2-1 19:12:07
@iBugOne Thanks, I just tried it, and an even stranger problem appeared: on an IPv6-only machine, two IPv4 addresses showed up.
12:08:16.926740 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2861263:2862303, ack 1110587, win 501, options [nop,nop,TS val 1716740894 ecr 2826825176], length 1040
12:08:16.927246 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2081745:2082793, ack 810334, win 6343, options [nop,nop,TS val 1716740896 ecr 2826825178], length 1048
12:08:16.927660 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2862303:2863341, ack 1110973, win 501, options [nop,nop,TS val 1716740894 ecr 2826825177], length 1038
12:08:16.928192 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2082793:2083128, ack 810721, win 6343, options [nop,nop,TS val 1716740897 ecr 2826825179], length 335
12:08:16.928319 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2863341:2864372, ack 1111361, win 501, options [nop,nop,TS val 1716740896 ecr 2826825178], length 1031
12:08:16.928959 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2864372:2865406, ack 1111745, win 501, options [nop,nop,TS val 1716740896 ecr 2826825179], length 1034
12:08:16.929946 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2083128:2083793, ack 811108, win 6343, options [nop,nop,TS val 1716740899 ecr 2826825181], length 665
12:08:16.930827 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2083793:2084458, ack 811495, win 6343, options [nop,nop,TS val 1716740900 ecr 2826825182], length 665
wolfworks 2025-2-1 19:20:41
Blind guess: did the hosting provider fail to isolate properly, with a neighbouring machine broadcasting packets all over the place?
guanzhangzhang 2025-2-1 19:35:16
Looks like the hosting provider didn't give you a dedicated VPC; your machine is in the same VPC as other people's machines, and someone is scanning you. Try a ping and see whether the TTL value is very close.