I've been working on a graphic to make teaching #IPv6 subnetting a little easier for engineers that are transitioning from #IPv4.
One of the challenges I've run across is that textbook & training examples often use very simple patterns to illustrate IPV6 subnetting.
However, when faced with a random assignment of a /48 prefix from an ISP, it's harder for engineers to wrap their head around how letters and numbers increment and where in the prefix that happens.
Here is an example of a "real-world" IPv6 prefix (using the doc prefix) and we got from a /32 to a /48.
Hope this is helpful!
@BergNetwork Oh man that sucks. I've always cloned the entire VM in Proxmox and upgraded the clone when it comes to EVE-NG because the upgrade process terrifies me lol.
Heard good things about container lab. @ioshints also has a good solution with https://t.co/lvwGwOT0Wb
Artemis 2: "Houston, we have a problem"
Houston: "Do you have a ticket number?"
They probably spent 12 hours on the remote support session only to get transferred to entitlements. 🤓
Artemis II astronaut finds two Outlook instances running on computers, call on Houston to fix Microsoft anomaly — puzzled caller describes ‘two Outlooks, and neither one of those are working’ https://t.co/brXHO9SfLi
Over the last 24 hours, multiple ISPs using NetSense reached out to us with the same strange pattern.
A noticeable chunk of subscribers suddenly started generating outbound UDP traffic to:
- port 80
- port 443
- and even port 0
Mostly towards a small set of external ASNs / IP ranges.
A few things made this stand out:
→ Upload traffic spiking higher than download
→ Bursts of upload traffic, then pause, then again
→ Same behavior replicated across many users at the same time
→ Different regions of India
→ Very consistent destination patterns
QUIC can explain some UDP/443.
But UDP/80 and especially UDP/0? That’s definitely not normal Internet behavior.
This points strongly towards:
compromised devices at scale: routers, CPEs, IoT, etc which are acting in coordination.
What’s interesting is not just the pattern, but the simultaneity across different networks.
That usually means one of two things:
- a large botnet waking up
- or a new exploit spreading quietly across edge devices
(And yes — having flow visibility helps. Being able to quickly look at NetFlow/IPFIX data and spot patterns like this makes a big difference in response time.)
Now the real question:
Are others seeing this too?
If you operate an ISP / broadband network:
- Any unusual spikes in outbound UDP?
- Traffic hitting port 0?
- Similar destination concentration (specific ASNs / regions)?
Would be useful to compare notes.
Feels like one of those early signals you don’t want to ignore.
Added a map to see which Data Centers were most at risk. This doesn't include every DC in the target region, but the most common public cloud DCs and cities with local/provider COLO DCs.
This is a general estimate using AI (Claude) and public Iranian missile data.
With "Information Technology" on the target list, quite a few ISP POPs are within range of Iran's missiles.
Tata (AS6453), Sparkle (AS6762), Lumen (AS3356) and Arelion (AS1299) seem to be at the highest risk based on @PeeringDB locations & AS CAIDA rank.