Latest version: 2.1.0


CounterMeasure cm_kill_illegitimate_router

Description

If NDPMon recognizes a router advertisement from a router that is not in the router list, it sends a faked zero-lifetime RA on behalf of this router, so that hosts drop it from their default router list.

The detection is done by watch_ra.

See also cm_kill_illegitimate_router().

    ----- ND_ROUTER_ADVERT -----
    Reset timer for 0:12:3f:77:74:ad fe80:0:0:0:212:3fff:fe77:74ad
    Warning: wrong ipv6 router 0:12:3f:77:74:ad fe80:0:0:0:212:3fff:fe77:74ad
    [counter-measures]: Sent zero lifetime advertisement for illegitimate router.
    ------------------

Test

The following faked router advertisement was created with an icmp_lib example program:

    ./example_fake_router eth0 fe80:0:0:0:212:3fff:fe77:74ad 2001::0 16

The tcpdump of the router advertisement:

    10:55:19.827590 IP6 (hlim 255, next-header: ICMPv6 (58), length: 56)
      fe80::212:3fff:fe77:74ad > ip6-allnodes:
      [icmp6 sum ok] ICMP6, router advertisement, length 56
            hop limit 64, Flags [none], pref medium, router lifetime 65535s, reachable time 0s, retrans time 0s
            source link-address option (1), length 8 (1): 00:12:3f:77:74:ad
            prefix info option (3), length 32 (4): 2001::/16, Flags [onlink, auto], valid time infinitys, pref. time infinitys

It resulted in the following counter advertisement (note the zero lifetime and the absence of any options):

    10:55:21.187753 IP6 (hlim 255, next-header: ICMPv6 (58), length: 16)
      fe80::212:3fff:fe77:74ad > ip6-allnodes:
      [icmp6 sum ok] ICMP6, router advertisement, length 16
            hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s

Without NDPMon running, the faked router was listed on the host tounes as a default router:

    % ip -6 route
    [...]
    default via fe80::204:75ff:febe:e938 dev eth0  proto kernel  metric 1024  expires 10794sec mtu 1280 advmss 1220 hoplimit 64
    default via fe80::212:3fff:fe77:74ad dev eth0  proto kernel  metric 1024  expires 65287sec mtu 1280 advmss 1220 hoplimit 64

When NDPMon countered the attack, the illegitimate router was removed from the default router list.
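As an added illustration of the mechanism described above (this is not NDPMon's or icmp_lib's own code), the following Python sketch decodes a router advertisement, compares the sender against a legitimate router list, and builds the 16-byte zero-lifetime counter RA with a valid ICMPv6 checksum. The legitimate router's MAC is assumed from the EUI-64 part of its link-local address, and the sample RA is constructed to match the 56-byte tcpdump shown in the test.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
# Constructed router list: the real router from the route table above (MAC assumed from its EUI-64)
LEGITIMATE_ROUTERS = {("00:04:75:be:e9:38", "fe80::204:75ff:febe:e938")}

def icmp6_checksum(src, dst, payload):
    # RFC 4443: ones-complement sum over the IPv6 pseudo-header (next header 58) + ICMPv6 message
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(payload), 58))
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ra(msg):
    typ, _code, _csum, hlim, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    options, off = [], 16
    while off + 2 <= len(msg):
        olen = msg[off + 1] * 8  # ND option length is in units of 8 octets
        if olen == 0 or off + olen > len(msg):
            raise ValueError("malformed ND option")  # RFC 4861: discard the packet
        options.append((msg[off], msg[off + 2:off + olen]))
        off += olen
    return {"hop_limit": hlim, "flags": flags, "router_lifetime": lifetime, "options": options}

def build_zero_lifetime_ra(src, hop_limit=64):
    # The 16-byte counter RA: same source, router lifetime 0, no options, sent to ff02::1 (all nodes)
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, 0, 0, 0)
    return body[:2] + struct.pack("!H", icmp6_checksum(src, "ff02::1", body)) + body[4:]

def watch_ra(src_mac, src_ip, msg, routers=LEGITIMATE_ROUTERS):
    # Mimics watch_ra + cm_kill_illegitimate_router: returns (log lines, counter RA bytes or None)
    ra = parse_ra(msg)
    src = ipaddress.IPv6Address(src_ip)
    if (src_mac, str(src)) in routers:
        return [f"Reset timer for {src_mac} {src}"], None
    alerts = [f"Warning: wrong ipv6 router {src_mac} {src}",
              "[counter-measures]: Sent zero lifetime advertisement for illegitimate router."]
    return alerts, build_zero_lifetime_ra(src, ra["hop_limit"])

# Constructed sample: the 56-byte faked RA from the tcpdump (lifetime 65535, SLLA + prefix 2001::/16)
FAKE_RA = (struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 65535, 0, 0)
           + b"\x01\x01" + bytes.fromhex("00123f7774ad")
           + struct.pack("!BBBBIII", 3, 4, 16, 0xC0, 0xFFFFFFFF, 0xFFFFFFFF, 0)
           + ipaddress.IPv6Address("2001::").packed)
```

Calling watch_ra("00:12:3f:77:74:ad", "fe80::212:3fff:fe77:74ad", FAKE_RA) yields the two log lines from the Description section and a 16-byte RA whose lifetime is 0; the real counter-measure additionally transmits that RA on the interface.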