Latest version: 2.1.0


CounterMeasure cm_kill_wrong_prefix

Description

If NDPMon captures a router advertisement (RA) from a router that is in the router list (a legitimate router) but the RA carries a prefix information option whose prefix is not listed for this router, the RA is treated as a bogus (onlink/autoconf) prefix attack.

The counter measure is to forge an RA on behalf of the legitimate router, with all RA parameters set to the values recorded in the router list and a prefix information option for the bogus prefix whose valid and preferred lifetimes are both zero.

This ensures that hosts listening on the link:

  • reset all RA parameters overridden by the bogus RA (such as curhoplimit) to their former, correct values;
  • remove the bogus prefix from their routing table.
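The following is an added example, not NDPMon's own code: a small model of the check above and of the RA it answers with. A router list entry (router link-local address and MAC as in the test below; the legitimate prefix is a constructed documentation prefix, not the one the page abbreviates) is compared with a captured RA, each wrong parameter and unlisted prefix produces a warning, and a replacement RA is encoded with the RFC 4861 wire layout: a 16-byte RA header, plus a 32-byte prefix information option with valid and preferred lifetimes of zero when a bogus prefix has to be killed. The ICMPv6 checksum is left at zero and nothing is sent; the sizes (16 and 48 bytes) match the two counter-measure advertisements in the tcpdump capture further down.

```python
"""Added example (not NDPMon code): a model of the cm_kill_wrong_prefix check.

The router list maps each legitimate router (link-local address, MAC) to the
RA parameters and prefixes it is allowed to announce.  A captured RA is
compared against that entry; a prefix that is not listed is reported and a
replacement RA carrying that prefix with valid/preferred lifetime 0 is
encoded (RFC 4861 wire layout).  Nothing here sends packets.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134          # ICMPv6 type
ND_OPT_PREFIX_INFORMATION = 3   # ND option type
PI_FLAG_ONLINK, PI_FLAG_AUTO = 0x80, 0x40

# Constructed router list entry.  Router address and MAC are the ones from the
# page's test; the legitimate prefix is a documentation prefix chosen here,
# not the one the page abbreviates (assumption).
ROUTER_LIST = {
    ("fe80::204:75ff:febe:e938", "0:4:75:be:e9:38"): {
        "curhoplimit": 64,
        "router_lifetime": 10800,
        "reachable_timer": 0,
        "retrans_timer": 0,
        "prefixes": {ipaddress.IPv6Network("2001:db8:1:2::/64")},
    },
}

RA_PARAMS = ("curhoplimit", "router_lifetime", "reachable_timer", "retrans_timer")


def build_ra(entry, kill_prefix=None):
    """Encode an RA header carrying the router list's parameters.

    With kill_prefix set, append a prefix information option for it whose
    valid and preferred lifetimes are both zero, so hosts drop the prefix.
    The ICMPv6 checksum stays 0: it covers the IPv6 pseudo-header and is
    filled in only when a packet is actually transmitted.
    """
    flags = 0  # no M/O flags, default router preference medium
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0,
                     entry["curhoplimit"], flags, entry["router_lifetime"],
                     entry["reachable_timer"], entry["retrans_timer"])
    if kill_prefix is not None:
        # type, length (in 8-byte units), prefix length, L|A flags,
        # valid lifetime, preferred lifetime, reserved, prefix
        ra += struct.pack("!BBBBIII16s", ND_OPT_PREFIX_INFORMATION, 4,
                          kill_prefix.prefixlen, PI_FLAG_ONLINK | PI_FLAG_AUTO,
                          0, 0, 0, kill_prefix.network_address.packed)
    return ra


def prefix_option_lifetimes(ra):
    """Return (valid, preferred) of the first prefix option, or None if absent."""
    off = 16  # skip the fixed RA header
    while off + 2 <= len(ra):
        otype, olen = ra[off], ra[off + 1] * 8
        if olen == 0:          # malformed option: length 0 would loop forever
            return None
        if otype == ND_OPT_PREFIX_INFORMATION and olen == 32:
            return struct.unpack_from("!II", ra, off + 4)
        off += olen
    return None


def check_ra(ra, router_list=ROUTER_LIST):
    """Compare a parsed RA with the router list.

    Returns (warnings, actions); each action is (name, encoded RA bytes).
    """
    entry = router_list.get((ra["src"], ra["mac"]))
    if entry is None:  # not a listed router: outside this counter measure
        return [f"Warning: RA from unknown router {ra['mac']} {ra['src']}"], []
    warnings, actions = [], []
    wrong = [p for p in RA_PARAMS if ra[p] != entry[p]]
    for p in wrong:
        warnings.append(f"Warning: wrong RA param: {p} {ra[p]}")
    if wrong:
        actions.append(("propagate_router_params", build_ra(entry)))
    for prefix in ra["prefixes"]:
        if prefix not in entry["prefixes"]:
            warnings.append(f"Warning: wrong prefix {prefix.network_address} "
                            f"{ra['mac']} {ra['src']}")
            actions.append(("kill_wrong_prefix", build_ra(entry, prefix)))
    return warnings, actions


# Constructed input mirroring the bogus RA in the page's tcpdump capture.
BOGUS_RA = {
    "src": "fe80::204:75ff:febe:e938",
    "mac": "0:4:75:be:e9:38",
    "curhoplimit": 255,
    "router_lifetime": 65535,
    "reachable_timer": 16384000,
    "retrans_timer": 1966080,
    "prefixes": [ipaddress.IPv6Network("2001:660:4501:3201::/64")],
}

if __name__ == "__main__":
    warns, acts = check_ra(BOGUS_RA)
    print("\n".join(warns))
    for name, pkt in acts:
        print(f"[counter-measures]: {name}: {len(pkt)}-byte RA, "
              f"prefix lifetimes {prefix_option_lifetimes(pkt)}")
```

Run as a script it prints the four "wrong RA param" warnings and the "wrong prefix" warning for the bogus RA, followed by the two encoded counter-measure RAs (16 bytes without, 48 bytes with the zero-lifetime prefix option). The option walker stops on a zero option length, which is the usual guard against a malformed packet looping a parser forever.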

Test

To advertise a bogus prefix, fake_router6 may be used. The bogus prefix is 2001:660:4501:3201::/64, the correct prefix being ...:3202::/64.

  ./fake_router6 eth0 fe80::204:75ff:febe:e938 2001:660:4501:3201::/64 1280 0:4:75:be:e9:38

NDPMon alerts the administrator about the wrong router advertisement parameters and reacts to them (see Counter Measure cm_propagate_router_params), but it also reacts to the wrong prefix and sends an RA with zero valid and preferred lifetimes for that prefix.

  ----- ND_ROUTER_ADVERT -----
  Reset timer for 0:4:75:be:e9:38 fe80:0:0:0:204:75ff:febe:e938
  Warning: wrong RA param: curhoplimit 255
  Warning: wrong RA param: router_lifetime 65535
  Warning: wrong RA param: reachable_timer 16384000
  Warning: wrong RA param: retrans_timer 1966080
  [counter-measures]: Sent propagate params router advertisement for wrong params.
  Warning: wrong prefix 2001:660:4501:3201 0:4:75:be:e9:38 fe80:0:0:0:204:75ff:febe:e938
  [counter-measures]: Sent prefix zero lifetime advertisement for wrong prefix.
  ------------------

  ---- ICMP packet ----
  [counter-measures]: Packet dropped as it is a NDPMon counter measure.
  ------------------

  ---- ICMP packet ----
  [counter-measures]: Packet dropped as it is a NDPMon counter measure.
  ------------------

These are the bogus advertisement and the two counter-measure advertisements, captured with tcpdump:

  09:02:21.082531 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::204:75ff:febe:e938 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 64
          hop limit 255, Flags [none], pref high, router lifetime 65535s, reachable time 16384000s, retrans time 1966080s
            mtu option (5), length 8 (1):  1280
            prefix info option (3), length 32 (4): 2001:660:4501:3201::/64, Flags [onlink, auto], valid time infinitys, pref. time infinitys
            source link-address option (1), length 8 (1): 00:04:75:be:e9:38
  09:02:21.085545 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::204:75ff:febe:e938 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 16
          hop limit 64, Flags [none], pref medium, router lifetime 10800s, reachable time 0s, retrans time 0s
  09:02:21.086265 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 48) fe80::204:75ff:febe:e938 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 48
          hop limit 64, Flags [none], pref medium, router lifetime 10800s, reachable time 0s, retrans time 0s
            prefix info option (3), length 32 (4): 2001:660:4501:3201::/64, Flags [onlink, auto], valid time 0s, pref. time 0s

This counter measure succeeds in keeping the bogus prefix out of the routing tables.