Latest version: 2.1.0


CounterMeasure cm_propagate_neighbor_mac

Description

If NDPMon notices that a host's Ethernet address has changed, or that it flip-flops between two Ethernet addresses, it assumes the address seen first to be the right one.

This countermeasure sends a Neighbor Advertisement carrying the right MAC address, so that the victim's neighbor cache entry is set to STALE on all hosts and Neighbor Unreachability Detection is re-initiated.
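As an added example (not NDPMon's own code), the following Python sketch implements the logic described above: it parses the target address and the target link-layer address option of a Neighbor Advertisement, remembers the first MAC seen for each target, and when a different MAC shows up it builds the NA that re-advertises the first-seen MAC with the Override flag set, dropping that packet if it is captured again. The ICMPv6 checksum, the IPv6 header addressed to ff02::1 and the actual sending are assumed to be handled by the caller.

```python
import ipaddress
import struct

ICMPV6_NA = 136
OPT_TARGET_LLADDR = 2  # tcpdump shows it as "destination link-address option (2)"
FLAG_OVERRIDE = 0x20000000

def build_na(target, mac):
    """ICMPv6 NA body: type, code, checksum (left 0 here), flags, target, TLL option."""
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, FLAG_OVERRIDE)
    body += ipaddress.IPv6Address(target).packed
    return body + bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))

def parse_na(body):
    """Return (target, mac, override) from an NA body, or None if malformed."""
    if len(body) < 24 or body[0] != ICMPV6_NA:
        return None
    target, mac, pos = str(ipaddress.IPv6Address(body[8:24])), None, 24
    while pos + 8 <= len(body):  # options are multiples of 8 bytes
        otype, olen = body[pos], body[pos + 1]
        if olen == 0:  # RFC 4861: a zero-length option means discard the packet
            return None
        if otype == OPT_TARGET_LLADDR and olen == 1:
            mac = ":".join(f"{b:02x}" for b in body[pos + 2:pos + 8])
        pos += olen * 8
    return target, mac, bool(body[4] & 0x20)

class NeighborMonitor:
    """Tracks target -> first-seen MAC, as NDPMon does, and builds the countermeasure NA."""
    def __init__(self):
        self.first_seen = {}  # target -> MAC seen first, assumed to be the right one
        self.sent = set()  # our own countermeasure NAs, dropped if captured again

    def handle_na(self, body):
        """Return (log lines, countermeasure NA body or None) for one captured NA."""
        if body in self.sent:
            return ["[counter-measures]: Packet dropped as it is a NDPMon counter measure."], None
        parsed = parse_na(body)
        if parsed is None or parsed[1] is None:
            return ["Warning: malformed neighbor advertisement or no link-layer option"], None
        target, mac, _ = parsed
        good = self.first_seen.setdefault(target, mac)
        if mac == good:
            return [], None
        # Changed MAC or flip-flop: re-advertise the first-seen MAC with Override set; sent
        # inside an IPv6 packet to ff02::1 it moves every neighbor cache entry to STALE.
        cm = build_na(target, good)
        self.sent.add(cm)
        return [f"Warning: changed ethernet address {good} to {mac} {target}",
                f"[counter-measures]: Sent neighbor advertisement propagating {good}."], cm
```

The sample addresses in the test below are the ones from the capture on this page; the 32-byte NA body matches the "length 32" tcpdump reports.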

Test

The following forged advertisement was created with a thc-ipv6 tool:

  ./fake_advertise6 eth0 fe80::212:3fff:fe77:74ad fe80::20c:f1ff:fe82:4a10 00:12:3f:77:74:a0

NDPMon reported that the Ethernet address of shikamaru had changed:

  ----- ND_NEIGHBOR_ADVERT -----
  Warning: changed ethernet address 0:12:3f:77:74:ad to 0:12:3f:77:74:a0 fe80:0:0:0:212:3fff:fe77:74ad
  Sending mail alert ...
  [counter-measures]: Sent neighbor advertisement propagating 0:12:3f:77:74:ad.
  ------------------

  ---- ICMP packet ----
  [counter-measures]: Packet dropped as it is a NDPMon counter measure.
  ------------------

tcpdump captured both the forged NA and the countermeasure:

  16:49:33.564476 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32)
    fe80::212:3fff:fe77:74ad > fe80::20c:f1ff:fe82:4a10:
    [icmp6 sum ok] ICMP6, neighbor advertisement, length 32,
    tgt is fe80::212:3fff:fe77:74ad, Flags [override]
            destination link-address option (2), length 8 (1): 00:12:3f:77:74:a0
  16:49:35.251855 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32)
    fe80::212:3fff:fe77:74ad > ip6-allnodes:
    [icmp6 sum ok] ICMP6, neighbor advertisement, length 32,
    tgt is fe80::212:3fff:fe77:74ad, Flags [override]
            destination link-address option (2), length 8 (1): 00:12:3f:77:74:ad

We may not see any effect of this countermeasure in the routing tables, because as long as the host whose MAC is being faked still answers Neighbor Solicitations, the attack does not work anyway.

When the attack was performed with the thc-ipv6 tool parasite running, the countermeasure kept all entries of the routing table in the STALE state. At the very least, the attacker is not able to intercept any network traffic.