Latest version: 2.1.0
If NDPMon notes a changed Ethernet address or a flip flop between two Ethernet addresses, we assume the address seen first to be right.
This countermeasure sends a Neighbor Advertisement carrying the right MAC address. This sets the victim's neighbor cache entry to STALE on all hosts and re-initiates Neighbor Unreachability Detection.
The following faked advertisement was created by a thc-ipv6 tool:
NDPMon noted that the Ethernet address of shikamaru had changed:
tcpdump captured the faked NA as well as the countermeasure.
The countermeasure may have no visible effect in the routing tables: as long as the host whose MAC is being faked responds to Neighbor Solicitations, the attack does not work.
When the attack was performed with the thc-ipv6 tool parasite running, the countermeasure kept all entries of the routing table in STALE state. At least the attacker won't be able to intercept any network traffic.
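The first-seen rule and the corrective advertisement described above can be sketched as follows. This is an added example, not NDPMon's own code: the class and function names are hypothetical, the addresses are constructed, and the flag choice (Override set, Solicited clear) is an assumption based on RFC 4861, under which such an advertisement with a different link-layer address makes receivers update the entry and mark it STALE.

```python
import ipaddress
import struct

class NeighborMonitor:
    """First MAC seen for an IPv6 address is trusted (hypothetical class)."""

    def __init__(self):
        self.trusted = {}    # ip -> first-seen MAC, assumed right
        self.last_seen = {}  # ip -> MAC in the most recent advertisement
        self.previous = {}   # ip -> MAC seen before the most recent change

    def observe(self, ip, mac):
        """Return (alert, mac_to_advertise) for one observed advertisement."""
        mac = mac.lower()
        if ip not in self.trusted:
            self.trusted[ip] = self.last_seen[ip] = mac
            return None, None
        last = self.last_seen[ip]
        if mac == last:
            return None, None
        # Returning to the MAC seen before the last change is a flip flop.
        flip = self.previous.get(ip) == mac
        self.previous[ip], self.last_seen[ip] = last, mac
        alert = "flip flop" if flip else "changed ethernet address"
        # A correction is only needed when the new MAC is not the trusted one.
        right = self.trusted[ip]
        return alert, (right if mac != right else None)

def build_corrective_na(target_ip, right_mac):
    """ICMPv6 NA body per RFC 4861; checksum left 0 (needs the IPv6 pseudo-header)."""
    flags = 0x20000000  # Override=1, Solicited=0, Router=0 (assumed flag choice)
    header = struct.pack("!BBHI", 136, 0, 0, flags)  # type 136 = NA
    target = ipaddress.IPv6Address(target_ip).packed
    # Option type 2 = Target Link-Layer Address, length 1 = 8 octets.
    tlla = struct.pack("!BB", 2, 1) + bytes.fromhex(right_mac.replace(":", ""))
    return header + target + tlla

# Constructed sample: documentation prefix 2001:db8::/32 and RFC 7042 MACs.
IP, GOOD, FAKE = "2001:db8::10", "00:00:5e:00:53:01", "00:00:5e:00:53:ff"

def run_demo():
    monitor = NeighborMonitor()
    return [monitor.observe(IP, mac) for mac in (GOOD, FAKE, GOOD, FAKE)]

if __name__ == "__main__":
    for alert, right in run_demo():
        na = build_corrective_na(IP, right) if right else b""
        print(alert, right, na.hex())
```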