Latest version: 2.1.0


CounterMeasure cm_propagate_router_dns

Description

If NDPMon captures a Router Advertisement from a legitimate router (or one believed to be legitimate) but the parameters of its DNS options do not match those stored in the router list, this may be an attack that redirects compatible hosts towards rogue DNS servers, and from there to malicious hosts or services via bogus name resolution.

First, when a wrong RDNSS or DNSSL option is detected, an RA is sent with a zero lifetime to deprecate the wrong announcement, via the derived countermeasures cm_kill_wrong_nameserver and cm_kill_wrong_domain. These two additional countermeasures follow the same policy and use the same guard as cm_propagate_router_dns.

Then the countermeasure reacts to the attack by sending an RA for the legitimate router with all parameters set according to those stored in its router list entry. We make the assumption that RA parameters are not reconfigured by the administrator once NDPMon has finished its learning phase.

This ensures that all compatible hosts listening on the link reset their DNS parameters to the intended ones.

Test

This countermeasure was tested with scapy6:

  ra_rdnss = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")/ICMPv6NDOptRDNSS(lifetime=900, dns=["fd75:7c74:2274:1::53", "fd75:7c74:2274:1::5353"])/ICMPv6NDOptRDNSS(lifetime=600, dns=["fd75:7c74:2274:1::53:53"])

We configured NDPMon to expect two nameservers, fd75:7c74:2274:1::53 and fd75:7c74:2274:1::5353, with a 900 second lifetime. On receiving the RA above, NDPMon complained about an advertised nameserver different from the one learned during the learning phase:

  ----- ND_ROUTER_ADVERT -----
  [alerts] Alert "wrong RA RDNSS option" raised on probe "eth1".
  [countermeasures]: Sent zero lifetime RA for wrong nameserver.
  [countermeasures]: Sent propagate params RA for wrong DNS options.
  ------------------
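The following Python script is an added illustration of the two steps described above (the Description and the Test sections); it is not NDPMon's own code. It decodes the RDNSS (type 25) and DNSSL (type 31) options of an RA per RFC 8106, compares them with a learned router-list entry, and builds the option bytes that the two corrective RAs would carry: zero-lifetime entries for the wrong values (the cm_kill_wrong_nameserver / cm_kill_wrong_domain step) followed by the learned values (the propagate step). The router-list entry, the search domain example.test, the bogus domain bogus.test and the option bytes are constructed for the example; the matching rule (every advertised server or domain must be in the learned set with the learned lifetime) is an assumption rather than NDPMon's exact logic, and the script only builds the options, it does not send RAs.

```python
import ipaddress
import struct

RDNSS = 25  # Recursive DNS Server option (RFC 8106)
DNSSL = 31  # DNS Search List option (RFC 8106)

def build_rdnss(lifetime, addrs):
    """RDNSS option: type, length in 8-octet units, reserved, lifetime, addresses."""
    body = b"\x00\x00" + struct.pack("!I", lifetime)
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return bytes([RDNSS, (2 + len(body)) // 8]) + body

def build_dnssl(lifetime, names):
    """DNSSL option: names in DNS wire format, zero-padded to a multiple of 8 octets."""
    wire = b""
    for name in names:
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
        wire += b"\x00"
    body = b"\x00\x00" + struct.pack("!I", lifetime) + wire
    body += b"\x00" * ((-(2 + len(body))) % 8)
    return bytes([DNSSL, (2 + len(body)) // 8]) + body

def parse_nd_options(data):
    """Walk the TLV options that follow the 16-byte RA header -> [(type, body), ...]."""
    opts, off = [], 0
    while off + 2 <= len(data):
        length = data[off + 1] * 8
        if length == 0 or off + length > len(data):
            raise ValueError("malformed ND option at offset %d" % off)
        opts.append((data[off], data[off + 2:off + length]))
        off += length
    return opts

def parse_rdnss(body):
    lifetime = struct.unpack("!I", body[2:6])[0]
    return lifetime, [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]

def parse_dnssl(body):
    lifetime = struct.unpack("!I", body[2:6])[0]
    names, i = [], 6
    while i < len(body):
        labels = []
        while i < len(body) and body[i] != 0:
            n = body[i]
            labels.append(body[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1  # terminating zero of a name, or one padding byte
        if labels:
            names.append(".".join(labels))
    return lifetime, names

def check_dns_options(options, learned):
    """Compare advertised RDNSS/DNSSL values with the learned router-list entry. Matching rule
    (an assumption, not NDPMon's own logic): learned set membership plus learned lifetime."""
    alerts, wrong_ns, wrong_dom = [], [], []
    known_ns = {str(ipaddress.IPv6Address(a)) for a in learned["nameservers"]}
    for typ, body in options:
        if typ == RDNSS:
            lifetime, addrs = parse_rdnss(body)
            for a in addrs:
                if a not in known_ns or lifetime != learned["rdnss_lifetime"]:
                    alerts.append('Alert "wrong RA RDNSS option": %s lifetime=%d' % (a, lifetime))
                    wrong_ns.append(a)
        elif typ == DNSSL:
            lifetime, names = parse_dnssl(body)
            for n in names:
                if n not in learned["domains"] or lifetime != learned["dnssl_lifetime"]:
                    alerts.append('Alert "wrong RA DNSSL option": %s lifetime=%d' % (n, lifetime))
                    wrong_dom.append(n)
    return alerts, wrong_ns, wrong_dom

def countermeasure_options(learned, wrong_ns, wrong_dom):
    """Options for the corrective RAs: zero-lifetime entries deprecating the wrong values
    (cm_kill_wrong_nameserver / cm_kill_wrong_domain), then the learned values (propagate)."""
    opts = []
    if wrong_ns:
        opts.append(build_rdnss(0, wrong_ns))
    if wrong_dom:
        opts.append(build_dnssl(0, wrong_dom))
    opts.append(build_rdnss(learned["rdnss_lifetime"], learned["nameservers"]))
    if learned["domains"]:
        opts.append(build_dnssl(learned["dnssl_lifetime"], learned["domains"]))
    return opts

# Constructed router-list entry: the test's two nameservers plus a hypothetical search domain.
LEARNED = {"nameservers": ["fd75:7c74:2274:1::53", "fd75:7c74:2274:1::5353"],
           "rdnss_lifetime": 900, "domains": ["example.test"], "dnssl_lifetime": 900}

# Constructed option bytes mirroring the scapy test RA: source link-layer address, the legitimate
# RDNSS option, a second RDNSS option with an unknown server and lifetime, and an unknown DNSSL domain.
SAMPLE_OPTIONS = (bytes([1, 1]) + bytes.fromhex("02fd00000102")
                  + build_rdnss(900, ["fd75:7c74:2274:1::53", "fd75:7c74:2274:1::5353"])
                  + build_rdnss(600, ["fd75:7c74:2274:1::53:53"])
                  + build_dnssl(600, ["bogus.test"]))

def run_sample():
    alerts, wrong_ns, wrong_dom = check_dns_options(parse_nd_options(SAMPLE_OPTIONS), LEARNED)
    return alerts, wrong_ns, wrong_dom, countermeasure_options(LEARNED, wrong_ns, wrong_dom)
```

Running run_sample() on the constructed options raises one RDNSS alert (for fd75:7c74:2274:1::53:53) and one DNSSL alert (for bogus.test), and returns four corrective options: a zero-lifetime RDNSS for the wrong server, a zero-lifetime DNSSL for the wrong domain, and then the learned RDNSS and DNSSL values. Feeding only the two propagate options back through check_dns_options yields no alert, which is the property the countermeasure relies on: hosts that apply the corrective RAs end up with exactly the learned DNS parameters.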