Latest version: 2.1.0

CounterMeasure cm_propagate_router_params

Description

If NDPMon captures a Router Advertisement (RA) from a legitimate router, but the parameters of the RA do not match those stored in the router list, we assume this to be a bogus parameter attack. Examples of such an attack include crush_hoplimit, which lowers the hop limit, and kill_legitimate_router, which sets the RA's router lifetime field to zero.

The counter measure reacts to this attack by sending an RA for the legitimate router with all parameters set according to those stored in the router list entry. We make the assumption that RA parameters are not re-configured by the administrator once NDPMon has finished its learning phase.

This ensures that hosts listening on the link:

  • set all RA parameters overridden by the bogus RA (such as curhoplimit) to their former correct values.

Test

This counter measure was tested with the crushhoplimit attack:

    ./imitate_router6 eth0 crushhoplimit

    Detected Router with address: fe80:0000:0000:0000:0204:75ff:febe:e938
                        lifetime: 10800
                     curhoplimit: 64
                      and prefix: 2001:660:4501:3202/64
    Spoofing very low TTL (1) Router Advertisments for the detected router...
    (Press Strg+C to stop.)
        Spoofed very low TTL (1) Router Advertisment.

NDPMon complained about several parameters of this router not matching those learned during the learning phase:

    ----- ND_ROUTER_ADVERT -----
    Reset timer for 0:4:75:be:e9:38 fe80:0:0:0:204:75ff:febe:e938
    Warning: wrong RA param: curhoplimit 1
    Sending mail alert ...
    Warning: wrong RA param: reachable_timer 16384000
    Sending mail alert ...
    Warning: wrong RA param: retrans_timer 1966080
    Sending mail alert ...
    [counter-measures]: Sent propagate params router advertisement for wrong params.
    ------------------

    ---- ICMP packet ----
    [counter-measures]: Packet dropped as it is a NDPMon counter measure.
    ------------------

This is the attacker's RA with the faked parameters and the counter measure RA:

    09:20:17.676478 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64)
      fe80::204:75ff:febe:e938 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 64
            hop limit 1, Flags [none], pref medium, router lifetime 10800s, reachable time 16384000s, retrans time 1966080s
              mtu option (5), length 8 (1):  1280
              prefix info option (3), length 32 (4): 2001:660:4501:3202::/64, Flags [none], valid time 10800s, pref. time 10800s
              source link-address option (1), length 8 (1): 00:04:75:be:e9:38
    09:20:17.678610 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16)
      fe80::204:75ff:febe:e938 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 16
            hop limit 64, Flags [none], pref medium, router lifetime 10800s, reachable time 0s, retrans time 0s

The counter measure succeeds in keeping the wrong parameter out of the routing tables.
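
The parameter check and the corrective RA described above, as an added C example that is not NDPMon's own code: it compares the fixed 16-byte RA header with a router-list entry and rebuilds that header from the stored values. The `router_entry` struct, the function names and the flag constants are assumptions for illustration; the sample bytes are constructed from the values shown in the capture above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical router-list entry: values learned during the learning phase. */
struct router_entry { uint8_t curhoplimit; uint16_t lifetime; uint32_t reachable, retrans; };
enum { BAD_HOPLIMIT = 1, BAD_LIFETIME = 2, BAD_REACHABLE = 4, BAD_RETRANS = 8, BAD_PACKET = 128 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Compare the fixed RA header (RFC 4861, section 4.2) with the stored entry.
 * Returns a bitmask of mismatching parameters, 0 if everything matches. */
int check_ra_params(const uint8_t *ra, size_t len, const struct router_entry *e) {
    int bad = 0;
    if (len < 16 || ra[0] != 134 || ra[1] != 0) return BAD_PACKET; /* not a full RA */
    if (ra[4] != e->curhoplimit)                bad |= BAD_HOPLIMIT;
    if (((ra[6] << 8) | ra[7]) != e->lifetime)  bad |= BAD_LIFETIME;
    if (be32(ra + 8) != e->reachable)           bad |= BAD_REACHABLE;
    if (be32(ra + 12) != e->retrans)            bad |= BAD_RETRANS;
    return bad;
}

/* Fill the header of the corrective RA from the stored entry (checksum left 0). */
void build_restore_ra(uint8_t out[16], const struct router_entry *e) {
    memset(out, 0, 16);
    out[0] = 134;                                   /* ICMPv6 type: Router Advertisement */
    out[4] = e->curhoplimit;
    out[6] = (uint8_t)(e->lifetime >> 8); out[7] = (uint8_t)(e->lifetime & 0xff);
    put32(out + 8, e->reachable);
    put32(out + 12, e->retrans);
}

/* Constructed sample: entry and bogus header with the values from the capture. */
static const struct router_entry learned = { 64, 10800, 0, 0 };
static const uint8_t bogus_ra[16] = { 134, 0, 0, 0, 1, 0, 0x2a, 0x30,
                                      0x00, 0xfa, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00 };

int main(void) {
    uint8_t fix[16];
    printf("mismatch mask: %d\n", check_ra_params(bogus_ra, sizeof bogus_ra, &learned));
    build_restore_ra(fix, &learned);
    printf("restored RA mismatches: %d\n", check_ra_params(fix, sizeof fix, &learned));
    return 0;
}
```

The three bits set for the bogus header correspond to the three `wrong RA param` warnings in the NDPMon output, and the rebuilt header carries the same values as the second RA in the capture.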