Latest version: 2.1.0


CounterMeasure cm_propagate_router_routes

Description

If NDPMon captures a Router Advertisement from a legitimate router (or one believed to be legitimate) whose Route Information options carry parameters that do not match those stored in the router list, this may be an attack that redirects hosts supporting these options towards rogue routers in order to perform man-in-the-middle attacks.

First, when a wrong Route Information option is detected, an RA carrying that route with a lifetime of 0 is sent to deprecate the wrong announcement, via the derived countermeasure cm_kill_wrong_route. This additional countermeasure follows the same policy and uses the same guard as cm_propagate_router_routes.

Then, the countermeasure reacts to the attack by sending an RA on behalf of the legitimate router, with all parameters set to those stored in its router list entry. We assume that the router's RA parameters are not reconfigured by the administrator once NDPMon has finished its learning phase.

This ensures that all compatible hosts listening on the link reset their parameters to the intended ones.

Test

This countermeasure was tested with scapy6:

  ra_ri_wrong_route = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")/ICMPv6NDOptRouteInfo(prf=8, rtlifetime=2592000, prefix="2001:db8:1111:2222::", plen=64)

We have configured NDPMon to expect 2 routes:

  • 2001:db8:1:2::/64 with preference High and a lifetime of 2592000 seconds
  • 2001:db8:2:2::/64 with preference Low and a lifetime of 3600 seconds

When it received this RA, NDPMon complained about an advertised route that differed from what it had learned during the learning phase:

  ----- ND_ROUTER_ADVERT -----
  [alerts] Alert "wrong RA Route Info option" raised on probe "eth1".
  [countermeasures]: Sent zero lifetime RA for wrong route.
  [countermeasures]: Sent propagate params RA for wrong Route Info options.
  ------------------
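The following is an added example, not NDPMon's own code, that reproduces the scenario of the test above at the byte level: it parses the Route Information options (RFC 4191) out of a Router Advertisement (RFC 4861 header), compares them with the two routes learned for the router, and builds the two response RAs the description names, a zero-lifetime RA for the wrong route (what cm_kill_wrong_route sends) and a propagate RA re-announcing the learned routes (what cm_propagate_router_routes sends). The learned route table and the sample packets are constructed inline from the values on this page; ICMPv6 checksums, the Prefix Information and Source Link-Layer options, and the actual transmission are deliberately left out. The scapy6 packet's `prf=8` corresponds to preference bits 01 (High) in the option's flags byte, which is what the constructed sample encodes.

```python
"""Added example (not NDPMon's own code): check the Route Information
options of an IPv6 Router Advertisement against the routes learned for
that router, and build the two response RAs the page describes."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_ROUTE_INFO = 24      # ND option type for Route Information (RFC 4191)
PRF_NAMES = {0b01: "High", 0b00: "Medium", 0b11: "Low"}   # 0b10 is reserved
PRF_VALUES = {name: bits for bits, name in PRF_NAMES.items()}


def build_route_info(prefix, prf, lifetime):
    """Encode one Route Information option: type, length (8-byte units),
    prefix length, reserved|prf|reserved byte, route lifetime, prefix."""
    net = ipaddress.IPv6Network(prefix)
    nbytes = 0 if net.prefixlen == 0 else (8 if net.prefixlen <= 64 else 16)
    head = struct.pack("!BBBBI", OPT_ROUTE_INFO, 1 + nbytes // 8,
                       net.prefixlen, (PRF_VALUES[prf] & 0x3) << 3, lifetime)
    return head + net.network_address.packed[:nbytes]


def build_ra(router_lifetime, options):
    """RA header: type, code, checksum (left 0 here), cur hop limit, flags,
    router lifetime, reachable time, retrans timer, then the options."""
    head = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    return head + b"".join(options)


def parse_route_info(ra):
    """Return [(prefix, prf_name, lifetime)] for each Route Information option.
    Options with the reserved preference are ignored (RFC 4191); a zero-length
    option makes the whole RA invalid (RFC 4861), so it is rejected."""
    if not ra or ra[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    routes, off = [], 16
    while off + 8 <= len(ra):
        otype, olen = ra[off], ra[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option; RA must be discarded")
        end = off + olen * 8
        if otype == OPT_ROUTE_INFO and end <= len(ra):
            plen, flags, lifetime = struct.unpack("!BBI", ra[off + 2:off + 8])
            prf = (flags >> 3) & 0x3
            if prf in PRF_NAMES:
                raw = ra[off + 8:end][:16].ljust(16, b"\x00")
                net = ipaddress.IPv6Network((raw, plen), strict=False)
                routes.append((str(net), PRF_NAMES[prf], lifetime))
        off = end
    return routes


def check_route_info(ra, learned):
    """Advertised routes that differ from the learned entry
    (learned: {prefix: (prf_name, lifetime)}). An empty list means consistent."""
    return [r for r in parse_route_info(ra) if learned.get(r[0]) != (r[1], r[2])]


def countermeasure_ras(ra, learned, router_lifetime):
    """Return (kill_ra, propagate_ra) for a wrong RA, or None if it is consistent.
    kill_ra re-announces each wrong route with lifetime 0 so hosts drop it;
    propagate_ra re-announces every learned route with its learned parameters."""
    wrong = check_route_info(ra, learned)
    if not wrong:
        return None
    kill = build_ra(router_lifetime,
                    [build_route_info(p, prf, 0) for p, prf, _ in wrong])
    propagate = build_ra(router_lifetime,
                         [build_route_info(p, prf, lt) for p, (prf, lt) in learned.items()])
    return kill, propagate


# Constructed sample data mirroring the test on this page.
LEARNED_ROUTES = {
    "2001:db8:1:2::/64": ("High", 2592000),
    "2001:db8:2:2::/64": ("Low", 3600),
}
# RA from the (spoofed) legitimate router carrying a route it never announced.
WRONG_RA = build_ra(30528, [build_route_info("2001:db8:1111:2222::/64", "High", 2592000)])
# Same option but with the reserved preference value 0b10 in the prf bits.
RESERVED_PRF_RA = build_ra(30528, [
    struct.pack("!BBBBI", OPT_ROUTE_INFO, 2, 64, 0b10 << 3, 2592000)
    + ipaddress.IPv6Network("2001:db8:1111:2222::/64").network_address.packed[:8]])

if __name__ == "__main__":
    print("wrong routes:", check_route_info(WRONG_RA, LEARNED_ROUTES))
    kill, propagate = countermeasure_ras(WRONG_RA, LEARNED_ROUTES, 30528)
    print("kill RA routes:", parse_route_info(kill))        # lifetime 0
    print("propagate RA routes:", parse_route_info(propagate))
```

Running it reports the 2001:db8:1111:2222::/64 route as wrong, a kill RA announcing that route with lifetime 0, and a propagate RA carrying the two learned routes with their learned preference and lifetime. The reserved-preference sample parses to no routes at all, which is the behaviour RFC 4191 mandates and a useful edge case for a monitor that must not raise alerts on options hosts will ignore anyway.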