Ethernet related alerts

DAD DoS

Using thc-ipv6, we launch a DoS attack against the Duplicate Address Detection (DAD) procedure.

On the attacker, we launch the dos-new-ip6 tool:

    root@attacker:~# dos-new-ip6 eth1
    Started ICMP6 DAD Denial-of-Service (Press Control-C to end) ...
    Spoofed packet for existing ip6 as fd75:7c74:2274:1:fd:ff:fe00:401
    Spoofed packet for existing ip6 as fe80::fd:ff:fe00:401
    Spoofed packet for existing ip6 as fd75:7c74:2274:1:fd:ff:fe00:401
    Spoofed packet for existing ip6 as fd75:7c74:2274:1:fd:ff:fe00:401
    Spoofed packet for existing ip6 as fd75:7c74:2274:1:fd:ff:fe00:401
    ^C

Note: To make sure that all packets are intercepted, put the interface in promiscuous mode (ifconfig eth1 promisc).

Note 2: Alternatively, you can run tcpdump in parallel (e.g. tcpdump -i eth1 icmp6) and observe the attack.

In the meantime, we trigger a DAD procedure on host1 by setting the interface down and up again:

    root@host1:~# ifdown eth1
    root@host1:~# ifup eth1
    ssh stop/waiting
    ssh start/running, process 1533

Warning: As the SSH server is stopped when the interface goes down, be sure to run these commands from a serial console.

Note: We can verify that the DAD procedure was disrupted by checking the state of the address we are trying to validate:

    root@host1:~# ip -6 addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
        inet6 fe80::fd:ff:fe00:401/64 scope link tentative dadfailed
           valid_lft forever preferred_lft forever

The link-local address is in the tentative dadfailed state: DAD failed for it because the attacker claimed the address.

NDPMon detects the attack and raises a dad dos alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: dad dos 2:fd:1f:c3:9d:4e fe80::fd:ff:fe00:401
    Date: Mon,  9 Jul 2012 14:48:10 +0200 (CEST)
    From: root@ndpmon (root)

    Reason:  :dad dos
    MAC:     :2:fd:1f:c3:9d:4e
    MAC2:    :n/a
    IPv6:    :fe80::fd:ff:fe00:401
    DNS:     :n/a
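To illustrate what a monitor on the link can look for, here is an added example (not NDPMon's code; an approximation of the check, with the window and threshold values being assumptions) that replays a constructed stream of Neighbor Solicitation/Advertisement events and flags a MAC that answers DAD probes for several distinct tentative addresses, while ignoring the unsolicited NA a host sends for its own address once DAD succeeds:

```python
"""Heuristic DAD DoS detector (added example, not NDPMon's own code).
Assumption: the attack tool answers every DAD probe on the link, so a
single MAC ends up claiming several distinct tentative addresses."""
from collections import defaultdict
from dataclasses import dataclass

DAD_WINDOW = 5.0      # seconds an NA may follow its probe (assumed value)
DAD_THRESHOLD = 2     # distinct probed targets one MAC may claim per window

@dataclass
class Icmp6Event:
    ts: float       # capture timestamp in seconds
    kind: str       # "NS" (Neighbor Solicitation) or "NA" (Neighbor Advertisement)
    src_ip: str     # "::" on an NS marks a DAD probe (RFC 4862)
    src_mac: str    # Ethernet source of the frame
    target: str     # ICMPv6 target address

def detect_dad_dos(events, window=DAD_WINDOW, threshold=DAD_THRESHOLD):
    """Return (claiming MAC, sorted targets) for each MAC exceeding the threshold."""
    probes = {}                    # target -> (ts, MAC of the node doing DAD)
    claims = defaultdict(dict)     # MAC -> {target: ts of the NA that claimed it}
    alerts, flagged = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "NS" and ev.src_ip == "::":
            probes[ev.target] = (ev.ts, ev.src_mac)
        elif ev.kind == "NA" and ev.target in probes:
            probe_ts, prober = probes[ev.target]
            # The prober itself sends an unsolicited NA once DAD succeeds: not a claim.
            if ev.src_mac == prober or ev.ts - probe_ts > window:
                continue
            claims[ev.src_mac][ev.target] = ev.ts
            recent = sorted(t for t, ts in claims[ev.src_mac].items() if ev.ts - ts <= window)
            if len(recent) >= threshold and ev.src_mac not in flagged:
                flagged.add(ev.src_mac)
                alerts.append((ev.src_mac, recent))
    return alerts

HOST1, ATTACKER = "02:fd:00:00:04:01", "02:fd:1f:c3:9d:4e"   # MACs taken from this page
LLA, GLOBAL = "fe80::fd:ff:fe00:401", "fd75:7c74:2274:1:fd:ff:fe00:401"
# Constructed event stream mirroring the scenario above: every DAD probe is answered.
ATTACK_EVENTS = [
    Icmp6Event(0.00, "NS", "::", HOST1, LLA),
    Icmp6Event(0.01, "NA", LLA, ATTACKER, LLA),
    Icmp6Event(0.05, "NS", "::", HOST1, GLOBAL),
    Icmp6Event(0.06, "NA", GLOBAL, ATTACKER, GLOBAL),
]
# Constructed benign stream: DAD succeeds and host1 announces its own address.
BENIGN_EVENTS = [Icmp6Event(0.0, "NS", "::", HOST1, LLA),
                 Icmp6Event(1.0, "NA", LLA, HOST1, LLA)]
```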

Ethernet addresses changing

Besides detecting this DoS, NDPMon also monitors Ethernet addresses over time. Let's take the example of host1 with Ethernet address 02:fd:00:00:04:01 and Link Local Address (LLA) fe80::fd:ff:fe00:401.

With the thc-ipv6 tool fake_advertise6 we will advertise Ethernet addresses for that host. To send a Neighbor Advertisement (NA) with valid parameters, we use the following command:

    root@attacker:~# fake_advertise6 eth1 fe80::fd:ff:fe00:401 ff02::1 02:fd:00:00:04:01

Changed Ethernet address

Such an alert is raised when a node's Ethernet address changes. In our example, we advertise a new Ethernet address, 02:fd:00:00:04:10.

    root@attacker:~# fake_advertise6 eth1 fe80::fd:ff:fe00:401 ff02::1 02:fd:00:00:04:10

NDPMon detects the change of Ethernet address and raises a changed ethernet address alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: changed ethernet address 2:fd:0:0:4:1 to 2:fd:0:0:4:10 fe80::fd:ff:fe00:401
    Date: Mon,  9 Jul 2012 15:52:55 +0200 (CEST)
    From: root@vnx (root)

    Reason:  :changed ethernet address
    MAC:     :2:fd:0:0:4:1
    MAC2:    :2:fd:0:0:4:10
    IPv6:    :fe80::fd:ff:fe00:401
    DNS:     :n/a

Reused old Ethernet address

We trigger several changed ethernet address alerts for the MACs 02:fd:00:00:04:10, 02:fd:00:00:04:20 and 02:fd:00:00:04:30. NDPMon keeps track of all the Ethernet addresses used by a host.

Let's say that the address currently in use is 02:fd:00:00:04:30 and we advertise an old one, 02:fd:00:00:04:10:

    root@attacker:~# fake_advertise6 eth1 fe80::fd:ff:fe00:401 ff02::1 02:fd:00:00:04:10

NDPMon detects that this address has already been seen in the past and raises a reused old ethernet address alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: reused old ethernet address 2:fd:0:0:4:10 instead of 2:fd:0:0:4:30 for fe80::fd:ff:fe00:401
    Date: Mon,  9 Jul 2012 15:57:00 +0200 (CEST)
    From: root@vnx (root)

    Reason:  :reused old ethernet address
    MAC:     :2:fd:0:0:4:10
    MAC2:    :2:fd:0:0:4:30
    IPv6:    :fe80::fd:ff:fe00:401
    DNS:     :n/a

Flip flop

When Ethernet addresses change, NDPMon keeps track of all the addresses used, but also remembers the last address used before the current one in order to detect flip flops.

Thus, continuing the previous example, if we advertise 02:fd:00:00:04:30 again:

    root@attacker:~# fake_advertise6 eth1 fe80::fd:ff:fe00:401 ff02::1 02:fd:00:00:04:30

NDPMon raises a flip flop alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: flip flop between 2:fd:0:0:4:10 and 2:fd:0:0:4:30 for fe80::fd:ff:fe00:401
    Date: Mon,  9 Jul 2012 16:01:30 +0200 (CEST)
    From: root@vnx (root)

    Reason:  :flip flop
    MAC:     :2:fd:0:0:4:30
    MAC2:    :2:fd:0:0:4:10
    IPv6:    :fe80::fd:ff:fe00:401
    DNS:     :n/a
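The three alert types above (changed, reused old, flip flop) follow from a small per-neighbor state: the current Ethernet address, the one used just before it, and the set of all addresses ever seen. The following added example (not NDPMon's source, an approximation of its behaviour built from the alerts shown on this page) tracks that state and replays the sequence of advertisements from the sections above:

```python
"""Tracks the Ethernet address(es) seen for each IPv6 address and classifies
changes the way the alerts on this page do. Added example: an approximation of
NDPMon's behaviour, not its source code."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NeighborRecord:
    current: str                                # Ethernet address in use now
    previous: Optional[str] = None              # address used just before the current one
    history: set = field(default_factory=set)   # every address ever seen for this node

class NeighborTracker:
    def __init__(self):
        self.table = {}   # IPv6 address -> NeighborRecord

    def observe(self, ipv6, mac):
        """Record an NA advertising ipv6 with mac; return the alert name or None."""
        mac = mac.lower()
        rec = self.table.get(ipv6)
        if rec is None:                       # first time we see this node: just learn it
            self.table[ipv6] = NeighborRecord(current=mac, history={mac})
            return None
        if mac == rec.current:
            return None                       # nothing changed
        if mac == rec.previous:
            alert = "flip flop"               # swinging back to the address just left
        elif mac in rec.history:
            alert = "reused old ethernet address"
        else:
            alert = "changed ethernet address"
        rec.previous, rec.current = rec.current, mac
        rec.history.add(mac)
        return alert

def replay(tracker, observations):
    """Feed (ipv6, mac) pairs in order; return the alerts raised, in order."""
    return [a for ipv6, mac in observations if (a := tracker.observe(ipv6, mac))]

# Constructed from the sequence of advertisements shown on this page.
LLA = "fe80::fd:ff:fe00:401"
PAGE_SEQUENCE = [(LLA, m) for m in (
    "02:fd:00:00:04:01",                                           # host1's real address
    "02:fd:00:00:04:10", "02:fd:00:00:04:20", "02:fd:00:00:04:30", # three changes
    "02:fd:00:00:04:10",                                           # an old address again
    "02:fd:00:00:04:30",                                           # back to the previous one
)]
```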