Latest version: 2.1.0

Rogue Neighbor Advertisements

NA Router flag

We send a Neighbor Advertisement (NA) for a regular host but set the router flag to 1.

  na_router = Ether(src="02:fd:00:00:03:01")/IPv6(src="fe80::fd:ff:fe00:301", dst="ff02::1")/ICMPv6ND_NA(tgt="fe80::fd:ff:fe00:301", R=1)

This can mean that connection sharing may have been activated under Windows; it is usually followed by rogue RAs.

NDPMon detects that the NA has been sent by a non-legitimate router and raises an NA router flag alert.

  To: root@localhost
  Subject: NDPMon_Security_Alert: NA router flag 2:fd:0:0:3:1 fe80:0:0:0:fd:ff:fe00:301
  Date: Mon,  9 Jul 2012 17:26:38 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :NA router flag
  MAC:     :2:fd:0:0:3:1
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:301
  DNS:     :n/a

NA Override flag

We send a Neighbor Advertisement (NA) with the Override flag set to 1 and no Target Link-Layer Address option.

  na_no_tgtlla = Ether(src="02:fd:00:00:03:01")/IPv6(src="fe80::fd:ff:fe00:301", dst="ff02::1")/ICMPv6ND_NA(tgt="fe80::fd:ff:fe00:301", O=1, R=0)

NDPMon detects that the NA is missing an option and should not override the cache entry, and raises an NA Override flag alert.

  To: root@localhost
  Subject: NDPMon_Security_Alert: NA Override flag:fd:0:0:3:1 fe80:0:0:0:fd:ff:fe00:301 fe80:0:0:0:fd:ff:fe00:301
  Date: Thu, 12 Jul 2012 10:13:40 +0200 (CEST)
  From: root@vnx (root)

  Reason:  NA Override flag
  MAC:     2:fd:0:0:3:1
  Vendor:  unknown
  MAC2:    n/a
  Vendor2: n/a
  IPv6:    fe80::fd:ff:fe00:301
  DNS:     n/a

NA multicast target

We send a Neighbor Advertisement (NA) with a multicast address as target.

  fake_advertise6 eth1 ff02::1:ff00:701 ff02::1 02:fd:00:00:07:01 fe80::fd:ff:fe00:701

NDPMon detects the rogue NA and raises an NA multicast target alert.

  To: root@localhost
  Subject: NDPMon_Security_Alert: NA multicast target 2:fd:0:0:7:1 fe80:0:0:0:fd:ff:fe00:701 ff02:0:0:0:0:1:ff00:701
  Date: Tue, 10 Jul 2012 16:43:55 +0200 (CEST)
  From: root@vnx (root)

  Reason:  NA multicast target
  MAC:     2:fd:0:0:7:1
  Vendor:  unknown
  MAC2:    n/a
  Vendor2: n/a
  IPv6:    fe80::fd:ff:fe00:701
  DNS:     n/a
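
The three checks described on this page can be expressed over the raw ICMPv6 NA message as follows. This is an added example, not NDPMon's own code: the function names, the KNOWN_ROUTERS allow-list and the sample messages are constructed for illustration, and the Override check assumes the rule stated above (Override set without a Target Link-Layer Address option).

```python
import ipaddress
import struct

ND_NA = 136       # ICMPv6 type: Neighbor Advertisement (RFC 4861)
OPT_TGT_LLA = 2   # ND option type: Target Link-Layer Address

def parse_na(icmp6):
    """Return (flags, target, option types) for a raw ICMPv6 NA message."""
    if len(icmp6) < 24 or icmp6[0] != ND_NA:
        raise ValueError("not a Neighbor Advertisement")
    flags = {"R": bool(icmp6[4] & 0x80), "S": bool(icmp6[4] & 0x40),
             "O": bool(icmp6[4] & 0x20)}
    target = ipaddress.IPv6Address(icmp6[8:24])
    opts, off = set(), 24
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1]   # length in 8-byte units
        if opt_len == 0 or off + opt_len * 8 > len(icmp6):
            raise ValueError("malformed ND option")
        opts.add(opt_type)
        off += opt_len * 8
    return flags, target, opts

def check_na(src_ip, icmp6, known_routers):
    """Return alert reasons, named after the three alerts on this page."""
    flags, target, opts = parse_na(icmp6)
    alerts = []
    if flags["R"] and ipaddress.IPv6Address(src_ip) not in known_routers:
        alerts.append("NA router flag")
    if flags["O"] and OPT_TGT_LLA not in opts:
        alerts.append("NA Override flag")
    if target.is_multicast:
        alerts.append("NA multicast target")
    return alerts

def build_na(target, r=0, o=0, tgt_lla=None):
    """Build a constructed sample NA for the checks (checksum left at 0)."""
    msg = struct.pack("!BBHB3x", ND_NA, 0, 0, (r << 7) | (o << 5))
    msg += ipaddress.IPv6Address(target).packed
    if tgt_lla:
        msg += bytes([OPT_TGT_LLA, 1]) + bytes.fromhex(tgt_lla.replace(":", ""))
    return msg

KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}   # assumed allow-list

if __name__ == "__main__":
    host = "fe80::fd:ff:fe00:301"
    print(check_na(host, build_na(host, r=1), KNOWN_ROUTERS))
    print(check_na(host, build_na(host, o=1), KNOWN_ROUTERS))
    print(check_na(host, build_na("ff02::1:ff00:701"), KNOWN_ROUTERS))
```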