Latest version: 2.1.0


Rogue Router Advertisements

We have declared 2 legitimate routers in NDPMon:

  • router1 - MAC 02:fd:00:00:01:02 - LLA fe80::fd:ff:fe00:102 - IPv6 Prefix fd75:7c74:2274:1::/64
  • another router (not really present) called router2 - MAC 02:fd:00:00:0a:0b - LLA fe80::fd:ff:fe00:a0b - IPv6 Prefix fd75:7c74:2274:ab::/64

The rogue RAs are forged and sent with scapy. To build and send a valid RA for router1, with the Ethernet source, the IPv6 link-local source, the advertised prefix and the Source Link-Layer Address option all matching the declared router, we use the following commands:

  from scapy.all import Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo, ICMPv6NDOptSrcLLAddr, sendp
  ra = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")
  sendp(ra, loop=0, inter=3)   # loop=0: send the frame once; inter only matters with loop=1

Note: volatile_parameters is set to 1 in the configuration, so the RA parameters themselves (hop limit, M/O flags, lifetimes) are not compared against those stored for router1; only the source MAC, the source LLA and the advertised prefix are checked in the scenarios below.

Details about the forged RA can be obtained with the summary and display methods:

  >>> ra
  <Ether  src=02:fd:00:00:01:02 type=0x86dd |<IPv6  nh=ICMPv6 hlim=255 src=fe80::fd:ff:fe00:102 dst=ff02::1 |<ICMPv6ND_RA  |<ICMPv6NDOptPrefixInfo  prefixlen=64 prefix=fd75:7c74:2274:1:: |<ICMPv6NDOptSrcLLAddr  lladdr=02:fd:00:00:01:02 |>>>>

  >>> ra.summary()
  'Ether / IPv6 / ICMPv6ND_RA / ICMPv6NDOptPrefixInfo / ICMPv6 Neighbor Discovery Option - Source Link-Layer Address 02:fd:00:00:01:02'

  >>> ra.display()
  ###[ Ethernet ]###
    dst= 33:33:00:00:00:01
    src= 02:fd:00:00:01:02
    type= 0x86dd
  ###[ IPv6 ]###
       version= 6
       tc= 0
       fl= 0
       plen= None
       nh= ICMPv6
       hlim= 255
       src= fe80::fd:ff:fe00:102
       dst= ff02::1
  ###[ ICMPv6 Neighbor Discovery - Router Advertisement ]###
          type= Router Advertisement
          code= 0
          cksum= None
          chlim= 0
          M= 0
          O= 0
          H= 0
          prf= High
          P= 0
          res= 0
          routerlifetime= 1800
          reachabletime= 0
          retranstimer= 0
  ###[ ICMPv6 Neighbor Discovery Option - Prefix Information ]###
             type= 3
             len= 4
             prefixlen= 64
             L= 1
             A= 1
             R= 0
             res1= 0
             validlifetime= 0xffffffffL
             preferredlifetime= 0xffffffffL
             res2= 0x0
             prefix= fd75:7c74:2274:1::
  ###[ ICMPv6 Neighbor Discovery Option - Source Link-Layer Address ]###
                type= 1
                len= 1
                lladdr= 02:fd:00:00:01:02

wrong router mac

We send an RA whose Ethernet source MAC (02:fd:00:00:01:FF) belongs to no declared router, while the Source Link-Layer Address option still carries router1's MAC:

  ra_wrong_mac = Ether(src="02:fd:00:00:01:FF")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")

NDPMon detects the rogue RA and raises a wrong router mac alert:

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong router mac 2:fd:0:0:1:ff fe80:0:0:0:fd:ff:fe00:102
  Date: Mon,  9 Jul 2012 16:43:35 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong router mac
  MAC:     :2:fd:0:0:1:ff
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:102
  DNS:     :n/a

In addition, because the source MAC in the Ethernet header (02:fd:00:00:01:FF) differs from the address carried in the RA's Source Link-Layer Address option (02:fd:00:00:01:02), NDPMon also raises an ethernet mismatch alert for the same packet (note the identical timestamp):

  To: root@localhost
  Subject: NDPMon_Security_Alert: ethernet mismatch 2:fd:0:0:1:2 2:fd:0:0:1:ff fe80:0:0:0:fd:ff:fe00:102
  Date: Mon,  9 Jul 2012 16:43:35 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :ethernet mismatch
  MAC:     :2:fd:0:0:1:ff
  MAC2:    :2:fd:0:0:1:2
  IPv6:    :fe80::fd:ff:fe00:102
  DNS:     :n/a

wrong router ip

We send an RA with router1's MAC but an IPv6 link-local source (fe80::fd:ff:fe00:456) that belongs to no declared router:

  ra_wrong_ip = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:456", dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")

NDPMon detects the rogue RA and raises a wrong router ip alert:

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong router ip 2:fd:0:0:1:2 fe80:0:0:0:fd:ff:fe00:456
  Date: Mon,  9 Jul 2012 16:47:00 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong router ip
  MAC:     :2:fd:0:0:1:2
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:456
  DNS:     :n/a

wrong prefix

We send an RA from router1's legitimate MAC and LLA, but advertising a prefix (fd75:7c74:2274:2::/64) that is not declared for that router:

  ra_wrong_prefix = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:2::", prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")

NDPMon detects the rogue RA and raises a wrong prefix alert:

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong prefix fd75:7c74:2274:2 2:fd:0:0:1:2 fe80:0:0:0:fd:ff:fe00:102
  Date: Mon,  9 Jul 2012 16:51:37 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong prefix
  MAC:     :2:fd:0:0:1:2
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:102
  DNS:     :n/a

wrong couple MAC/IP

We declared two legitimate routers, and NDPMon checks not only that the source MAC and the source IPv6 address of an RA are each legitimate, but also that they belong to the same router. We therefore send an RA whose Ethernet source is router1's MAC, while the IPv6 source, the advertised prefix and the Source Link-Layer Address option are router2's:

  ra_wrong_couple = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:a0b", dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:ab::", prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:0a:0b")

NDPMon detects the rogue RA and raises a wrong couple IP/MAC alert:

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong couple IP/MAC 2:fd:0:0:1:2 fe80:0:0:0:fd:ff:fe00:a0b in RA
  Date: Mon,  9 Jul 2012 16:52:42 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong couple IP/MAC
  MAC:     :2:fd:0:0:1:2
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:a0b
  DNS:     :n/a
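The five scenarios above each exercise one of NDPMon's RA sanity checks. The following Python is an added example, not NDPMon's code (NDPMon itself is written in C): it re-implements those checks (ethernet mismatch, wrong router mac, wrong router ip, wrong couple IP/MAC, wrong prefix) over the fields of an RA, using the two routers declared on this page and the five forged packets reduced to the fields the checks look at. The dataclass, the function names, the rule that a prefix is judged against the router identified by the Ethernet source MAC, and the alert-address formatters are this example's own assumptions.

```python
"""Model of the RA checks exercised on this page (added example, not NDPMon's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Legitimate routers exactly as declared on this page.
ROUTERS = {
    "router1": {"mac": "02:fd:00:00:01:02", "lla": "fe80::fd:ff:fe00:102",
                "prefixes": ["fd75:7c74:2274:1::/64"]},
    "router2": {"mac": "02:fd:00:00:0a:0b", "lla": "fe80::fd:ff:fe00:a0b",
                "prefixes": ["fd75:7c74:2274:ab::/64"]},
}


@dataclass
class RouterAdvertisement:
    """Only the RA fields the checks need (what the scapy layers above carry)."""
    eth_src: str                      # Ether.src
    ip6_src: str                      # IPv6.src
    prefixes: List[str]               # ICMPv6NDOptPrefixInfo as "prefix/len"
    src_lladdr: Optional[str] = None  # ICMPv6NDOptSrcLLAddr.lladdr, if present


def mac_key(mac: str) -> str:
    """Canonical MAC for comparisons: lowercase, two hex digits per byte."""
    return ":".join(f"{int(b, 16):02x}" for b in mac.split(":"))


def check_ra(ra: RouterAdvertisement, routers=ROUTERS) -> List[str]:
    """Return the alert reasons this RA would raise; an empty list means legitimate."""
    alerts = []
    mac = mac_key(ra.eth_src)
    lla = ipaddress.IPv6Address(ra.ip6_src)
    by_mac = {mac_key(r["mac"]): name for name, r in routers.items()}
    by_lla = {ipaddress.IPv6Address(r["lla"]): name for name, r in routers.items()}

    # The Ethernet source and the Source Link-Layer Address option must agree.
    if ra.src_lladdr is not None and mac_key(ra.src_lladdr) != mac:
        alerts.append("ethernet mismatch")

    mac_owner = by_mac.get(mac)   # declared router owning the source MAC, if any
    lla_owner = by_lla.get(lla)   # declared router owning the source LLA, if any
    if mac_owner is None:
        alerts.append("wrong router mac")
    if lla_owner is None:
        alerts.append("wrong router ip")
    # Both addresses are legitimate but belong to two different routers.
    if mac_owner is not None and lla_owner is not None and mac_owner != lla_owner:
        alerts.append("wrong couple IP/MAC")

    # Assumption of this example: prefixes are judged against the router that
    # owns the source MAC, once that MAC is known to be a declared router.
    if mac_owner is not None:
        allowed = {ipaddress.IPv6Network(p) for p in routers[mac_owner]["prefixes"]}
        for p in ra.prefixes:
            if ipaddress.IPv6Network(p) not in allowed:
                alerts.append("wrong prefix")
    return alerts


def alert_mac(mac: str) -> str:
    """MAC as it appears in the alert subjects above: leading zeros dropped (2:fd:0:0:1:ff)."""
    return ":".join(f"{int(b, 16):x}" for b in mac.split(":"))


def alert_ip6(addr: str) -> str:
    """IPv6 as in the alert subjects: all eight groups, no leading zeros (fe80:0:0:0:fd:ff:fe00:102)."""
    groups = ipaddress.IPv6Address(addr).exploded.split(":")
    return ":".join(f"{int(g, 16):x}" for g in groups)


# The five RAs forged with scapy on this page, reduced to the checked fields (constructed here).
SAMPLES = {
    "ra": RouterAdvertisement("02:fd:00:00:01:02", "fe80::fd:ff:fe00:102",
                              ["fd75:7c74:2274:1::/64"], "02:fd:00:00:01:02"),
    "ra_wrong_mac": RouterAdvertisement("02:fd:00:00:01:FF", "fe80::fd:ff:fe00:102",
                                        ["fd75:7c74:2274:1::/64"], "02:fd:00:00:01:02"),
    "ra_wrong_ip": RouterAdvertisement("02:fd:00:00:01:02", "fe80::fd:ff:fe00:456",
                                       ["fd75:7c74:2274:1::/64"], "02:fd:00:00:01:02"),
    "ra_wrong_prefix": RouterAdvertisement("02:fd:00:00:01:02", "fe80::fd:ff:fe00:102",
                                           ["fd75:7c74:2274:2::/64"], "02:fd:00:00:01:02"),
    "ra_wrong_couple": RouterAdvertisement("02:fd:00:00:01:02", "fe80::fd:ff:fe00:a0b",
                                           ["fd75:7c74:2274:ab::/64"], "02:fd:00:00:0a:0b"),
}

if __name__ == "__main__":
    for name, ra in SAMPLES.items():
        for reason in check_ra(ra) or ["(legitimate)"]:
            print(f"{name}: {reason} {alert_mac(ra.eth_src)} {alert_ip6(ra.ip6_src)}")
```

Because every check is evaluated independently, ra_wrong_mac yields both alerts shown above, and ra_wrong_couple additionally trips the ethernet mismatch check (Ethernet source 02:fd:00:00:01:02 against option 02:fd:00:00:0a:0b) and the prefix check (router2's prefix sent from router1's MAC), where the page reproduces only the couple alert; the point is the behaviour of each check, not the exact set of mails.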