Latest version: 2.1.0


Rogue Router Advertisements DNS Options

We have configured NDPMon to expect two nameservers, fd75:7c74:2274:1::53 and fd75:7c74:2274:1::5353, with a 900 second lifetime, and the domain testbed.localdomain with a 1000 second lifetime.

wrong RA RDNSS option

We send an RA advertising a wrong DNS server, fd75:7c74:2274:1::53:53:

from scapy.all import *

# Rogue RA: the first RDNSS option repeats the two legitimate nameservers,
# the second one advertises the bogus fd75:7c74:2274:1::53:53
ra_rdnss = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")/ICMPv6NDOptRDNSS(lifetime=900, dns=["fd75:7c74:2274:1::53", "fd75:7c74:2274:1::5353"])/ICMPv6NDOptRDNSS(lifetime=600, dns=["fd75:7c74:2274:1::53:53"])

When it received the rogue RA, NDPMon complained about an advertised nameserver that differs from what it learned during the learning phase:

To: root@localhost
Subject: NDPMon_Security_Alert: wrong RA RDNSS option: fd75:7c74:2274:1:0:0:53:53 600
Date: Fri, 20 Jul 2012 11:22:44 +0200 (CEST)
From: root@vnx (root)

Reason:  wrong RA RDNSS option
MAC:     2:fd:0:0:1:2
Vendor:  unknown
MAC2:    n/a
Vendor2: n/a
IPv6:    fe80::fd:ff:fe00:102
DNS:     n/a

wrong RA DNSSL option

Scapy6 extension

Scapy6 supports the RDNSS option but not DNSSL. Basic support for this option was added by applying the following patch to scapy/layers/inet6.py:

--- scapy/layers/inet6.py.orig  2009-11-06 11:56:46.000000000 +0100
+++ scapy/layers/inet6.py       2012-07-20 11:53:02.494787759 +0200
@@ -1369,7 +1369,8 @@
                23: "MAP Option",          # RFC 4140
                24: "Route Information Option",  # RFC 4191
                25: "Recusive DNS Server Option",
-               26: "IPv6 Router Advertisement Flags Option"
+               26: "IPv6 Router Advertisement Flags Option",
+               31: "DNS Search List Option",
                 }
 
 icmp6ndoptscls = { 1: "ICMPv6NDOptSrcLLAddr",
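Review bot: the new entry `31: "DNS Search List Option",` uses the type code RFC 6106 assigns to DNSSL, so it is correct, but it would be worth a trailing `# RFC 6106` comment to match the documented entries `23` and `24` just above it; while in this hunk, the context line `25: "Recusive DNS Server Option",` carries a typo ("Recursive") that could be fixed in passing.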
@@ -1399,7 +1400,8 @@
                   23: "ICMPv6NDOptMAP",
                   24: "ICMPv6NDOptRouteInfo",
                   25: "ICMPv6NDOptRDNSS",
-                  26: "ICMPv6NDOptEFA"
+                  26: "ICMPv6NDOptEFA",
+                  31: "ICMPv6NDOptDNSSL"
                   }
 
 class _ICMPv6NDGuessPayload:
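Review bot: `+                  31: "ICMPv6NDOptDNSSL"` should end with a trailing comma, the same way this hunk had to add one to the `26` entry, so that the next option added to `icmp6ndoptscls` does not again have to touch the previous line; the name itself is consistent with the `ICMPv6NDOptDNSSL` class introduced in the third hunk.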
@@ -1636,6 +1638,15 @@
                     IP6ListField("dns", [],
                                  length_from = lambda pkt: 8*(pkt.len-1)) ]
 
+class ICMPv6NDOptDNSSL(_ICMPv6NDGuessPayload, Packet): # RFC 6106
+    name = "ICMPv6 Neighbor Discovery Option - DNS Search List Option"
+    fields_desc = [ ByteField("type", 31),
+                   ByteField("len", 3),
+                   #FieldLenField("len", None, length_of="search", adjust=lambda pkt,x:x+8),
+                    ShortField("res", None),
+                    IntField("lifetime", 0xffffffff),
+                   StrLenField("search", default="inria.fr\0000000", length_from=lambda pkt: (pkt.len+8)/8 ) ]
+
 class ICMPv6NDOptEFA(_ICMPv6NDGuessPayload, Packet): # RFC 5175 (prev. 5075)
     name = "ICMPv6 Neighbor Discovery Option - Expanded Flags Option"
     fields_desc = [ ByteField("type", 26),
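Review bot: `length_from=lambda pkt: (pkt.len+8)/8` on the `search` field is wrong: `len` counts 8-octet units and includes the 8-byte header (type, len, res, lifetime), so the search list spans `8*(pkt.len-1)` bytes, exactly as the RDNSS `dns` field in the context above computes it; with the hard-coded `ByteField("len", 3)` the current expression dissects a single byte instead of 16. The commented-out `FieldLenField` should adjust in the same units, e.g. `adjust=lambda pkt,x: (x+8)//8`, so that `len` is derived from a zero-padded `search` rather than fixed at 3. The default `"inria.fr\0000000"` is also not what it looks like: Python reads `\000` as one octal NUL escape, so the value is 13 bytes (`inria.fr`, NUL, `0000`) rather than a NUL-padded 16-byte field. Two smaller points: RFC 6106 carries search-list names as DNS label sequences (length-prefixed labels, zero terminated, zero padded to the 8-octet boundary), not as NUL-separated dotted strings, so a conforming receiver will not decode this layout; and the `ShortField` and `IntField` lines are indented one space deeper than the other fields.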

Testing it

We have configured NDPMon to expect the domain inria.fr with a 900 second lifetime and send the following RA, which advertises loria.fr as well:

from scapy.all import *

# Rogue RA carrying the patched DNSSL option: inria.fr is expected, loria.fr is not
ra_dnssl3 = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_RA(chlim=64, routerlifetime=30528, prf=0)/ICMPv6NDOptPrefixInfo(prefix="fd75:7c74:2274:1::", prefixlen=64, R=1, validlifetime=2592000, preferredlifetime=604800)/ICMPv6NDOptSrcLLAddr(lladdr="02:fd:00:00:01:02")/ICMPv6NDOptDNSSL(len=4,lifetime=900,search="inria.fr\0loria.fr\0\0\0\0\0\0\0")

On reception, NDPMon detects that a wrong domain name was advertised in the search list and raises an alert:

To: root@localhost
Subject: NDPMon_Security_Alert: wrong RA DNSSL option: loria.fr 900
Date: Fri, 20 Jul 2012 12:13:48 +0200 (CEST)
From: root@vnx (root)

Reason:  wrong RA DNSSL option
MAC:     2:fd:0:0:1:2
Vendor:  unknown
MAC2:    n/a
Vendor2: n/a
IPv6:    fe80::fd:ff:fe00:102
DNS:     n/a
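As an added illustration of the check both tests above exercise (this is not NDPMon's or Scapy's own code), the following Python walks the ND options of an RA, decodes RDNSS and DNSSL as laid out in RFC 6106, and reports anything outside a constructed expected configuration, the way the two alerts above do; note that RFC 6106 encodes search-list names as DNS labels rather than the NUL-separated strings used by the quick Scapy patch, so the builder here produces the conforming layout.

```python
import ipaddress

EXPECTED_NS, EXPECTED_DOMAINS = {"fd75:7c74:2274:1::53", "fd75:7c74:2274:1::5353"}, {"inria.fr"}  # constructed, as configured above

def encode_dns_names(names):  # RFC 1035 label encoding; a zero-length label ends each name
    out = b""
    for name in names:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out

def parse_dns_names(buf):  # inverse of encode_dns_names; zero padding after the last name ends the list
    names, pos = [], 0
    while pos < len(buf) and buf[pos]:
        labels = []
        while pos < len(buf) and buf[pos]:
            n = buf[pos]
            labels.append(buf[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        pos += 1
        names.append(".".join(labels))
    return names

def build_option(otype, lifetime, payload):
    # type, len in 8-octet units, 2 reserved bytes, 4-byte lifetime, payload zero-padded to a multiple of 8
    body = b"\x00\x00" + lifetime.to_bytes(4, "big") + payload
    body += b"\x00" * (-(len(body) + 2) % 8)
    return bytes([otype, (len(body) + 2) // 8]) + body

def check_ra_options(options):  # walk the RA's ND options, return NDPMon-style alerts
    alerts, pos = [], 0
    while pos + 2 <= len(options):
        otype, olen = options[pos], options[pos + 1]
        if olen == 0 or pos + 8 * olen > len(options):  # RFC 4861: zero or overlong length
            return alerts + ["malformed RA option"]
        lifetime = int.from_bytes(options[pos + 4:pos + 8], "big")
        body = options[pos + 8:pos + 8 * olen]  # payload after the fixed 8-octet header
        if otype == 25:  # RDNSS: list of 16-byte nameserver addresses
            for i in range(0, len(body) - 15, 16):
                ns = str(ipaddress.IPv6Address(body[i:i + 16]))
                if ns not in EXPECTED_NS:
                    alerts.append("wrong RA RDNSS option: %s %d" % (ns, lifetime))
        elif otype == 31:  # DNSSL: label-encoded search domains
            for name in parse_dns_names(body):
                if name not in EXPECTED_DOMAINS:
                    alerts.append("wrong RA DNSSL option: %s %d" % (name, lifetime))
        pos += 8 * olen
    return alerts
```

Feeding it the option bytes of the two rogue RAs above yields one alert each, naming fd75:7c74:2274:1::53:53 with lifetime 600 and loria.fr with lifetime 900.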