Latest version: 2.1.0

Rogue Router Redirect

NDPMon only allows redirect messages from legitimate routers.

wrong router redirect

We send a rogue redirect

  from scapy.all import Ether, IPv6, ICMPv6ND_Redirect
  redirect = Ether(src="02:fd:00:00:03:01")/IPv6(src="fe80::fd:ff:fe00:301", dst="ff02::1")/ICMPv6ND_Redirect(tgt="fe80::fd:ff:fe00:301", dst="fe80::1")

NDPMon detects the rogue redirect and raises a wrong router redirect alert

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong router redirect 2:fd:0:0:3:1 fe80:0:0:0:fd:ff:fe00:301
  Date: Mon,  9 Jul 2012 17:17:33 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong router redirect
  MAC:     :2:fd:0:0:3:1
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:301
  DNS:     :n/a

wrong router redirect mac

We send a rogue redirect with a wrong MAC address

  redirect_wrong_mac = Ether(src="02:fd:00:00:03:01")/IPv6(src="fe80::fd:ff:fe00:102", dst="ff02::1")/ICMPv6ND_Redirect(tgt="fe80::fd:ff:fe00:301", dst="fe80::1")

NDPMon detects the rogue redirect and raises a wrong router redirect mac alert

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong router redirect mac 2:fd:0:0:3:1 fe80:0:0:0:fd:ff:fe00:102
  Date: Mon,  9 Jul 2012 17:18:41 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong router redirect mac
  MAC:     :2:fd:0:0:3:1
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:102
  DNS:     :n/a

wrong router redirect ip

We send a rogue redirect with a modified IP address

  redirect_wrong_ip = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:301", dst="ff02::1")/ICMPv6ND_Redirect(tgt="fe80::fd:ff:fe00:301", dst="fe80::1")

NDPMon detects the rogue redirect and raises a wrong router redirect ip alert

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong router redirect ip 2:fd:0:0:1:2 fe80:0:0:0:fd:ff:fe00:301
  Date: Mon,  9 Jul 2012 17:19:45 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong router redirect ip
  MAC:     :2:fd:0:0:1:2
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:301
  DNS:     :n/a

wrong couple IP/MAC in RD

We send a rogue redirect with legitimate MAC and IP addresses, but taken from different routers

  redirect_wrong_couple = Ether(src="02:fd:00:00:01:02")/IPv6(src="fe80::fd:ff:fe00:a0b", dst="ff02::1")/ICMPv6ND_Redirect(tgt="fe80::fd:ff:fe00:301", dst="fe80::1")

NDPMon detects the rogue redirect and raises a wrong couple IP/MAC in RD alert

  To: root@localhost
  Subject: NDPMon_Security_Alert: wrong couple IP/MAC 2:fd:0:0:1:2 fe80:0:0:0:fd:ff:fe00:a0b in RD
  Date: Mon,  9 Jul 2012 17:20:46 +0200 (CEST)
  From: root@vnx (root)

  Reason:  :wrong couple IP/MAC in RD
  MAC:     :2:fd:0:0:1:2
  MAC2:    :n/a
  IPv6:    :fe80::fd:ff:fe00:a0b
  DNS:     :n/a
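
The four alerts above differ only in which part of the Redirect's source (MAC, IPv6 address) matches the list of legitimate routers. The following is an added example of that decision, not NDPMon's own code. The `ROUTERS` table is an assumption: its MAC/IP pairing is inferred from the addresses the tests treat as legitimate, and the second router's MAC is constructed.

```python
import ipaddress

# Assumed router list: addresses the page's tests treat as legitimate; the
# pairing is inferred and the second router's MAC is constructed.
ROUTERS = [
    {"mac": "02:fd:00:00:01:02", "ips": ["fe80::fd:ff:fe00:102"]},
    {"mac": "02:fd:00:00:0a:0b", "ips": ["fe80::fd:ff:fe00:a0b"]},
]

def norm_mac(mac):
    """Canonical MAC; accepts NDPMon's unpadded form such as 2:fd:0:0:3:1."""
    octets = [int(p, 16) for p in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{o:02x}" for o in octets)

def norm_ip(ip):
    """Canonical IPv6 text, so fe80:0:0:0:fd:... compares equal to fe80::fd:..."""
    return ipaddress.IPv6Address(ip).compressed

def classify_redirect(src_mac, src_ip, routers=ROUTERS):
    """Return the alert reason for a Redirect's source, or None if legitimate."""
    mac, ip = norm_mac(src_mac), norm_ip(src_ip)
    table = [(norm_mac(r["mac"]), {norm_ip(a) for a in r["ips"]}) for r in routers]
    if any(mac == m and ip in ips for m, ips in table):
        return None                          # MAC and IP belong to the same router
    mac_known = any(mac == m for m, _ in table)
    ip_known = any(ip in ips for _, ips in table)
    if not mac_known and not ip_known:
        return "wrong router redirect"
    if not mac_known:
        return "wrong router redirect mac"   # known router IP, unknown MAC
    if not ip_known:
        return "wrong router redirect ip"    # known router MAC, unknown IP
    return "wrong couple IP/MAC in RD"       # both known, but different routers

# (MAC, IPv6) sources from the four alerts on this page, in NDPMon's notation,
# plus one constructed legitimate source.
SAMPLES = [
    ("2:fd:0:0:3:1", "fe80:0:0:0:fd:ff:fe00:301"),
    ("2:fd:0:0:3:1", "fe80:0:0:0:fd:ff:fe00:102"),
    ("2:fd:0:0:1:2", "fe80:0:0:0:fd:ff:fe00:301"),
    ("2:fd:0:0:1:2", "fe80:0:0:0:fd:ff:fe00:a0b"),
    ("02:fd:00:00:01:02", "fe80::fd:ff:fe00:102"),
]

if __name__ == "__main__":
    for mac, ip in SAMPLES:
        print(f"{mac:18} {ip:28} -> {classify_redirect(mac, ip) or 'ok'}")
```

Normalising both fields before comparison matters because the alert text prints MACs without zero padding and IPv6 addresses uncompressed, while router lists are usually written in the padded, compressed form.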