NDPMon

NDPMon is an IPv6 neighbor discovery protocol monitor.
NDPMon Ranking & Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: Frederic Beck

NDPMon Description

NDPMon is an IPv6 neighbor discovery protocol monitor. It is an equivalent of ArpWatch for IPv6 and was developed during the summer of 2006 by an engineering student, Thibault Cholez, during an internship for the MADYNES Project, a research team from the LORIA - INRIA Lorraine in France.

NDPMon, Neighbor Discovery Protocol Monitor, is a tool that works with ICMPv6 packets. It observes the local network to see whether nodes using neighbor discovery messages behave properly. When it detects a suspicious Neighbor Discovery message, it notifies the administrator by writing to the syslog and, in some cases, by sending an email report.

NDPMon is very similar to ArpWatch in the activities and erroneous configurations it reports, but it also provides new features specific to the Neighbor Discovery protocol, for which it detects attacks that could harm the network. Different kinds of activities can be detected:

Reported Activities
· wrong couple MAC/IP
· wrong router MAC
· wrong router IP
· wrong prefix
· wrong router redirect
· router flag in Neighbor Advertisement: NDPMon is careful about nodes sending router advertisements - only nodes specified to be official routers in the configuration file can send one.
· Duplicate Address Detection DoS
· flip flop
· reused old Ethernet address: other kinds of malicious behaviors

Syslogged Activities
· Unknown MAC manufacturer
· new station
· new IPv6 Global Address
· new Link Local Address
· wrong couple MAC/IP
· wrong router MAC
· wrong router IP
· wrong prefix
· wrong router redirect
· wrong ipv6 router: if neither the Link Local Address nor the MAC address is known for an RA
· wrong RA flags: if the managed and other flags in the RA are not set correctly
· wrong source link address option: the MAC address in the Link Address option does not match the Ethernet source address
· wrong ipv6 hop limit: IPv6 Hop Limit is not 255
· wrong RA lifetimes: preferred lifetime is bigger than the valid lifetime
· RA valid lifetime too short: valid lifetime is less than 2 hours
· router flag in Neighbor Advertisement: NDPMon is careful about nodes sending router advertisements - only nodes specified to be official routers in the configuration file can send one.
· Duplicate Address Detection DoS
· flip flop
· reused old Ethernet address: other kinds of malicious behaviors
· Ethernet mismatch
· IP Multicast
· Ethernet Broadcast

NDPMon can also be launched with an option that disables reports. This learning phase lets it build the neighbor database during the first execution without raising inappropriate warnings.

The NDPMon software is implemented in C. It uses libpcap to capture and filter neighbor discovery packets and then runs various tests on them. Two XML files are used:
· The first file contains configuration settings such as the official router settings or the email address of the admin.
· The second file (which behaves like a cache) contains the list of all neighbors seen by NDPMon on the local network. This cache keeps the IP address, MAC address, and the last time of activity for each node. This list is updated automatically during execution and saved to disk.
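
Four of the Router Advertisement checks listed above (hop limit not 255, source link address option mismatch, preferred lifetime above valid lifetime, valid lifetime under 2 hours), written out as an added C example; this is not NDPMon's source code. The function names, flag names and the constructed sample frame are assumptions, and the parser assumes an Ethernet frame with no IPv6 extension headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { BAD_HOP = 1, BAD_SLLA = 2, BAD_LIFETIMES = 4, SHORT_VALID = 8, MALFORMED = 16 };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Inspect an Ethernet frame carrying an RA (assumes no IPv6 extension headers). */
int check_ra(const uint8_t *f, size_t len) {
    int r = 0;
    if (len < 70 || f[12] != 0x86 || f[13] != 0xDD || f[20] != 58 || f[54] != 134)
        return MALFORMED;                            /* not IPv6 / ICMPv6 / RA */
    if (f[21] != 255) r |= BAD_HOP;                  /* wrong ipv6 hop limit */
    for (size_t off = 70; off + 2 <= len; ) {        /* options follow the 16-byte RA header */
        size_t olen = (size_t)f[off + 1] * 8;        /* length field is in 8-byte units */
        if (olen == 0 || off + olen > len) return r | MALFORMED;
        if (f[off] == 1 && memcmp(f + off + 2, f + 6, 6) != 0)
            r |= BAD_SLLA;                           /* option MAC != Ethernet source */
        if (f[off] == 3 && olen == 32) {             /* Prefix Information option */
            uint32_t valid = be32(f + off + 4), pref = be32(f + off + 8);
            if (pref > valid) r |= BAD_LIFETIMES;    /* wrong RA lifetimes */
            if (valid < 7200) r |= SHORT_VALID;      /* valid lifetime under 2 hours */
        }
        off += olen;
    }
    return r;
}

/* Build a constructed 110-byte sample frame and return check_ra()'s verdict for it. */
int sample_result(uint8_t hop, uint8_t slla_last, uint32_t valid, uint32_t pref) {
    uint8_t f[110] = {0};
    f[6] = 0x02; f[11] = 0x01;                       /* Ethernet source 02:00:00:00:00:01 */
    f[12] = 0x86; f[13] = 0xDD;                      /* EtherType IPv6 */
    f[14] = 0x60; f[19] = 56; f[20] = 58; f[21] = hop;
    f[54] = 134;                                     /* ICMPv6 type: Router Advertisement */
    f[70] = 1; f[71] = 1; f[72] = 0x02; f[77] = slla_last;
    f[78] = 3; f[79] = 4; f[80] = 64;                /* prefix option, /64 */
    for (int i = 0; i < 4; i++) {
        f[82 + i] = (uint8_t)(valid >> (24 - 8 * i));
        f[86 + i] = (uint8_t)(pref >> (24 - 8 * i));
    }
    return check_ra(f, sizeof f);
}

int main(void) {
    printf("clean=%d spoofed=%d\n", sample_result(255, 1, 86400, 14400),
           sample_result(64, 9, 3600, 7200));
    return 0;
}
```

The return value is a bitmask, so one frame can trip several checks at once.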