NDPMon 1.3c

NDPMon is an IPv6 neighbor discovery protocol monitor.

NDPMon is the IPv6 equivalent of ArpWatch. It was developed during the summer of 2006 by an engineering student, Thibault Cholez, during an internship with the MADYNES project, a research team at LORIA - INRIA Lorraine in France.

NDPMon, the Neighbor Discovery Protocol Monitor, is a tool that works on ICMPv6 packets. It observes the local network to check whether nodes using Neighbor Discovery messages behave properly. When it detects a suspicious Neighbor Discovery message, it notifies the administrator by writing to syslog and, in some cases, by sending an email report.

NDPMon is very similar to ArpWatch in the activities and erroneous configurations it reports, but it also provides new features specific to the Neighbor Discovery protocol, for which it detects attacks that could harm the network. The following kinds of activities can be detected:

Reported Activities

wrong couple MAC/IP
wrong router MAC
wrong router IP
wrong prefix
wrong router redirect
router flag in Neighbor Advertisement: NDPMon is careful about nodes sending Router Advertisements - only nodes declared as official routers in the configuration file may send one.
Duplicate Address Detection DOS
flip flop
reused old Ethernet address: other kinds of malicious behavior

Sysloged Activities

unknown MAC manufacturer
new station
new IPv6 Global Address
new Link Local Address
wrong couple MAC/IP
wrong router MAC
wrong router IP
wrong prefix
wrong router redirect
wrong ipv6 router: neither the Link Local Address nor the MAC address of the node sending an RA is known
wrong RA flags: the managed and other flags in the RA are not set as expected
wrong source link address option: the MAC address in the Source Link-Layer Address option does not match the Ethernet source address
wrong ipv6 hop limit: the IPv6 Hop Limit is not 255
wrong RA lifetimes: the preferred lifetime is longer than the valid lifetime
RA valid lifetime too short: the valid lifetime is less than 2 hours
router flag in Neighbor Advertisement: NDPMon is careful about nodes sending Router Advertisements - only nodes declared as official routers in the configuration file may send one.
Duplicate Address Detection DOS
flip flop
reused old Ethernet address: other kinds of malicious behavior
Ethernet mismatch
IP Multicast
Ethernet Broadcast
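The Router Advertisement checks listed above (wrong ipv6 router, wrong source link address option, wrong ipv6 hop limit, wrong RA lifetimes, RA valid lifetime too short), as an added example written for this page rather than NDPMon's own code. The official-router entry stands in for the XML configuration file, and the frames are constructed with a small builder instead of being captured with libpcap.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Alert flags, named after the page's syslogged activities. */
enum { WRONG_ROUTER = 1, WRONG_SLLA = 2, WRONG_HOP_LIMIT = 4, WRONG_LIFETIMES = 8, VALID_TOO_SHORT = 16 };

/* Constructed "official router" entry, standing in for NDPMon's XML configuration file. */
static const uint8_t ROUTER_MAC[6] = {0x00,0x11,0x22,0x33,0x44,0x55};
static const uint8_t ROUTER_LL[16] = {0xfe,0x80,0,0,0,0,0,0,0x02,0x11,0x22,0xff,0xfe,0x33,0x44,0x55};

/* Run the RA checks over one raw Ethernet frame; returns an alert bitmask, or -1 if it is not an RA. */
int check_ra(const uint8_t *f, size_t len) {
    if (len < 70 || f[20] != 58 || f[54] != 134) return -1;   /* ether(14)+ipv6(40)+RA(16); nexthdr 58, type 134 */
    const uint8_t *src_mac = f + 6, *ip6 = f + 14;
    int alerts = 0;
    if (ip6[7] != 255) alerts |= WRONG_HOP_LIMIT;              /* wrong ipv6 hop limit */
    if (memcmp(src_mac, ROUTER_MAC, 6) && memcmp(ip6 + 8, ROUTER_LL, 16))
        alerts |= WRONG_ROUTER;                                /* neither MAC nor link-local is a known router */
    for (size_t off = 70; off + 2 <= len;) {                   /* ND options: type, length in 8-byte units */
        size_t olen = f[off + 1] * 8u;
        if (olen == 0 || off + olen > len) break;
        if (f[off] == 1 && memcmp(f + off + 2, src_mac, 6)) alerts |= WRONG_SLLA;  /* source link-layer option */
        if (f[off] == 3 && olen >= 32) {                       /* prefix information option */
            uint32_t valid, pref;
            memcpy(&valid, f + off + 4, 4); memcpy(&pref, f + off + 8, 4);
            valid = ntohl(valid); pref = ntohl(pref);
            if (pref > valid) alerts |= WRONG_LIFETIMES;       /* preferred longer than valid */
            if (valid < 7200) alerts |= VALID_TOO_SHORT;       /* valid lifetime under two hours */
        }
        off += olen;
    }
    return alerts;
}

/* Build a constructed RA frame (Ethernet + IPv6 + RA + SLLA + one prefix option); returns its length. */
size_t build_ra(uint8_t *f, const uint8_t *mac, const uint8_t *ll, uint8_t hop,
                const uint8_t *slla, uint32_t valid, uint32_t pref) {
    memset(f, 0, 110);
    memcpy(f + 6, mac, 6); f[12] = 0x86; f[13] = 0xdd;         /* EtherType IPv6 */
    f[14] = 0x60; f[19] = 56; f[20] = 58; f[21] = hop; memcpy(f + 22, ll, 16);
    f[54] = 134; f[58] = 64;                                   /* RA type, cur hop limit */
    f[70] = 1; f[71] = 1; memcpy(f + 72, slla, 6);             /* SLLA option */
    f[78] = 3; f[79] = 4; f[80] = 64;                          /* prefix option, /64 */
    valid = htonl(valid); pref = htonl(pref);
    memcpy(f + 82, &valid, 4); memcpy(f + 86, &pref, 4);
    return 110;
}
```

A frame from the configured router with hop limit 255, a matching SLLA option and sane lifetimes yields 0; a frame from an unknown sender with hop limit 64 and a preferred lifetime above a one-hour valid lifetime sets every flag.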

NDPMon can also be launched with an option that disables reports. This learning phase builds the neighbor database during the first execution without raising inappropriate warnings.

NDPMon is implemented in C. It uses libpcap to capture and filter Neighbor Discovery packets and then runs a series of tests on them. Two XML files are used:

The first file contains configuration settings, such as the official routers and the email address of the administrator.
The second file, which behaves like a cache, contains the list of all neighbors seen by NDPMon on the local network. For each node this cache keeps the IP address, the MAC address, and the time of last activity. The list is updated automatically during execution and saved to disk.

last updated on: November 9th, 2007, 15:09 GMT
price: FREE!
developed by: Frederic Beck
license type: GPL (GNU General Public License)
category: ROOT \ System \ Networking
