NDPMon

NDPMon (Neighbor Discovery Protocol Monitor) is a tool for monitoring ICMPv6 Neighbor Discovery traffic. NDPMon observes the local network to check whether the nodes exchanging Neighbor Discovery messages behave properly. When it detects a suspicious Neighbor Discovery message, it notifies the administrator by writing to syslog and, in some cases, by sending an e-mail report or running a user-defined script. NDPMon is the IPv6 equivalent of Arpwatch: it offers the same features, but also covers the specifics of Neighbor Discovery, both its message types and the attacks against the protocol.

NDPMon runs under most Linux distributions, Mac OS X, FreeBSD (available as a port), NetBSD and OpenBSD. It uses a configuration file describing the expected and valid behavior of the nodes and routers on the link, including the routers' addresses (MAC and IP) and the prefixes they announce. NDPMon also maintains an up-to-date list of the neighbors on the link. Because Neighbor Discovery messages are never forwarded off-link, a monitor has to be attached to every segment it is meant to cover.

Alerts and reports

The alerts and reports generated by NDPMon are:

  • wrong couple MAC/IP: the MAC address is valid, and so is the IP address, but the two are not known to belong together
  • wrong router MAC: a Router Advertisement was sent from a MAC address not listed as a router in the configuration
  • wrong router IP: a Router Advertisement was sent from an IPv6 address not listed as a router in the configuration
  • wrong prefix: a router announced an IPv6 prefix that is not in the configuration
  • wrong router redirect: the router that emitted the Redirect message is not a valid router
  • router flag in Neighbor Advertisement: a node not declared as a router announced itself as one (R flag set)
  • Duplicate Address Detection DoS: denial of service against Duplicate Address Detection (every tentative address is answered as already in use)
  • flip flop: a node alternates between two MAC addresses
  • reused old Ethernet address: reuse of a MAC address seen earlier on the link
  • Unknown MAC Manufacturer: the vendor part (OUI) of the MAC address is unknown, so the address may be forged
  • new station: new node on the link
  • new IPv6 Global Address: new IPv6 global address for a node
  • new IPv6 Link Local Address: new IPv6 link-local address for a node
  • Ethernet mismatch: the link-layer address carried in the ND message's option differs from the Ethernet source address of the frame
  • IP Multicast: the IPv6 source address of the message is a multicast address
  • Ethernet Broadcast: the Ethernet source address of the frame is the broadcast address
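The following is an added example, not NDPMon's own code, showing how several of the alerts above (wrong router MAC/IP, wrong prefix, router flag in Neighbor Advertisement, wrong couple MAC/IP, flip flop, new station, new IPv6 address, Ethernet mismatch, Ethernet Broadcast, IP Multicast) can be derived from raw frames. It builds Router Advertisement and Neighbor Advertisement frames itself, parses them back, and compares them against an expected-configuration table. The router, prefix and station addresses are constructed for the example, and the ICMPv6 checksum is left at zero because nothing here validates it.

```python
# Added example, not NDPMon's own code: a minimal NDPMon-style checker that parses raw
# Ethernet/IPv6/ICMPv6 frames and emits NDPMon's alert names. All addresses are constructed.
import ipaddress
import struct

ROUTERS = {"00:11:22:33:44:55": "fe80::211:22ff:fe33:4455"}  # expected router MAC -> IPv6
PREFIXES = {("2001:db8:1::", 64)}                            # expected (prefix, length)
ETH_BCAST = "ff:ff:ff:ff:ff:ff"
RA, NA = 134, 136                                            # ICMPv6 types
OPT_SLLA, OPT_TLLA, OPT_PREFIX = 1, 2, 3                     # ND option types (RFC 4861)
ip6 = lambda s: ipaddress.IPv6Address(s).packed
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
mac_bytes = lambda s: bytes(int(x, 16) for x in s.split(":"))

def build_frame(src_mac, src_ip, icmp_type, body, options):
    # Ethernet + IPv6 + ICMPv6, sent to the all-nodes multicast group; checksum left zero
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body + b"".join(options)
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + ip6(src_ip) + ip6("ff02::1")
    return mac_bytes("33:33:00:00:00:01") + mac_bytes(src_mac) + b"\x86\xdd" + hdr + icmp

def build_ra(src_mac, src_ip, prefix, plen, slla=None):
    # slla lets the demo forge a source link-layer option that differs from the frame header
    pio = bytes([OPT_PREFIX, 4, plen, 0xC0]) + struct.pack("!III", 2592000, 604800, 0) + ip6(prefix)
    slla_opt = bytes([OPT_SLLA, 1]) + mac_bytes(slla or src_mac)
    return build_frame(src_mac, src_ip, RA, struct.pack("!BBHII", 64, 0, 1800, 0, 0), [slla_opt, pio])

def build_na(src_mac, src_ip, router=False):
    # unsolicited NA for src_ip itself; router=True sets the R flag
    body = struct.pack("!I", ((0x80 if router else 0) | 0x20) << 24) + ip6(src_ip)
    return build_frame(src_mac, src_ip, NA, body, [bytes([OPT_TLLA, 1]) + mac_bytes(src_mac)])

def parse(frame):
    icmp = frame[54:]  # 14-byte Ethernet + 40-byte IPv6 header
    if icmp[0] == RA:
        pos, router_flag = 16, False
    elif icmp[0] == NA:
        pos, router_flag = 24, bool(icmp[4] & 0x80)
    else:
        return None  # other ICMPv6 types are not handled by this example
    msg = {"type": icmp[0], "eth_src": mac_str(frame[6:12]), "router_flag": router_flag,
           "src_ip": str(ipaddress.IPv6Address(frame[22:38]))}
    while pos + 2 <= len(icmp):
        t, ln = icmp[pos], icmp[pos + 1] * 8
        if ln == 0:  # RFC 4861: a zero-length option marks the packet as malformed
            break
        data = icmp[pos + 2:pos + ln]
        if t in (OPT_SLLA, OPT_TLLA):
            msg["lladdr"] = mac_str(data[:6])
        elif t == OPT_PREFIX:
            msg["prefix"] = (str(ipaddress.IPv6Address(data[14:30])), data[0])
        pos += ln
    return msg

class Monitor:
    def __init__(self):
        self.neighbors = {}  # MAC -> IPv6 addresses seen with it
        self.history = {}    # IPv6 address -> MACs that claimed it, in order

    def check(self, frame):
        msg = parse(frame)
        if msg is None:
            return []
        mac, ip = msg["eth_src"], msg["src_ip"]
        alerts = [n for bad, n in ((mac == ETH_BCAST, "Ethernet Broadcast"),
                                   (ipaddress.IPv6Address(ip).is_multicast, "IP Multicast")) if bad]
        if alerts:  # bogus source address: do not learn it as a neighbor
            return alerts
        if "lladdr" in msg and msg["lladdr"] != mac:
            alerts.append("Ethernet mismatch")
        if msg["type"] == RA:
            alerts += [n for bad, n in ((mac not in ROUTERS, "wrong router MAC"),
                                        (ip not in ROUTERS.values(), "wrong router IP"),
                                        ("prefix" in msg and msg["prefix"] not in PREFIXES, "wrong prefix")) if bad]
        elif msg["router_flag"] and mac not in ROUTERS:
            alerts.append("router flag in Neighbor Advertisement")
        return alerts + self.learn(mac, ip)

    def learn(self, mac, ip):
        owners = self.history.setdefault(ip, [])
        if mac not in self.neighbors:
            self.neighbors[mac], alert = set(), "new station"
        elif not owners:
            alert = "new IPv6 %s Address" % ("Link Local" if ip.startswith("fe80:") else "Global")
        elif owners[-1] == mac:
            alert = None
        elif mac in owners:
            alert = "flip flop"            # the address bounces back to a MAC it used earlier
        else:
            alert = "wrong couple MAC/IP"  # known MAC and known IP, never seen together
        self.neighbors[mac].add(ip)
        if owners[-1:] != [mac]:
            owners.append(mac)
        return [alert] if alert else []

def demo():
    mon, r = Monitor(), ("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455")
    frames = [build_na("aa:bb:cc:00:00:01", "fe80::1"), build_na("aa:bb:cc:00:00:01", "2001:db8:1::1"),
              build_ra(*r, "2001:db8:1::", 64), build_ra("aa:bb:cc:00:00:02", "fe80::2", "2001:db8:bad::", 64),
              build_na("aa:bb:cc:00:00:02", "fe80::1"), build_na("aa:bb:cc:00:00:01", "fe80::1"),
              build_na("aa:bb:cc:00:00:02", "fe80::1", router=True),
              build_ra(*r, "2001:db8:1::", 64, slla="00:11:22:33:44:66"), build_na(ETH_BCAST, "fe80::9")]
    return [mon.check(f) for f in frames]  # one alert list per frame
```

The fourth frame of the demo is a rogue Router Advertisement from an unconfigured station and triggers three alerts at once; the fifth and sixth frames show the distinction between a first wrong MAC/IP pairing and the flip flop that follows when the address moves back. Frames whose source is broadcast or multicast are reported but never enter the neighbor table, so an attacker cannot use them to pollute the baseline.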