283
ND attack defense configuration
Introduction to ND attack defense
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor
reachability detection, duplicate address detection, router/prefix discovery and address
autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can
easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
The ND protocol implements its function by using the following types of ICMPv6 messages:
ï‚· Neighbor Solicitation (NS)
ï‚· Neighbor Advertisement (NA)
ï‚· Router Solicitation (RS)
ï‚· Router Advertisement (RA)
ï‚· Redirect (RR)
An attacker can attack a network by sending forged ICMPv6 messages, as shown in Figure 89:
ï‚· Sends forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other
hosts update the ND entry for the victim host with incorrect address information. As a result, all
packets intended for the victim host are sent to the attacking host rather than the victim host.
ï‚· Sends forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached to
the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Figure 89 ND attack diagram
Switch
Host A
Host B
IP_A
MAC_A
IP_B
MAC_B
IP_C
MAC_C
Host C
Forged ND packetsForged ND packets
All forged ND packets have two common features:
ï‚· The Ethernet frame header and the source link layer address option of the ND packet contain
different source MAC addresses.
To Next Page
Loading...
Need help?
General