The Neighbor Discovery Protocol Monitor (NDPMon) v-2.* released.

The Neighbor Discovery Protocol Monitor (NDPMon) is used by Internet Protocol version 6 network administrators for monitoring ICMPv6 packets. NDPMon watches the local network for anomalies in the behavior of nodes that use Neighbor Discovery Protocol (NDP) messages, especially during Stateless Address Autoconfiguration.

Platform: BSD/Linux

When an NDP message is flagged, NDPMon notifies the administrator by writing to the syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is the equivalent of Arpwatch for IPv4, and has similar basic features with added attack detection.

NDPMon also maintains an up-to-date list of neighbors on the link and watches all advertisements and changes. This makes it possible to track the usage of cryptographically generated interface identifiers, or of temporary global addresses when Privacy Extensions are enabled (default behavior in Ubuntu and Windows, for example).
NDPMon is very similar to Arpwatch in the activities and erroneous configurations it reports, but it also provides new features specific to the Neighbor Discovery protocol: it detects attacks on that protocol which could harm the network. Different kinds of activities can be detected:
*Reported Activities:

  • wrong couple MAC/IP
  • wrong router MAC
  • wrong router IP
  • wrong prefix
  • wrong router redirect
  • router flag in Neighbor Advertisement: NDPMon is careful about nodes sending router advertisements – only nodes specified as official routers in the configuration file can send one.
  • Duplicate Address Detection DoS
  • flip flop
  • reused old ethernet address: other kinds of malicious behaviors

*Syslogged Activities:

  • Unknown MAC manufacturer
  • new station
  • new IPv6 Global Address
  • new Link Local Address
  • wrong couple MAC/IP
  • wrong router MAC
  • wrong router IP
  • wrong prefix
  • wrong router redirect
  • wrong ipv6 router: if neither the Link Local Address nor the MAC address is known for an RA
  • wrong RA flags: if the managed and other flags in the RA are not set correctly
  • wrong source link address option: the MAC address in the Link Address option does not match the Ethernet source address
  • wrong ipv6 hop limit: IPv6 Hop Limit is not 255
  • wrong RA lifetimes: preferred lifetime is bigger than the valid lifetime
  • RA valid lifetime too short: valid lifetime is less than 2 hours
  • router flag in Neighbor Advertisement: NDPMon is careful about nodes sending router advertisements – only nodes specified as official routers in the configuration file can send one.
  • Duplicate Address Detection DoS
  • flip flop
  • reused old ethernet address: other kinds of malicious behaviors
  • Ethernet mismatch
  • IP Multicast
  • Ethernet Broadcast
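
Several of the Router Advertisement checks named in the list above, written out as an added example; this is not NDPMon's own code, and NDPMon's implementation and configuration format are not shown on this page. The function names, the `ROUTERS` allow-list (a stand-in for the official routers in the configuration file) and the sample frames are constructed for illustration; the alert strings reuse the names from the list.

```python
import struct

ROUTERS = {"00:11:22:33:44:55"}   # hypothetical allow-list of official router MACs
MIN_VALID = 2 * 60 * 60           # the list's 2-hour floor for the valid lifetime

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def check_ra(frame, routers=ROUTERS):
    """Return the alert names raised by one Ethernet frame carrying an RA.
    Assumes no IPv6 extension headers and does not verify the ICMPv6 checksum."""
    eth_src, ip, icmp = mac(frame[6:12]), frame[14:54], frame[54:]
    if frame[12:14] != b"\x86\xdd" or len(icmp) < 16 or ip[6] != 58 or icmp[0] != 134:
        return []                                  # not a Router Advertisement
    alerts = []
    if eth_src not in routers:
        alerts.append("wrong router MAC")
    if ip[7] != 255:                               # byte 7 of the IPv6 header
        alerts.append("wrong ipv6 hop limit")
    opts = icmp[16:]                               # options follow the 16-byte RA header
    while len(opts) >= 8:
        otype, olen = opts[0], opts[1] * 8         # length is in units of 8 octets
        if olen == 0 or olen > len(opts):
            break                                  # malformed option: stop parsing
        if otype == 1 and mac(opts[2:8]) != eth_src:
            alerts.append("wrong source link address option")
        if otype == 3 and olen == 32:              # Prefix Information option
            valid, preferred = struct.unpack("!II", opts[4:12])
            if preferred > valid:
                alerts.append("wrong RA lifetimes")
            if valid < MIN_VALID:
                alerts.append("RA valid lifetime too short")
        opts = opts[olen:]
    return alerts

def build_ra(src_mac, hop, sll_mac, valid, preferred):
    """Constructed sample frame for the checks above (checksum left at zero)."""
    opts = bytes([1, 1]) + sll_mac
    opts += struct.pack("!BBBBIII", 3, 4, 64, 0xC0, valid, preferred, 0)
    opts += bytes.fromhex("20010db8" + "00" * 12)  # documentation prefix 2001:db8::/64
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opts
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop)
    ip += bytes.fromhex("fe80" + "00" * 13 + "01") + bytes.fromhex("ff02" + "00" * 13 + "01")
    return bytes.fromhex("333300000001") + src_mac + b"\x86\xdd" + ip + icmp

ROUTER = bytes.fromhex("001122334455")
ROGUE = bytes.fromhex("020000000099")
GOOD = build_ra(ROUTER, 255, ROUTER, 86400, 14400)               # constructed: clean RA
BAD = build_ra(ROGUE, 64, bytes.fromhex("0200000000aa"), 600, 900)  # constructed: fails every check
```

`check_ra(GOOD)` returns an empty list, while `check_ra(BAD)` returns all five alerts in the order the checks run.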

Download version:
ndpmon_2.1.0.tar.gz (180.7 KB)
ndpmon_2.0.0.tar.gz (170.9 kB)
Find other versions: http://sourceforge.net/projects/ndpmon/files/ndpmon/
Read more here: http://ndpmon.sourceforge.net/