[ipv6hackers] Neighbor advertisement router flag

Fernando Gont fgont at si6networks.com
Mon Apr 15 11:23:58 CEST 2013

Hi, Marc,

This one is described in Section 3.4 of

---- cut here ----
   The R flag is the Router flag, and is used by Neighbor Unreachability
   Detection (NUD).  When set, it indicates that the sender is a router.
   An attacker could forge a Neighbor Advertisement message with the
   Router flag cleared to cause the receiving node to remove the
   impersonated Router from the Default router list.
---- cut here ----

and more thoroughly in Section 3.6 of

---- cut here ----
3.6. DoS attack by removing a router from the routing table by means of
Neighbor Advertisement messages


This attack at removing a router from the routing table of the attacked
system by means of Neighbor Advertisement messages. Basically, an
attacker responds to Neighbor Solicitations that have a Target Address
equal to the IPv6 address of the victim router with a Neighbor
Advertisement that contains the “Router” flag set to zero. This fools
the receiving system into believing that the victim router has ceased to
operate as a router.


# ./na6 –i attacker_nic -s victim_ip -Z victim_ip –e -L


A possible mitigation for this attack could be for hosts to not remove
the router if a Neighbor Advertisement is received from a “router”
without the “Router” flag set. In the event the flag was legitimately
indicating that the sender of the Neighbor Advertisement has ceased to
act as a router, loss indication from the upper-layer protocols could
instruct the internet-layer to remove such router from the list of
default routers.
---- cut here ----


On 04/15/2013 02:05 AM, Marc Heuse wrote:
> I guys,
> in a training, one of the attendees spotted something special in the RFC
> I had overseen so far - this is another easy way to remove the valid
> default gateway. I do not want to take credit for this, so with his OK,
> I forward his email. Enjoy!
> (some might know maybe, I did not :-) )
> Greets,
> Marc
> -------- Original Message --------
> Subject: 	Neighbor advertisement router flag
> Date: 	Sun, 14 Apr 2013 14:54:46 +0200
> From: 	Hendrik Schimmelpenninck <hendrik at svdo.nl>
> To: 	mh at mh-sec.de
> Hi Marc,
> Inspired after your training, I did some testing with the
> neighbor advertisement router flag that we discussed earlier. I was able
> to reproduce the behaviour that the RFC 4861 describes in 7.2.5 II.
> After sending a (unsolicited) neighbor advertisement for the current
> default router with the router set to false, both Ubuntu 12.04 and
> Windows 7 remove the router from the default router list.
> I thought this could make a good addition to kill_router6, for when the
> RA lifetime 0 attack might not work. I would like to add it to your
> code, but I am not familiar enough with C and your framework yet. I will
> try and get into your code, but it will probably take a while. Also,
> I'll have some other operating systems to test it on next week.
> Thanks again for the training, I had a blast!
> Regards,
> Hendrik
> --
> Marc Heuse
> www.mh-sec.de
> PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list