NDP Exploitation (IPv6)

Attack pattern

The Neighbour Discovery Protocol (NDP) is a core IPv6 protocol that replaces ARP and provides functions like address resolution, duplicate address detection (DAD), and router discovery. Its stateless and unauthenticated nature makes it vulnerable to spoofing, cache poisoning, and denial-of-service attacks. Attackers can exploit NDP to redirect traffic, intercept communications, or disrupt network operations.

1. NDP exploitation [OR]

    1.1 Neighbour cache poisoning [OR]
    
        1.1.1 Spoofed neighbour advertisement (NA)
            1.1.1.1 Overriding legitimate entries in neighbour caches
            1.1.1.2 Redirecting traffic to attacker-controlled MAC addresses
            
        1.1.2 Gratuitous NA attacks
            1.1.2.1 Unsolicited NA messages to inject false bindings
            1.1.2.2 Persistent cache poisoning with periodic NA floods
            
        1.1.3 Neighbour solicitation (NS) spoofing
            1.1.3.1 Triggering unnecessary NA responses
            1.1.3.2 Forcing address resolution for non-existent targets
            
    1.2 Denial-of-service (DoS) [OR]
    
        1.2.1 Neighbour cache exhaustion
            1.2.1.1 Flooding with spoofed NS/NA messages
            1.2.1.2 Filling cache with invalid entries to disrupt communications
            
        1.2.2 Duplicate address detection (DAD) attacks
            1.2.2.1 Responding to DAD probes to prevent address assignment
            1.2.2.2 Causing address conflicts and host initialisation failures
            
        1.2.3 Router advertisement (RA) flooding
            1.2.3.1 Overwhelming routers with fake RAs
            1.2.3.2 Disrupting legitimate router advertisements and prefix assignments
            
    1.3 Man-in-the-middle (MitM) & interception [OR]
    
        1.3.1 Default gateway impersonation
            1.3.1.1 Spoofing router MAC addresses via NA messages
            1.3.1.2 Redirecting all traffic through attacker nodes
            
        1.3.2 Host impersonation
            1.3.2.1 Taking over IPv6 addresses of critical servers
            1.3.2.2 Intercepting sessions for SSH, HTTPS, or VoIP
            
        1.3.3 Redirect attack exploitation
            1.3.3.1 Sending ICMPv6 redirect messages to optimise malicious paths
            1.3.3.2 Bypassing security controls via route manipulation
            
    1.4 Reconnaissance & topology mapping [OR]
    
        1.4.1 Neighbour unreachability detection (NUD) exploitation
            1.4.1.1 Probing active hosts via NUD stimuli
            1.4.1.2 Mapping live IPv6 addresses and their MAC bindings
            
        1.4.2 Passive NA monitoring
            1.4.2.1 Sniffing NA messages to build network maps
            1.4.2.2 Identifying critical infrastructure targets
            
    1.5 Evasion & stealth techniques [OR]
    
        1.5.1 Extension header abuse
            1.5.1.1 Embedding malicious ND messages in hop-by-hop options
            1.5.1.2 Bypassing NDP inspection tools
            
        1.5.2 Low-rate attacks
            1.5.2.1 Slow poisoning to avoid detection thresholds
            1.5.2.2 Timing-based evasion of monitoring systems
            
    1.6 IoT & resource-constrained targeting [OR]
    
        1.6.1 Battery exhaustion attacks
            1.6.1.1 Forcing continuous ND activity on IoT devices
            1.6.1.2 Draining power via repeated DAD or NUD triggers
            
        1.6.2 Limited stack exploitation
            1.6.2.1 Crashing devices with malformed ND packets
            1.6.2.2 Abusing minimal ND implementations in embedded systems
            
    1.7 Cloud & virtualisation attacks [OR]
    
        1.7.1 Virtual switch exploitation
            1.7.1.1 Poisoning neighbour caches in hypervisors
            1.7.1.2 Breaking isolation between virtual machines
            
        1.7.2 SDN controller targeting
            1.7.2.1 Spoofing IPv6 addresses of controllers
            1.7.2.2 Disrupting management plane communications
            
    1.8 Transition mechanism attacks [OR]
    
        1.8.1 NAT64/DNS64 exploitation
            1.8.1.1 Poisoning NDP bindings for translated addresses
            1.8.1.2 Redirecting IPv6-to-IPv4 traffic
            
        1.8.2 Tunnelling protocol abuse
            1.8.2.1 Injecting NDP messages into 6to4 or Teredo tunnels
            1.8.2.2 Spoofing endpoints for tunnelled communications
            
    1.9 Advanced persistent threat (APT) techniques [OR]
    
        1.9.1 Long-term espionage
            1.9.1.1 Sustained traffic interception via persistent cache poisoning
            1.9.1.2 Targeting specific organisations (e.g., government, telecom)
            
        1.9.2 Tool customisation
            1.9.2.1 Developing bespoke tools for NDP exploitation
            1.9.2.2 Adapting attacks to evade signature-based detection
            
    1.10 Rogue DHCPv6 server attacks [OR]
    
        1.10.1 Combining NDP and DHCPv6 exploitation
            1.10.1.1 Spoofing both NA and DHCPv6 responses
            1.10.1.2 Forcing hosts to use malicious configuration parameters
            
        1.10.2 DNS server injection
            1.10.2.1 Providing rogue DNS servers via DHCPv6 and NDP
            1.10.2.2 Hijacking DNS resolution for entire subnets

Why it works

  • No authentication: NDP messages are not authenticated, allowing any node to claim any IP or MAC address

  • Stateless operation: NDP relies on simple request-response mechanisms without session state, making spoofing trivial

  • Protocol complexity: NDP’s multiple message types (NS, NA, RS, RA, Redirect) create a large attack surface

  • Default trust: IPv6 assumes a trusted local link, but attackers can easily join the network physically or wirelessly

  • Limited monitoring: Most networks lack dedicated IPv6/NDP monitoring, allowing attacks to go unnoticed

Mitigation

Secure neighbour discovery (SEND)

  • Action: Deploy SEND to add cryptographic authentication to NDP messages

  • How:

    • Router configuration: Enable SEND on routers supporting RFC 3971

    • Host support: Ensure operating systems (e.g., Linux, Windows) support SEND

    • Certification authorities and keys: Deploy Cryptographically Generated Addresses (CGAs) on hosts and manage the keys and router certificates that SEND relies on

  • Challenge: SEND is complex and not widely adopted, but it is the strongest long-term solution
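The binding between an address and a key that SEND relies on is easiest to see in code. The Python example below is added here and is not part of the original page or of any SEND implementation: it generates and verifies a Cryptographically Generated Address following RFC 3972, using a constructed placeholder byte string in place of a DER-encoded RSA public key and the documentation prefix 2001:db8:abcd:1::/64. SEND also signs each NDP message with the key the CGA is bound to; that signature step is outside this example.

```python
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed stand-ins for the example: a placeholder public key (a real SEND
# host would use its DER-encoded RSA public key) and a documentation prefix.
SAMPLE_PUBLIC_KEY = b"CONSTRUCTED-SAMPLE-PUBLIC-KEY-NOT-A-REAL-DER-BLOB"
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64").network_address.packed[:8]


def hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1(modifier | nine zero octets | key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def leading_zero_bits(data: bytes) -> int:
    """Count leading zero bits, used for the Sec hash-extension check."""
    bits = 0
    for octet in data:
        if octet:
            return bits + 8 - octet.bit_length()
        bits += 8
    return bits


def generate_cga(prefix: bytes, pubkey: bytes, sec: int,
                 modifier: Optional[bytes] = None, collision_count: int = 0
                 ) -> Tuple[ipaddress.IPv6Address, dict]:
    """CGA generation per RFC 3972 section 4. DAD is left to the caller, which
    retries with collision_count 1 or 2 if the address is already in use."""
    if not 0 <= sec <= 7:
        raise ValueError("sec must be 0..7")
    if len(prefix) != 8:
        raise ValueError("prefix must be the 8-octet /64 subnet prefix")
    if collision_count not in (0, 1, 2):
        raise ValueError("collision count must be 0, 1 or 2")
    mod_int = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    # Hash extension: keep incrementing the modifier until Hash2 starts with
    # 16*Sec zero bits. This is the work anyone must repeat to bind another key.
    while True:
        modifier = mod_int.to_bytes(16, "big")
        if leading_zero_bits(hash2(modifier, pubkey)) >= 16 * sec:
            break
        mod_int = (mod_int + 1) & ((1 << 128) - 1)
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    # Write Sec into the three leftmost bits, clear the u and g bits (bits 6, 7).
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "public_key": pubkey}
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def verify_cga(address: ipaddress.IPv6Address, params: dict) -> bool:
    """CGA verification per RFC 3972 section 5: the address must be derivable
    from the CGA parameters, so a node cannot claim it with a different key."""
    if params["collision_count"] not in (0, 1, 2):
        return False
    packed = address.packed
    if packed[:8] != params["prefix"]:
        return False
    iid = packed[8:]
    expected = hash1(params["modifier"], params["prefix"],
                     params["collision_count"], params["public_key"])
    # Compare ignoring the Sec bits (0-2) and the u/g bits (6-7) of the first octet.
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    sec = iid[0] >> 5
    return leading_zero_bits(hash2(params["modifier"], params["public_key"])) >= 16 * sec


def flip_last_bit(address: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Return the address with its lowest interface-identifier bit flipped."""
    packed = address.packed
    return ipaddress.IPv6Address(packed[:15] + bytes([packed[15] ^ 1]))


def spoof_check(sec: int = 0) -> Tuple[bool, bool]:
    """Generate a CGA for the sample key, then verify it once with the genuine
    parameters and once with the same parameters but a different public key."""
    address, params = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, sec, modifier=bytes(16))
    forged = dict(params, public_key=b"CONSTRUCTED-ATTACKER-KEY")
    return verify_cga(address, params), verify_cga(address, forged)


if __name__ == "__main__":
    addr, p = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, sec=1, modifier=bytes(16))
    print(addr, "verifies:", verify_cga(addr, p), "genuine/forged:", spoof_check())
```

With sec=1 the generator needs about 65,536 SHA-1 evaluations on average before Hash2 has 16 leading zero bits, and each further Sec step multiplies that by 2^16, while verification stays a couple of hashes. That asymmetry is what lets a verifier reject a neighbour advertisement whose CGA parameters do not match the claimed address, which is exactly the spoofed-NA case in the attack tree above.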

NDP inspection (similar to DHCP snooping)

  • Action: Implement NDP inspection on switches to validate messages

  • How:

    • Cisco IOS: Create policies with ipv6 nd inspection policy and apply them to interfaces

    • Junos OS: Configure forwarding-options access-security ndp-snooping

    • Open vSwitch: Use ACLs to filter unauthorised NDP messages

  • Best practice: Combine with RA guard for comprehensive protection

Rate limiting and thresholds

  • Action: Limit the rate of NDP messages to prevent flooding

  • How:

    • Cisco: ipv6 nd suppression and rate limiting per interface

    • Linux: Use sysctl parameters (e.g., net.ipv6.neigh.default.gc_thresh3) to tune cache limits

    • Hardware switches: Configure storm control for ICMPv6 traffic

Host hardening

  • Action: Configure hosts to resist NDP attacks

  • How:

    • Windows: Disable IPv6 on unnecessary interfaces via netsh or group policy

    • Linux: Set net.ipv6.conf.all.forwarding=0 and net.ipv6.conf.all.accept_ra=0 for non-routers

    • Endpoint protection: Use host-based firewalls to block suspicious ICMPv6 traffic
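The Linux settings listed under rate limiting (net.ipv6.neigh.default.gc_thresh3) and host hardening (forwarding, accept_ra) are easy to audit across a fleet. The following Python script is an added example, not from the page's author: it parses sysctl -a style output, checks the IPv6 keys against a host or router policy, and emits the corrective sysctl -w commands. The sysctl excerpt is constructed, and the gc_thresh3 floor of 4096 is an assumed value for the example. One caveat a practitioner should keep in mind: accept_ra=0 also disables SLAAC, so hosts that take their addresses from router advertisements must keep accept_ra enabled and rely on RA guard at the switch instead.

```python
import re
from typing import Dict, List, Optional, Tuple

# Expected values follow the hardening and rate-limiting guidance above;
# the gc_thresh3 floor is an assumed value for this example, not one from the page.
GC_THRESH3_MIN = 4096
ROLE_POLICIES = {
    "host":   {"forwarding": ("==", 0), "accept_ra": ("==", 0)},
    "router": {"forwarding": ("==", 1), "accept_ra": ("==", 0)},
}
NEIGH_POLICY = {"net.ipv6.neigh.default.gc_thresh3": (">=", GC_THRESH3_MIN)}
SKIP_INTERFACES = {"lo"}
CONF_KEY = re.compile(r"^net\.ipv6\.conf\.([^.]+)\.(forwarding|accept_ra)$")

# Constructed `sysctl -a` excerpt standing in for a real host.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.forwarding = 0
net.ipv6.neigh.default.gc_thresh3 = 1024
"""

Finding = Tuple[str, Optional[int], str, int]   # key, actual, operator, expected


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse `sysctl -a` style 'key = value' lines, keeping integer values only."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        value = value.strip()
        if sep and value.lstrip("-").isdigit():
            settings[key.strip()] = int(value)
    return settings


def satisfied(op: str, actual: int, expected: int) -> bool:
    """Evaluate a policy operator ('==' or '>=') against an observed value."""
    return actual == expected if op == "==" else actual >= expected


def audit(settings: Dict[str, int], role: str = "host") -> List[Finding]:
    """Return every setting that deviates from the policy for the given role."""
    policy = ROLE_POLICIES[role]
    findings: List[Finding] = []
    # Per-interface keys, including the 'all' and 'default' pseudo-interfaces.
    for key, actual in sorted(settings.items()):
        match = CONF_KEY.match(key)
        if match and match.group(1) not in SKIP_INTERFACES:
            op, expected = policy[match.group(2)]
            if not satisfied(op, actual, expected):
                findings.append((key, actual, op, expected))
    # Neighbour-table limits; a missing key is reported as a finding too.
    for key, (op, expected) in NEIGH_POLICY.items():
        actual = settings.get(key)
        if actual is None or not satisfied(op, actual, expected):
            findings.append((key, actual, op, expected))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """Commands that bring each finding to its expected value (persist them in sysctl.d)."""
    return [f"sysctl -w {key}={expected}" for key, _, _, expected in findings]


if __name__ == "__main__":
    found = audit(parse_sysctl(SAMPLE_SYSCTL), "host")
    for key, actual, op, expected in found:
        print(f"{key}: {actual} (want {op} {expected})")
    print("\n".join(remediation(found)))
```

Run it against real output with `sysctl -a 2>/dev/null | python3 audit.py` after replacing SAMPLE_SYSCTL with sys.stdin.read(); the role switch matters because the same script would otherwise flag a router's forwarding=1 as a defect.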

Network segmentation

  • Action: Limit the scope of NDP attacks through segmentation

  • How:

    • VLANs: Isolate critical devices into separate VLANs

    • Private VLANs (PVLANs): Restrict communication between hosts

    • RA guard: Deploy on all user-facing switch ports

Monitoring and detection

  • Action: Actively monitor for NDP anomalies

  • How:

    • IDS/IPS: Use tools like Snort or Suricata with rules for NDP spoofing

    • SIEM integration: Correlate events from switches, routers, and hosts

    • Anomaly detection: Deploy ML-based tools to detect slow poisoning
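To make the detection side concrete, here is an added Python example (not from the page's author, and not a Snort or Suricata rule) that parses ICMPv6 Neighbour Advertisements and raises alerts for the three patterns the attack tree above describes: a binding for a known target changing to another MAC (cache poisoning), a known router address advertised with the wrong link-layer address (gateway impersonation), and a burst of unsolicited NAs from one source (gratuitous NA flooding). It assumes a capture layer hands it the frame's timestamp, source MAC and ICMPv6 payload; the trace, the router allow-list and the threshold of 20 unsolicited NAs in 10 seconds are constructed for the example, and the sample packets carry a zero checksum.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

NA_TYPE = 136                  # ICMPv6 Neighbor Advertisement
OPT_TARGET_LLADDR = 2          # Target Link-Layer Address option


def parse_na(payload: bytes) -> Optional[dict]:
    """Parse an ICMPv6 NA (RFC 4861 section 4.4). Returns None if malformed."""
    if len(payload) < 24 or payload[0] != NA_TYPE or payload[1] != 0:
        return None
    flags = payload[4]
    na = {
        "router": bool(flags & 0x80),     # R: sender claims to be a router
        "solicited": bool(flags & 0x40),  # S: response to a solicitation
        "override": bool(flags & 0x20),   # O: replace an existing cache entry
        "target": ipaddress.IPv6Address(payload[8:24]),
        "tlla": None,
    }
    offset = 24
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:                  # RFC 4861: zero-length option, discard
            return None
        end = offset + opt_len * 8
        if end > len(payload):
            return None
        if opt_type == OPT_TARGET_LLADDR and opt_len == 1:
            na["tlla"] = payload[offset + 2:offset + 8].hex(":")
        offset = end
    return na


def build_na(target: str, mac: str, router: bool = False,
             solicited: bool = True, override: bool = False) -> bytes:
    """Build a constructed NA payload for the sample trace (checksum left zero)."""
    flags = (0x80 if router else 0) | (0x40 if solicited else 0) | (0x20 if override else 0)
    return (bytes([NA_TYPE, 0, 0, 0, flags, 0, 0, 0])
            + ipaddress.IPv6Address(target).packed
            + bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", "")))


class NdpMonitor:
    """Track IPv6-to-MAC bindings seen in NAs and raise alerts on anomalies."""

    def __init__(self, known_routers: Dict[str, str],
                 flood_threshold: int = 20, window: float = 10.0):
        self.known_routers = {ipaddress.IPv6Address(a): m.lower() for a, m in known_routers.items()}
        self.bindings: Dict[ipaddress.IPv6Address, str] = {}
        self.unsolicited = defaultdict(deque)   # src MAC -> timestamps of unsolicited NAs
        self.flood_threshold = flood_threshold
        self.window = window
        self.alerts: List[Tuple[float, str, str, Optional[str]]] = []

    def observe(self, ts: float, src_mac: str, payload: bytes) -> None:
        src_mac = src_mac.lower()
        na = parse_na(payload)
        if na is None:
            self.alerts.append((ts, "malformed_na", src_mac, None))
            return
        mac = (na["tlla"] or src_mac).lower()
        target = na["target"]
        # 1. Cache poisoning: a target we already know now maps to another MAC.
        previous = self.bindings.get(target)
        if previous is not None and previous != mac:
            kind = "binding_override" if na["override"] else "binding_change"
            self.alerts.append((ts, kind, mac, str(target)))
        self.bindings[target] = mac
        # 2. Gateway impersonation: a known router address with the wrong MAC,
        #    or an unknown node setting the R flag.
        expected = self.known_routers.get(target)
        if expected is not None:
            if expected != mac:
                self.alerts.append((ts, "router_impersonation", mac, str(target)))
        elif na["router"]:
            self.alerts.append((ts, "unexpected_router_flag", mac, str(target)))
        # 3. Gratuitous NA flood: too many unsolicited NAs from one source per window.
        if not na["solicited"]:
            seen = self.unsolicited[src_mac]
            seen.append(ts)
            while seen and ts - seen[0] > self.window:
                seen.popleft()
            if len(seen) == self.flood_threshold:   # fire once as the threshold is crossed
                self.alerts.append((ts, "unsolicited_na_flood", src_mac, None))


def sample_alerts() -> List[Tuple[float, str, str, Optional[str]]]:
    """Run the monitor over a constructed trace: a legitimate router NA, a host
    NA, a rogue NA overriding the router binding, then an unsolicited NA burst."""
    gateway, rogue = "00:11:22:33:44:01", "de:ad:be:ef:00:01"
    monitor = NdpMonitor({"fe80::1": gateway})
    monitor.observe(0.0, gateway, build_na("fe80::1", gateway, router=True))
    monitor.observe(1.0, "00:11:22:33:44:02", build_na("fe80::2", "00:11:22:33:44:02"))
    monitor.observe(5.0, rogue, build_na("fe80::1", rogue, router=True, override=True))
    for i in range(25):
        monitor.observe(6.0 + i * 0.1, rogue,
                        build_na(f"fe80::{0x100 + i:x}", rogue, solicited=False))
    return monitor.alerts


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The binding table is the same state a switch's NDP inspection keeps, so feeding these alerts into the SIEM alongside switch and router logs lets the slow-poisoning case (a single binding change hours after the first observation) be correlated with the port it arrived on, which a rate threshold alone would miss.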

Physical security and access control

  • Action: Prevent unauthorised network access

  • How:

    • 802.1X: Implement port-based NAC to authenticate devices

    • MACsec: Use IEEE 802.1AE to encrypt and authenticate all layer 2 traffic

    • Physical controls: Secure wiring closets and network jacks

Regular audits and penetration testing

  • Action: Proactively test defences against NDP attacks

  • How:

    • Red team exercises: Use tools like parasite6, fake_router6, or thc-ipv6

    • IPv6 security audits: Regularly review configurations and policies

    • Patch management: Ensure all devices are updated

Key insights from real-world attacks

  • Local link exploitation: NDP attacks are limited to the local broadcast domain, but they can be devastating for network integrity

  • Evasion techniques: Attackers use extension headers and low-rate attacks to bypass security controls

  • IoT risks: Resource-constrained devices are highly vulnerable to NDP-based DoS and battery drainage attacks

  • Automated defence: AI-driven tools will become essential for detecting NDP anomalies

  • Protocol improvements: IETF efforts may enhance NDP security (e.g., through lightweight authentication)

  • Vendor collaboration: Closer collaboration is needed to develop integrated solutions

Conclusion

NDP exploitation poses serious risks to IPv6 networks, enabling MitM, DoS, and reconnaissance. While mitigations such as SEND and NDP inspection exist, actually deploying them is critical. Organisations should adopt a layered defence strategy to protect against these evolving threats.