NDP Exploitation (IPv6)¶
Attack pattern¶
The Neighbour Discovery Protocol (NDP, RFC 4861) is a core IPv6 protocol that replaces ARP and provides address resolution, duplicate address detection (DAD), router discovery, redirects and neighbour unreachability detection. Its messages are ICMPv6 and are unauthenticated by default (Secure Neighbor Discovery, RFC 3971, is rarely deployed), and a receiver will update its neighbour cache from unsolicited advertisements, so any node on the link can spoof bindings, poison caches, or mount denial-of-service attacks. Attackers exploit NDP to redirect traffic, intercept communications, or disrupt network operations.
1. NDP exploitation [OR]
1.1 Neighbour cache poisoning [OR]
1.1.1 Spoofed neighbour advertisement (NA)
1.1.1.1 Overriding legitimate entries in neighbour caches
1.1.1.2 Redirecting traffic to attacker-controlled MAC addresses
1.1.2 Gratuitous NA attacks
1.1.2.1 Unsolicited NA messages to inject false bindings
1.1.2.2 Persistent cache poisoning with periodic NA floods
1.1.3 Neighbour solicitation (NS) spoofing
1.1.3.1 Triggering unnecessary NA responses
1.1.3.2 Forcing address resolution for non-existent targets
1.2 Denial-of-service (DoS) [OR]
1.2.1 Neighbour cache exhaustion
1.2.1.1 Flooding with spoofed NS/NA messages
1.2.1.2 Filling cache with invalid entries to disrupt communications
1.2.2 Duplicate address detection (DAD) attacks
1.2.2.1 Responding to DAD probes to prevent address assignment
1.2.2.2 Causing address conflicts and host initialisation failures
1.2.3 Router advertisement (RA) flooding
1.2.3.1 Overwhelming routers with fake RAs
1.2.3.2 Disrupting legitimate router advertisements and prefix assignments
1.3 Man-in-the-middle (MitM) & interception [OR]
1.3.1 Default gateway impersonation
1.3.1.1 Advertising the attacker's link-layer address for the router's IPv6 address in Override NAs
1.3.1.2 Redirecting all traffic through attacker nodes
1.3.2 Host impersonation
1.3.2.1 Taking over IPv6 addresses of critical servers
1.3.2.2 Intercepting sessions for SSH, HTTPS, or VoIP
1.3.3 Redirect attack exploitation
1.3.3.1 Sending ICMPv6 Redirect messages (type 137) to move a host's next hop for a destination onto an attacker node
1.3.3.2 Bypassing security controls via route manipulation
1.4 Reconnaissance & topology mapping [OR]
1.4.1 Neighbour unreachability detection (NUD) exploitation
1.4.1.1 Probing active hosts via NUD stimuli
1.4.1.2 Mapping live IPv6 addresses and their MAC bindings
1.4.2 Passive NA monitoring
1.4.2.1 Sniffing NA messages to build network maps
1.4.2.2 Identifying critical infrastructure targets
1.5 Evasion & stealth techniques [OR]
1.5.1 Extension header abuse
1.5.1.1 Placing hop-by-hop, destination-options or fragment headers before the ICMPv6 ND header so inspection that stops at the first header never sees the message type (RFC 6980 forbids fragmented ND for this reason)
1.5.1.2 Bypassing RA Guard and NDP inspection tools that do not walk the extension header chain
1.5.2 Low-rate attacks
1.5.2.1 Slow poisoning to avoid detection thresholds
1.5.2.2 Timing-based evasion of monitoring systems
1.6 IoT & resource-constrained targeting [OR]
1.6.1 Battery exhaustion attacks
1.6.1.1 Forcing continuous ND activity on IoT devices
1.6.1.2 Draining power via repeated DAD or NUD triggers
1.6.2 Limited stack exploitation
1.6.2.1 Crashing devices with malformed ND packets
1.6.2.2 Abusing minimal ND implementations in embedded systems
1.7 Cloud & virtualisation attacks [OR]
1.7.1 Virtual switch exploitation
1.7.1.1 Poisoning neighbour caches in hypervisors
1.7.1.2 Breaking isolation between virtual machines
1.7.2 SDN controller targeting
1.7.2.1 Spoofing IPv6 addresses of controllers
1.7.2.2 Disrupting management plane communications
1.8 Transition mechanism attacks [OR]
1.8.1 NAT64/DNS64 exploitation
1.8.1.1 Poisoning NDP bindings for translated addresses
1.8.1.2 Redirecting IPv6-to-IPv4 traffic
1.8.2 Tunnelling protocol abuse
1.8.2.1 Injecting NDP messages into 6to4 or Teredo tunnels
1.8.2.2 Spoofing endpoints for tunnelled communications
1.9 Advanced persistent threat (APT) techniques [OR]
1.9.1 Long-term espionage
1.9.1.1 Sustained traffic interception via persistent cache poisoning
1.9.1.2 Targeting specific organisations (e.g., government, telecom)
1.9.2 Tool customisation
1.9.2.1 Developing bespoke tools for NDP exploitation
1.9.2.2 Adapting attacks to evade signature-based detection
1.10 Rogue DHCPv6 server attacks [OR]
1.10.1 Combining NDP and DHCPv6 exploitation
1.10.1.1 Spoofing both NA and DHCPv6 responses
1.10.1.2 Forcing hosts to use malicious configuration parameters
1.10.2 DNS server injection
1.10.2.1 Providing rogue DNS servers via DHCPv6 and NDP
1.10.2.2 Hijacking DNS resolution for entire subnets
Why it works¶
No authentication: NDP messages are not authenticated, allowing any node to claim any IP or MAC address
No transaction binding: an NA need not correspond to an outstanding NS (unsolicited NAs are valid by design), and the Override flag lets a single unsolicited NA replace an existing neighbour cache entry, so spoofing needs neither a race nor prior state
Protocol complexity: NDP’s multiple message types (NS, NA, RS, RA, Redirect) create a large attack surface
Default trust: IPv6 assumes a trusted local link, yet attackers can join it physically, wirelessly, or from a compromised host or VM, and most ND traffic goes to link-scope multicast (ff02::1 and solicited-node groups), so one attached node reaches every neighbour
Limited monitoring: Most networks lack dedicated IPv6/NDP monitoring, allowing attacks to go unnoticed
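The "Why it works" points above map directly onto checks a monitor can run on the link. The following is an added example written for this page, not tooling from the original: a small Python NDP monitor that parses raw IPv6 packet bytes (no pcap or Scapy dependency), keeps a target-to-link-layer binding table, and flags the patterns in the tree that leave a protocol footprint: Override NAs that rebind a known address (1.1.1, 1.3.1), NAs answering a DAD probe (1.2.2), ND arriving with a hop limit other than 255 (forged or forwarded, which RFC 4861 requires receivers to drop), and ND hidden behind extension headers (1.5.1, RFC 6980). The packets in `run_demo`, the addresses `fe80::1`/`fe80::bad` and the MACs are all constructed for the demonstration; the pseudo-header checksum and NA flag layout follow RFC 8200 and RFC 4861.

```python
"""Heuristic NDP monitor over raw IPv6 packet bytes (no pcap dependency)."""
import ipaddress
import struct

ICMPV6, NS, NA = 58, 135, 136
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}
UNSPECIFIED = ipaddress.IPv6Address("::")


def icmpv6_checksum(src, dst, payload):
    """RFC 8200 8.1 pseudo-header checksum; returns 0 when a received message verifies."""
    pseudo = src + dst + struct.pack("!IxxxB", len(payload), ICMPV6)
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv6(pkt):
    """Return addresses, hop limit, extension headers seen before ICMPv6, and the payload."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, hop_limit, off, exts = pkt[6], pkt[7], 40, []
    while next_hdr in EXT_HEADERS:
        exts.append(EXT_HEADERS[next_hdr])
        size = 8 if next_hdr == 44 else (pkt[off + 1] + 1) * 8  # fragment hdr is fixed 8 bytes
        next_hdr, off = pkt[off], off + size
    return {"src": pkt[8:24], "dst": pkt[24:40], "hop_limit": hop_limit,
            "next_hdr": next_hdr, "exts": exts, "payload": pkt[off:]}


def parse_nd_options(buf):
    """ND options are TLVs: type, length in 8-octet units, data. Type 1/2 = source/target LL address."""
    opts = {}
    while len(buf) >= 8 and buf[1] != 0:  # a zero-length option is invalid; stop parsing
        opts[buf[0]] = buf[2:buf[1] * 8]
        buf = buf[buf[1] * 8:]
    return opts


class NdpMonitor:
    """Tracks target -> link-layer bindings and DAD probes; flags suspicious NS/NA traffic."""

    def __init__(self):
        self.bindings = {}      # IPv6 target -> link-layer address bytes
        self.tentative = set()  # targets seen in DAD probes (NS with source ::); a real
                                # monitor would expire these after DAD's RetransTimer

    def inspect(self, pkt):
        hdr = parse_ipv6(pkt)
        icmp, findings = hdr["payload"], []
        if hdr["next_hdr"] != ICMPV6 or len(icmp) < 24 or icmp[0] not in (NS, NA):
            return findings
        src, target = ipaddress.IPv6Address(hdr["src"]), ipaddress.IPv6Address(icmp[8:24])
        if hdr["exts"]:  # 1.5.1: inspection that stops at the first header never sees type 135/136
            findings.append(f"ND message behind extension headers {hdr['exts']} (RFC 6980 violation / inspection evasion)")
        if hdr["hop_limit"] != 255:  # RFC 4861: ND must arrive with hop limit 255, else forged or forwarded
            findings.append(f"hop limit {hdr['hop_limit']} != 255: off-link or forged ND, receivers must drop")
        if icmpv6_checksum(hdr["src"], hdr["dst"], icmp) != 0:
            findings.append("bad ICMPv6 checksum")
        opts = parse_nd_options(icmp[24:])
        if icmp[0] == NS:
            if src == UNSPECIFIED:
                self.tentative.add(target)  # a DAD probe: someone is about to use `target`
            return findings
        solicited, override = bool(icmp[4] & 0x40), bool(icmp[4] & 0x20)  # NA flags R=0x80 S=0x40 O=0x20
        if target in self.tentative:  # 1.2.2: an NA here makes the booting host give the address up
            findings.append(f"NA answers DAD probe for {target} from {src} (DAD DoS if it repeats for every probe)")
        lladdr = opts.get(2)
        if lladdr is not None:
            known = self.bindings.get(target)
            if known is not None and known != lladdr:  # 1.1.1 / 1.3.1: rebinding an address we already know
                findings.append(f"{target} binding changed {known.hex(':')} -> {lladdr.hex(':')} by "
                                f"{'unsolicited ' if not solicited else ''}{'override' if override else 'non-override'} NA from {src}")
            if known is None or override:  # RFC 4861 7.2.5: only O=1 replaces an existing cached address
                self.bindings[target] = lladdr
        return findings


def build_nd(src, dst, mtype, target, lladdr, flags=0, hop_limit=255, hop_by_hop=False):
    """Constructed test packet (not captured traffic): IPv6 [+ hop-by-hop PadN] + NS/NA [+ LL option]."""
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    opts = b"" if lladdr is None else bytes([1 if mtype == NS else 2, 1]) + lladdr
    msg = bytes([mtype, 0, 0, 0, flags, 0, 0, 0]) + ipaddress.IPv6Address(target).packed + opts
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, msg)) + msg[4:]
    ext = b"\x3a\x00\x01\x04\x00\x00\x00\x00" if hop_by_hop else b""  # next=58, len=0, PadN(4)
    ip = struct.pack("!IHBB", 6 << 28, len(ext) + len(msg), 0 if hop_by_hop else ICMPV6, hop_limit)
    return ip + src_b + dst_b + ext + msg


def run_demo():
    """Replay constructed link traffic through the monitor; returns one findings list per packet."""
    mon = NdpMonitor()
    gw, attacker = "fe80::1", "fe80::bad"
    gw_mac, bad_mac = bytes.fromhex("001122334455"), bytes.fromhex("deadbeef0001")
    packets = [
        build_nd(gw, "fe80::2", NA, gw, gw_mac, flags=0x80 | 0x40 | 0x20),     # baseline: router's solicited NA
        build_nd(attacker, "ff02::1", NA, gw, bad_mac, flags=0x20),            # 1.1.1/1.3.1: gateway rebinding
        build_nd("::", "ff02::1:ff00:3", NS, "fe80::3", None),                 # host boots, runs DAD
        build_nd(attacker, "ff02::1", NA, "fe80::3", bad_mac, flags=0x20),     # 1.2.2: DAD answered
        build_nd(attacker, "ff02::1", NA, gw, bad_mac, 0x20, 64, True),        # 1.5.1: hop-by-hop + wrong hop limit
    ]
    return [mon.inspect(p) for p in packets]


if __name__ == "__main__":
    for i, f in enumerate(run_demo(), 1):
        print(i, f or "ok")
```

The baseline packet produces no findings; the second rebinds the gateway address and is reported as an unsolicited Override NA; the NA for `fe80::3` is reported because it answers an outstanding DAD probe; the last packet is reported twice, once for the hop-by-hop header in front of the ND message and once for the hop limit of 64. The binding-change rule deliberately fires on legitimate changes too (a NIC swap, a VRRP failover), so in production it is a signal to correlate with switch port or DHCPv6 lease data rather than an alert on its own; the hop-limit and extension-header checks, by contrast, are hard protocol violations and can be dropped at the first hop.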