NDP exploitation (IPv6)

Attack pattern

The Neighbor Discovery Protocol (NDP) is a core IPv6 protocol that replaces ARP and provides functions like address resolution, duplicate address detection (DAD), and router discovery. Its stateless and unauthenticated nature makes it vulnerable to spoofing, cache poisoning, and denial-of-service attacks. Attackers can exploit NDP to redirect traffic, intercept communications, or disrupt network operations.

1. NDP Exploitation [OR]

    1.1 Neighbor Cache Poisoning [OR]
    
        1.1.1 Spoofed Neighbor Advertisement (NA)
            1.1.1.1 Overriding legitimate entries in neighbor caches
            1.1.1.2 Redirecting traffic to attacker-controlled MAC addresses
            
        1.1.2 Gratuitous NA Attacks
            1.1.2.1 Unsolicited NA messages to inject false bindings
            1.1.2.2 Persistent cache poisoning with periodic NA floods
            
        1.1.3 Neighbor Solicitation (NS) Spoofing
            1.1.3.1 Triggering unnecessary NA responses
            1.1.3.2 Forcing address resolution for non-existent targets
            
    1.2 Denial-of-Service (DoS) [OR]
    
        1.2.1 Neighbor Cache Exhaustion
            1.2.1.1 Flooding with spoofed NS/NA messages
            1.2.1.2 Filling cache with invalid entries to disrupt communications
            
        1.2.2 Duplicate Address Detection (DAD) Attacks
            1.2.2.1 Responding to DAD probes to prevent address assignment
            1.2.2.2 Causing address conflicts and host initialization failures
            
        1.2.3 Router Advertisement (RA) Flooding
            1.2.3.1 Overwhelming routers with fake RAs
            1.2.3.2 Disrupting legitimate router advertisements and prefix assignments
            
    1.3 Man-in-the-Middle (MitM) & Interception [OR]
    
        1.3.1 Default Gateway Impersonation
            1.3.1.1 Spoofing router MAC addresses via NA messages
            1.3.1.2 Redirecting all traffic through attacker nodes
            
        1.3.2 Host Impersonation
            1.3.2.1 Taking over IPv6 addresses of critical servers
            1.3.2.2 Intercepting sessions for SSH, HTTPS, or VoIP
            
        1.3.3 Redirect Attack Exploitation
            1.3.3.1 Sending ICMPv6 Redirect messages to optimize malicious paths
            1.3.3.2 Bypassing security controls via route manipulation
            
    1.4 Reconnaissance & Topology Mapping [OR]
    
        1.4.1 Neighbor Unreachability Detection (NUD) Exploitation
            1.4.1.1 Probing active hosts via NUD stimuli
            1.4.1.2 Mapping live IPv6 addresses and their MAC bindings
            
        1.4.2 Passive NA Monitoring
            1.4.2.1 Sniffing NA messages to build network maps
            1.4.2.2 Identifying critical infrastructure targets
            
    1.5 Evasion & Stealth Techniques [OR]
    
        1.5.1 Extension Header Abuse
            1.5.1.1 Embedding malicious ND messages in Hop-by-Hop options
            1.5.1.2 Bypassing NDP inspection tools
            
        1.5.2 Low-Rate Attacks
            1.5.2.1 Slow poisoning to avoid detection thresholds
            1.5.2.2 Timing-based evasion of monitoring systems
            
    1.6 IoT & Resource-Constrained Targeting [OR]
    
        1.6.1 Battery Exhaustion Attacks
            1.6.1.1 Forcing continuous ND activity on IoT devices
            1.6.1.2 Draining power via repeated DAD or NUD triggers
            
        1.6.2 Limited Stack Exploitation
            1.6.2.1 Crashing devices with malformed ND packets
            1.6.2.2 Abusing minimal ND implementations in embedded systems
            
    1.7 Cloud & Virtualization Attacks [OR]
    
        1.7.1 Virtual Switch Exploitation
            1.7.1.1 Poisoning neighbor caches in hypervisors
            1.7.1.2 Breaking isolation between virtual machines
            
        1.7.2 SDN Controller Targeting
            1.7.2.1 Spoofing IPv6 addresses of controllers
            1.7.2.2 Disrupting management plane communications
            
    1.8 Transition Mechanism Attacks [OR]
    
        1.8.1 NAT64/DNS64 Exploitation
            1.8.1.1 Poisoning NDP bindings for translated addresses
            1.8.1.2 Redirecting IPv6-to-IPv4 traffic
            
        1.8.2 Tunneling Protocol Abuse
            1.8.2.1 Injecting NDP messages into 6to4 or Teredo tunnels
            1.8.2.2 Spoofing endpoints for tunneled communications
            
    1.9 Advanced Persistent Threat (APT) Techniques [OR]
    
        1.9.1 Long-Term Espionage
            1.9.1.1 Sustained traffic interception via persistent cache poisoning
            1.9.1.2 Targeting specific organizations (e.g., government, telecom)
            
        1.9.2 Tool Customization
            1.9.2.1 Developing bespoke tools for NDP exploitation
            1.9.2.2 Adapting attacks to evade signature-based detection
            
    1.10 Rogue DHCPv6 Server Attacks [OR]
    
        1.10.1 Combining NDP and DHCPv6 Exploitation
            1.10.1.1 Spoofing both NA and DHCPv6 responses
            1.10.1.2 Forcing hosts to use malicious configuration parameters
            
        1.10.2 DNS Server Injection
            1.10.2.1 Providing rogue DNS servers via DHCPv6 and NDP
            1.10.2.2 Hijacking DNS resolution for entire subnets

Why it works

  • No Authentication: NDP messages are not authenticated, allowing any node to claim any IP or MAC address.

  • Stateless Operation: NDP relies on simple request-response mechanisms without session state, making spoofing trivial.

  • Protocol Complexity: NDP’s multiple message types (NS, NA, RS, RA, Redirect) create a large attack surface.

  • Default Trust: IPv6 assumes a trusted local link, but attackers can easily join the network physically or wirelessly.

  • Limited Monitoring: Most networks lack dedicated IPv6/NDP monitoring, allowing attacks to go unnoticed.

Mitigation (How-To Guide)

Secure Neighbor Discovery (SEND):

  • Action: Deploy SEND to add cryptographic authentication to NDP messages.

  • How:

    • Router Configuration: Enable SEND on routers supporting RFC 3971.

    • Host Support: Ensure operating systems (e.g., Linux, Windows) support SEND.

    • Certification Authorities: Deploy CGAs (Cryptographically Generated Addresses) and manage keys.

  • Challenge: SEND is complex and not widely adopted, but it is the strongest long-term solution.

NDP inspection (similar to DHCP snooping)

  • Action: Implement NDP inspection on switches to validate messages.

  • How:

    • Cisco IOS: Use the ipv6 nd inspection policy command to define a policy, then attach it to the relevant interfaces.

    • Junos OS: Configure forwarding-options access-security ndp-snooping.

    • Open vSwitch: Use ACLs to filter unauthorized NDP messages.

  • Best Practice: Combine with RA Guard for comprehensive protection.

Rate limiting and thresholds

  • Action: Limit the rate of NDP messages to prevent flooding.

  • How:

    • Cisco: ipv6 nd suppression and rate limiting per interface.

    • Linux: Use sysctl parameters (e.g., net.ipv6.neigh.default.gc_thresh3) to tune cache limits.

    • Hardware Switches: Configure storm control for ICMPv6 traffic.

Host hardening

  • Action: Configure hosts to resist NDP attacks.

  • How:

    • Windows: Disable IPv6 on unnecessary interfaces via netsh or Group Policy.

    • Linux: Set net.ipv6.conf.all.forwarding=0 and net.ipv6.conf.all.accept_ra=0 for non-routers.

    • Endpoint Protection: Use host-based firewalls to block suspicious ICMPv6 traffic.
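The Linux settings named in the rate-limiting and host-hardening sections above are easy to set and easy to get wrong: the kernel consults each interface's own value, net.ipv6.conf.default.* only seeds interfaces created later, and accept_ra=0 also switches off SLAAC and RA-learned default routes, so it suits only hosts with static addressing. The following audit script is an added example written for this page, not a vendor or distribution tool. It expands the conf.all knobs to per-interface keys, compares a snapshot against a baseline, and renders the matching sysctl.d fragment. The gc_thresh3 value of 1024 is an assumed site choice, and the snapshot with eth0 still accepting RAs is constructed so the audit runs offline.

```python
"""Audit the Linux IPv6 sysctls from the host-hardening and rate-limiting
sections per interface, and render the matching sysctl.d fragment.
Reads /proc/sys when present; otherwise a constructed snapshot is used so the
audit also runs on a non-Linux machine. Example code added to this page."""
from __future__ import annotations
from pathlib import Path

# Baseline for a host that does not route and does not rely on Router
# Advertisements for addressing (accept_ra=0 also stops SLAAC and RA-learned
# default routes). gc_thresh3 is the hard cap on neighbor-cache entries, which
# bounds cache exhaustion; 1024 is an assumed site value, not a recommendation.
HOST_BASELINE = {
    "net.ipv6.conf.all.forwarding": "0",
    "net.ipv6.conf.default.forwarding": "0",
    "net.ipv6.conf.all.accept_ra": "0",
    "net.ipv6.conf.default.accept_ra": "0",
    "net.ipv6.neigh.default.gc_thresh3": "1024",
}

# Constructed snapshot: all/default look hardened, but an existing interface
# still accepts RAs. A check limited to the "all" keys would miss this.
CONSTRUCTED_SNAPSHOT = {
    "net.ipv6.conf.all.forwarding": "0",
    "net.ipv6.conf.default.forwarding": "0",
    "net.ipv6.conf.all.accept_ra": "0",
    "net.ipv6.conf.default.accept_ra": "0",
    "net.ipv6.conf.eth0.forwarding": "0",
    "net.ipv6.conf.eth0.accept_ra": "1",
    "net.ipv6.neigh.default.gc_thresh3": "1024",
}


def expand_keys(baseline: dict[str, str], interfaces: list[str]) -> dict[str, str]:
    """Add a per-interface key for each conf.all knob: the kernel uses the
    interface's own value, so that is the one that must be verified."""
    expanded = dict(baseline)
    prefix = "net.ipv6.conf.all."
    for key, want in baseline.items():
        if key.startswith(prefix):
            knob = key[len(prefix):]
            for iface in interfaces:
                expanded[f"net.ipv6.conf.{iface}.{knob}"] = want
    return expanded


def read_proc_sys(key: str) -> str | None:
    """Read one sysctl via /proc/sys; None when unavailable. Dotted interface
    names (eth0.100) need '/' separators in the key and are not handled here."""
    path = Path("/proc/sys") / key.replace(".", "/")
    try:
        return path.read_text().strip()
    except OSError:
        return None


def live_snapshot(interfaces: list[str],
                  baseline: dict[str, str] = HOST_BASELINE) -> dict[str, str | None]:
    """Snapshot every baseline and per-interface key from the running kernel."""
    return {k: read_proc_sys(k) for k in expand_keys(baseline, interfaces)}


def audit(snapshot: dict[str, str | None], interfaces: list[str],
          baseline: dict[str, str] = HOST_BASELINE) -> list[tuple[str, str | None, str]]:
    """Return (key, current, expected) for each key missing or off baseline."""
    findings = []
    for key, want in expand_keys(baseline, interfaces).items():
        have = snapshot.get(key)
        if have != want:
            findings.append((key, have, want))
    return findings


def render_sysctl_conf(baseline: dict[str, str] = HOST_BASELINE) -> str:
    """Drop-in for /etc/sysctl.d/, applied with `sysctl --system`."""
    return "\n".join(f"{k} = {v}" for k, v in baseline.items()) + "\n"


if __name__ == "__main__":
    ifaces = ["eth0"]
    snap = (live_snapshot(ifaces) if Path("/proc/sys/net/ipv6").exists()
            else CONSTRUCTED_SNAPSHOT)
    for key, have, want in audit(snap, ifaces):
        print(f"{key}: is {have!r}, want {want!r}")
    print(render_sysctl_conf(), end="")
```

On a real host, pass the interface names from `ip -o link` rather than the hard-coded list, and treat a missing key as a finding too: it usually means the interface does not exist or IPv6 is disabled on it, both of which are worth knowing.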

Network segmentation

  • Action: Limit the scope of NDP attacks through segmentation.

  • How:

    • VLANs: Isolate critical devices into separate VLANs.

    • Private VLANs (PVLANs): Restrict communication between hosts.

    • RA Guard: Deploy on all user-facing switch ports.

Monitoring and detection

  • Action: Actively monitor for NDP anomalies.

  • How:

    • IDS/IPS: Use tools like Snort or Suricata with rules for NDP spoofing.

    • SIEM Integration: Correlate events from switches, routers, and hosts.

    • Anomaly Detection: Deploy ML-based tools to detect slow poisoning.
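What an NDP inspection feature and an IDS rule for NDP spoofing actually check is spelled out in RFC 4861 section 7.1.2: hop limit 255, ICMPv6 code 0, a minimum length, no zero-length options, a non-multicast target, and no Solicited flag on a multicast destination. Cache poisoning then shows up as a target whose advertised link-layer address changes. The script below is an added example written for this page (not vendor code and not a Snort or Suricata rule): it parses Neighbor Advertisements from raw bytes, applies those receive checks, and keeps a first-seen binding table so that a changed binding is reported. The packet sequence is constructed in memory, nothing is sent or captured, and the ICMPv6 checksum is not verified, which a production inspector must do.

```python
"""Parse ICMPv6 Neighbor Advertisements, apply the RFC 4861 section 7.1.2
receive checks an NDP inspection point applies, and alert when a target's
advertised link-layer address changes. Example code added to this page; all
packets are constructed in memory."""
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ICMPV6_NA = 136          # Neighbor Advertisement
NEXT_HDR_ICMPV6 = 58
OPT_TARGET_LLADDR = 2    # Target Link-Layer Address option


@dataclass
class NeighborAdvertisement:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    hop_limit: int
    router: bool
    solicited: bool
    override: bool
    target: ipaddress.IPv6Address
    target_lladdr: Optional[str]   # None when the option is absent


def parse_na(pkt: bytes) -> NeighborAdvertisement:
    """Parse IPv6 header + ICMPv6 NA (no extension headers). Raises ValueError
    for anything the RFC says to discard. Checksum is NOT verified here."""
    if len(pkt) < 40 + 24:
        raise ValueError("shorter than IPv6 header plus NA fixed part")
    payload_len, next_hdr, hop_limit = struct.unpack_from("!HBB", pkt, 4)
    if next_hdr != NEXT_HDR_ICMPV6:
        raise ValueError("next header is not ICMPv6")
    icmp = pkt[40:40 + payload_len]
    if len(icmp) != payload_len or payload_len < 24:
        raise ValueError("ICMPv6 length inconsistent with payload length")
    if icmp[0] != ICMPV6_NA:
        raise ValueError(f"ICMPv6 type {icmp[0]} is not an NA")
    if icmp[1] != 0:
        raise ValueError("ICMPv6 code must be 0")
    flags = icmp[4]
    lladdr = None
    off = 24
    while off < len(icmp):               # walk TLV options, lengths in 8-byte units
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")
        end = off + olen * 8
        if end > len(icmp):
            raise ValueError("option overruns message")
        if otype == OPT_TARGET_LLADDR and olen == 1:   # 6-byte MAC
            lladdr = ":".join(f"{b:02x}" for b in icmp[off + 2:off + 8])
        off = end
    return NeighborAdvertisement(
        ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]),
        hop_limit, bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20),
        ipaddress.IPv6Address(icmp[8:24]), lladdr)


def validate_na(na: NeighborAdvertisement) -> list[str]:
    """Semantic checks from RFC 4861 section 7.1.2; empty list means acceptable."""
    problems = []
    if na.hop_limit != 255:
        problems.append(f"hop limit {na.hop_limit} != 255: not originated on this link")
    if na.target.is_multicast:
        problems.append("target address is multicast")
    if na.dst.is_multicast and na.solicited:
        problems.append("Solicited flag set on a multicast destination")
    return problems


class NeighborBindingMonitor:
    """Remember the first link-layer address seen per target; alert on change.
    Unsolicited NAs are legitimate on their own (RFC 4861 section 7.2.6), so the
    changed binding, not the missing solicitation, is the signal. The first-seen
    binding is kept so a repeated spoof keeps alerting; an operator-confirmed
    move is the point to update it."""
    def __init__(self) -> None:
        self.bindings: dict[ipaddress.IPv6Address, str] = {}

    def observe(self, na: NeighborAdvertisement) -> list[str]:
        alerts = validate_na(na)
        if na.target_lladdr is None:
            return alerts
        known = self.bindings.get(na.target)
        if known is None:
            self.bindings[na.target] = na.target_lladdr
        elif known != na.target_lladdr:
            alerts.append(f"binding change for {na.target}: {known} -> {na.target_lladdr}"
                          + (" with Override set" if na.override else ""))
        return alerts


def build_na(src: str, dst: str, target: str, lladdr: str, *, solicited: bool = False,
             override: bool = True, hop_limit: int = 255) -> bytes:
    """Assemble constructed test bytes (checksum left zero; parse_na ignores it)."""
    flags = (0x40 if solicited else 0) | (0x20 if override else 0)
    icmp = (bytes([ICMPV6_NA, 0, 0, 0, flags, 0, 0, 0])
            + ipaddress.IPv6Address(target).packed
            + bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", "")))
    hdr = (struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HDR_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return hdr + icmp


# Constructed sequence: fe80::1 announces its MAC, answers a solicitation, is then
# advertised with a different MAC, and finally arrives with a non-255 hop limit.
SAMPLE_NAS = [
    build_na("fe80::1", "ff02::1", "fe80::1", "02:00:00:00:00:01"),
    build_na("fe80::1", "fe80::10", "fe80::1", "02:00:00:00:00:01", solicited=True),
    build_na("fe80::1", "ff02::1", "fe80::1", "02:00:00:00:00:99"),
    build_na("fe80::1", "ff02::1", "fe80::1", "02:00:00:00:00:01", hop_limit=64),
]


def run_monitor(packets: list[bytes] = SAMPLE_NAS) -> list[tuple[int, list[str]]]:
    """Return (packet index, alerts) for every packet that produced an alert."""
    monitor = NeighborBindingMonitor()
    findings = []
    for i, pkt in enumerate(packets):
        try:
            alerts = monitor.observe(parse_na(pkt))
        except ValueError as exc:
            alerts = [f"malformed: {exc}"]
        if alerts:
            findings.append((i, alerts))
    return findings


if __name__ == "__main__":
    for idx, alerts in run_monitor():
        print(f"packet {idx}: " + "; ".join(alerts))
```

Fed the constructed sequence, the monitor stays quiet on the first two packets and reports the third (binding change with Override set) and the fourth (hop limit 64). For the slow-poisoning case the section mentions, the binding table is the part that matters: a single changed advertisement is enough to trip it regardless of rate, which is why the check is on the binding rather than on message volume.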

Physical security and access control

  • Action: Prevent unauthorized network access.

  • How:

    • 802.1X: Implement port-based NAC to authenticate devices.

    • MACsec: Use IEEE 802.1AE to encrypt and authenticate all layer 2 traffic.

    • Physical Controls: Secure wiring closets and network jacks.

Regular audits and pentesting

  • Action: Proactively test defenses against NDP attacks.

  • How:

    • Red Team Exercises: Use tools like parasite6, fake_router6, or thc-ipv6.

    • IPv6 Security Audits: Regularly review configurations and policies.

    • Patch Management: Ensure all devices are updated.

Key insights from real-world attacks

  • Local Link Exploitation: NDP attacks are limited to the local broadcast domain, but they can be devastating for network integrity.

  • Evasion Techniques: Attackers use extension headers and low-rate attacks to bypass security controls.

  • IoT Risks: Resource-constrained devices are highly vulnerable to NDP-based DoS and battery drainage attacks.

  • Automated Defense: AI-driven tools will become essential for detecting NDP anomalies.

  • Protocol Improvements: IETF efforts may enhance NDP security (e.g., through lightweight authentication).

  • Vendor Collaboration: Closer collaboration is needed to develop integrated solutions.

Conclusion

NDP exploitation poses serious risks to IPv6 networks, enabling MitM, DoS, and reconnaissance. Mitigations such as SEND and NDP inspection exist, but they protect a network only once they are actually deployed. Organizations must adopt a layered defense strategy to protect against these evolving threats.