Simple policy to detect CVE-2020-16898: Bad Neighbor
Following functionality are provided by the script
:: 1) Script checks on heuristic described here: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
zeek-pkg install zeek/initconf/CVE-2020-16898-Bad-Neighbor or @load CVE-2020-16898-Bad-Neighbor/scripts
Detail Alerts and descriptions: Following alerts are generated by the script:
Heuristics are simple:
As per :
(i) looking for packets with an ICMPv6 Type field of 134 indicating Router Advertisements
(ii) an ICMPv6 Option field of 25 indicating Recursive DNS Server (RDNSS).
(iii) If this RDNSS option also has a length field value that is even, the heuristic would drop or flag the associated packet, as it is likely part of a Bad Neighbor exploit attempt.