About some routing protocol vulnerabilities (1)

Source: Internet
Author: User
Tags: strong password

This article discusses attacks on the underlying network protocols and ways to prevent them, with particular attention to routing and routing protocol vulnerabilities: the Routing Information Protocol (RIP), the Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), and so on.

Routers play a key role in every network. If a router is compromised or a route is successfully spoofed, the integrity of the network is seriously damaged. If the hosts that rely on that route do not use encrypted communication the situation is worse still, because their traffic is now under the attacker's control: man-in-the-middle attacks, denial of service, data loss, damage to the network as a whole, and traffic sniffing all become possible.

Routing is a huge and complex topic, so I only touch on some of the relevant knowledge and the relationships between areas here. I welcome your advice.

========================================================== ========================================================
Some common router security problems

Routers of all kinds have a variety of well-known security issues. For common problems with Cisco, Livingston and Bay routers, see the following address, which collects many security vulnerabilities:

http://www.antionline.com/cgi-bin/anticode/anticode.pl?dir=router-exploits

Most of the vulnerabilities collected at that address do not involve attacks at the routing protocol level. Rather, they are problems such as SNMP left with the default community string through misconfiguration, faulty handling of malformed IP packets, weak passwords, or encryption algorithms that are not strong enough. Some of these attacks can be detected by a standard NIDS. Attacks of this kind weaken the bottom layer of the network and can be combined with attacks on higher-level protocols.

Correct configuration management takes care of many of these common vulnerabilities. The standard procedures to follow include: disable SNMP (or at least use a strong community string), keep patches up to date, maintain access control lists properly, filter inbound and outbound traffic, use a firewall, encrypt management channels and passwords, filter routes, and enable MD5 authentication on the routing protocols. Before applying these measures, of course, you must understand what each rule means and which services it affects.
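The MD5 authentication recommended above, worked through for OSPFv2 in Python as an added example; this is not code from the original article or from any of the projects it mentions. It follows RFC 2328 Appendix D: the 16-byte key (a shorter secret is zero-padded) is appended to the OSPF packet, the MD5 digest of that is appended to the packet in the key's place, and the receiver recomputes the digest and also checks the cryptographic sequence number so that a captured Hello cannot simply be replayed. The router IDs, addresses, the key table KEYS and the shared secret are constructed sample values.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.

Added example (not from the original article): a router builds an authenticated
Hello, a receiver verifies it, and we show why an attacker without the key can
neither forge a Hello nor replay an old one.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTO = 2
HEADER_LEN = 24
DIGEST_LEN = 16

# Constructed sample key table, key ID -> shared secret (an assumption for this demo).
KEYS = {1: b"s3cr3t-ospf-key"}


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def md5_key(secret):
    """RFC 2328 D.3: the key is 16 bytes; a shorter secret is padded with zeros."""
    if len(secret) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return secret.ljust(DIGEST_LEN, b"\x00")


def hello_body(netmask, neighbors=(), hello_interval=10, dead_interval=40):
    """Hello: mask, HelloInterval, Options (E bit), priority, DeadInterval, DR, BDR, neighbors."""
    body = struct.pack("!4sHBBI4s4s", _ip(netmask), hello_interval, 0x02, 1,
                       dead_interval, _ip("0.0.0.0"), _ip("0.0.0.0"))
    return body + b"".join(_ip(n) for n in neighbors)


def build_authenticated(router_id, area_id, body, key_id, seq):
    """OSPFv2 header with AuType 2, then the body, then the 16-byte digest (D.4.3)."""
    length = HEADER_LEN + len(body)          # the digest is not counted in Length
    # Under cryptographic authentication the checksum field is 0 and the 64-bit
    # authentication field is: reserved(2) | Key ID(1) | Auth Data Len(1) | seq(4).
    header = struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTO,
                         0, key_id, DIGEST_LEN, seq)
    packet = header + body
    digest = hashlib.md5(packet + md5_key(KEYS[key_id])).digest()
    return packet + digest


def verify_authenticated(data, last_seq_by_router):
    """Receiver side (D.4.4). Returns (ok, reason); updates per-neighbor sequence state."""
    if len(data) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    (version, _ptype, length, router_id, _area, _csum, autype,
     _rsv, key_id, auth_len, seq) = struct.unpack("!BBH4s4sHHHBBI", data[:HEADER_LEN])
    if version != OSPF_VERSION or autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not OSPFv2 cryptographic authentication"
    if len(data) != length + DIGEST_LEN:
        return False, "length mismatch"
    secret = KEYS.get(key_id)
    if secret is None:
        return False, "unknown key id %d" % key_id
    packet, received_digest = data[:length], data[length:]
    # Replay protection: the sequence number must not go backwards for this neighbor.
    rid = str(ipaddress.IPv4Address(router_id))
    if seq < last_seq_by_router.get(rid, 0):
        return False, "stale sequence number (replay?)"
    expected = hashlib.md5(packet + md5_key(secret)).digest()
    if not hmac.compare_digest(expected, received_digest):
        return False, "bad digest"
    last_seq_by_router[rid] = seq
    return True, "ok"


def demo():
    """A legitimate Hello, a forgery by an attacker without the key, and a replay."""
    state = {}
    body = hello_body("255.255.255.0", neighbors=["10.0.0.2"])
    good = build_authenticated("10.0.0.1", "0.0.0.0", body, key_id=1, seq=1000)
    ok_good, _ = verify_authenticated(good, state)

    # Attacker copies the packet and rewrites the Designated Router field
    # (body offset 12) to claim DR, but cannot recompute the digest.
    forged = bytearray(good)
    forged[HEADER_LEN + 12:HEADER_LEN + 16] = _ip("192.0.2.99")
    ok_forged, why_forged = verify_authenticated(bytes(forged), state)

    # The real router sends a newer Hello; afterwards the captured one is stale.
    newer = build_authenticated("10.0.0.1", "0.0.0.0", body, key_id=1, seq=1001)
    verify_authenticated(newer, state)
    ok_replay, why_replay = verify_authenticated(good, state)
    return {"legitimate": ok_good, "forged": ok_forged, "forged_reason": why_forged,
            "replay": ok_replay, "replay_reason": why_replay}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the RFC allows a sequence number equal to the last one seen, so replay of the most recent packet within the same sequence value is not prevented by this check alone, and keyed MD5 of this form is no longer considered strong; RFC 5709 defines HMAC-SHA authentication for OSPFv2 and should be preferred where the routers support it.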

========================================================== ==========================================================
Recent developments in low-level infrastructure defense and detection systems

A relatively good recent network protection development project is an IDS called JiNao; see http://www.anr.mcnc.org/projects/JiNao/JiNao.html. JiNao was initiated by DARPA and is now a cooperative research project of MCNC and North Carolina State University. JiNao runs in online mode (using divert sockets) on FreeBSD and Linux and in offline mode on Solaris, and has been tested on three networks built from PC operating systems and commercial routers: MCNC, NCSU, and the Air Force Rome Laboratory. The test results show that various kinds of low-layer network attacks can be prevented, and detected with high accuracy.

At present JiNao focuses on the Open Shortest Path First (OSPF) protocol, and it will eventually be extended to other protocols. The JiNao team points out that attack defense and intrusion detection will become part of network management; accordingly, JiNao is integrated with network firewalls, intrusion detection systems, and network management systems.

There is also a tool that analyzes higher-level protocols, the Agilent Advisor (http://onenetworks.comms.agilent.com/), a network analysis tool that supports a variety of routing protocols and lets you define custom filters to detect various kinds of abnormal behavior.

========================================================== ==========================================================
Some tools that work at the routing protocol level

-------------------------------
Linux divert sockets. Description: "Divert sockets can capture and inject IP packets on both routers and end hosts. They capture and inject packets at the IP layer; captured packets are diverted to a socket in user space, so they never reach their final destination unless the user-space program reinjects them. This allows different operations (such as routing and firewalling) to be performed outside the kernel, between capture and reinjection." (http://www.anr.mcnc.org/~divert/). Simply put, a divert socket hands IP packets from the kernel to a user-space program for processing. Divert sockets first appeared in FreeBSD, where the NAT daemon uses them, for example. This makes development easy, because the work is done at user level, while efficiency stays relatively high, because the program handles the kernel's IP packets directly.

The divert socket code can be found at http://www.anr.mcnc.org/~divert/. As mentioned above, divert sockets were first implemented in FreeBSD and have since been ported to Linux, where they are used as part of the JiNao IDS project.

