Description of OSPF routing protocol vulnerabilities

Source: Internet
Author: User

There is much more to learn about the OSPF routing protocol; here we mainly describe its vulnerabilities. OSPF is a dynamic link-state routing protocol. Every router keeps a link-state database that describes the whole area and uses it to compute the shortest path to each destination network. Internally, OSPF works by flooding link-state advertisements (LSAs) to neighbouring routers, so that all routers in the area end up holding the same database.

When a router receives these LSAs it runs the SPF (Dijkstra) algorithm over the database to compute the shortest path to every node. Neighbours are discovered with the OSPF Hello protocol: by default a router multicasts a Hello packet to 224.0.0.5 (AllSPFRouters) every 10 seconds and listens for the Hellos of the other routers on the segment. Such a Hello can be sniffed with iptraf, which shows it like this:

OSPF hlo (a = 3479025376 r = 192.168.19.35) (64 bytes) from 192.168.253.67 to 224.0.0.5 on eth0

Here the router at 192.168.253.67 multicasts a Hello to 224.0.0.5 announcing router ID 192.168.19.35 (r) in area 3479025376 (a). iptraf prints the 32-bit area ID in decimal; 3479025376 is 0xCF5DB6E0, or 207.93.182.224 in the dotted notation most router configurations use. The 64 bytes are consistent with a 20-byte IP header plus a 44-byte OSPF Hello that lists no neighbours yet. Once routers see each other's Hellos they can form an adjacency and synchronize their link-state databases; the Hello itself carries no routes.

OSPF-related vulnerabilities and Preventive Measures

OSPF is considerably safer than RIP because it has several built-in protections (packet authentication, LSA sequence numbers and checksums, and re-origination of a router's own LSAs when a bad copy appears). Nevertheless, fields of an LSA can be altered by capturing an OSPF packet, modifying it and re-injecting it. For their tests the JiNao team developed a Linux implementation of the FreeBSD divert socket, which lets a user-space program intercept, modify and re-inject packets passing through the host.

OSPF can be run with no authentication (AuType 0), with a plaintext password (AuType 1) or with MD5 cryptographic authentication (AuType 2). With the first two, an attacker who has access to the segment can read OSPF packets, and the plaintext password, with a sniffer such as dsniff, and can use a divert socket or ARP-spoofing tools to redirect traffic through a host under their control. The JiNao team identified four denial-of-service attacks against OSPF, described briefly below:

MaxAge attack

The maximum age of an LSA (MaxAge) is one hour (3600 seconds). The attacker re-injects a copy of a legitimate LSA with its LS age set to MaxAge. A router that receives a MaxAge copy of an LSA it originated itself treats that copy as newer than its own and reacts by re-originating the LSA with a higher sequence number (the "fight-back" behaviour of RFC 2328), so the age of that LSA changes abruptly and the refreshed LSA is flooded again. If the attacker keeps injecting MaxAge copies to all routers in the area, the constant re-origination and flooding cause routing churn and a denial of service. The LS checksum does not cover the age field, so the attacker does not even need to recompute it.

Seq++ attack

The attacker continuously injects copies of an LSA with a larger LS sequence number. According to the OSPF RFC, the LS sequence number decides which of two instances of the same LSA is newer: the larger sequence number wins. When the attacker injects instances with sequence numbers higher than the real ones, the originating router, on receiving a "newer" copy of its own LSA, re-originates it with a sequence number one higher than the attacker's, and the two race each other upward. The resulting continuous re-flooding and SPF recomputation make the network unstable and amount to a denial of service.

Maximum sequence number attack

The attacker injects an LSA carrying the maximum sequence number, 0x7FFFFFFF (MaxSequenceNumber). According to the OSPF RFC, when the originating router would have to increment past MaxSequenceNumber, it must first flush the LSA from the routing domain (by prematurely aging it to MaxAge) and only then re-originate it with InitialSequenceNumber (0x80000001). In theory, then, an injected MaxSequenceNumber instance immediately forces the originating router into this flush-and-restart cycle, and repeating the injection keeps it there. In practice the JiNao team found that some implementations do not flush the MaxSequenceNumber instance at all: it stays in the link-state database for a full hour until it ages out, and since no larger sequence number exists, the originator cannot replace it with a legitimate update during that time.
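
To make the three injections above concrete, here is an added example (written for this page, not code from the JiNao project or from any router implementation) that models the RFC 2328 rules for ranking two instances of the same LSA and the originating router's fight-back, then runs the MaxAge, Seq++ and MaxSeq injections against it. The legitimate instance, the attacker's checksum values and the number of rounds are constructed; the constants are the RFC values.

```python
"""
Model of how an OSPF router ranks two instances of the same LSA (RFC 2328
section 13.1) and how the originating router "fights back" when it receives
a newer copy of its own LSA (sections 12.1.6 and 13.4).  Running the three
JiNao injections against it shows the churn each one causes.
Added example, not from the JiNao paper.  The checksum is a stand-in number;
a real router recomputes the Fletcher checksum over the LSA contents.
"""
from dataclasses import dataclass

MAX_AGE = 3600              # MaxAge, seconds
MAX_AGE_DIFF = 900          # MaxAgeDiff, seconds
MAX_SEQ = 0x7FFFFFFF        # MaxSequenceNumber
INITIAL_SEQ = -0x7FFFFFFF   # InitialSequenceNumber 0x80000001 as a signed 32-bit value


@dataclass(frozen=True)
class LSA:
    seq: int        # LS sequence number, signed 32-bit as on the wire
    checksum: int   # LS checksum (stand-in; covers everything except the age)
    age: int        # LS age in seconds


def newer(a, b):
    """1 if a is newer than b, -1 if older, 0 if they are the same instance."""
    if a.seq != b.seq:                              # larger (signed) sequence number wins
        return 1 if a.seq > b.seq else -1
    if a.checksum != b.checksum:                    # then larger checksum
        return 1 if a.checksum > b.checksum else -1
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):    # a MaxAge copy counts as newer
        return 1 if a.age == MAX_AGE else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:           # then the younger one, if far apart
        return 1 if a.age < b.age else -1
    return 0


def fight_back(db, received, seq_wrap_flush=True):
    """Originator's reaction to a copy of its own LSA; returns (action, lsa) pairs.

    seq_wrap_flush=False models the implementation behaviour JiNao observed:
    a MaxSequenceNumber copy is kept until it ages out instead of being
    flushed and re-originated at InitialSequenceNumber."""
    if newer(received, db) <= 0:
        return [("ignore", db)]
    if received.seq < MAX_SEQ:                      # normal case: bump the sequence number
        return [("originate", LSA(received.seq + 1, db.checksum, 0))]
    if seq_wrap_flush:                              # 12.1.6: flush first, then restart
        return [("flush", LSA(MAX_SEQ, received.checksum, MAX_AGE)),
                ("originate", LSA(INITIAL_SEQ, db.checksum, 0))]
    return [("stuck", received)]                    # buggy: attacker's instance is installed


def simulate(attack, rounds=2, seq_wrap_flush=True):
    """Inject `rounds` forged copies of one LSA and log the originator's actions
    as (action, sequence number) pairs.  attack is "maxage", "seq++" or "maxseq"."""
    db = LSA(INITIAL_SEQ + 4, 0x1234, 100)          # constructed legitimate instance
    log = []
    for _ in range(rounds):
        if attack == "maxage":
            forged = LSA(db.seq, db.checksum, MAX_AGE)   # age is outside the checksum
        elif attack == "seq++":
            forged = LSA(db.seq + 1, 0xBEEF, 0)          # attacker recomputed the checksum
        elif attack == "maxseq":
            forged = LSA(MAX_SEQ, 0xBEEF, 0)
        else:
            raise ValueError(attack)
        for action, lsa in fight_back(db, forged, seq_wrap_flush):
            log.append((action, lsa.seq))
            if action in ("originate", "stuck"):
                db = lsa
    return log


if __name__ == "__main__":
    for name in ("maxage", "seq++", "maxseq"):
        print(name, simulate(name))
    print("maxseq, no flush", simulate("maxseq", seq_wrap_flush=False))
```

Running it shows the originator's action per injection: MaxAge and Seq++ each provoke a fresh origination every round, MaxSeq a flush-and-restart every round, and with seq_wrap_flush=False the attacker's MaxSequenceNumber instance is installed and every further copy is simply ignored, which is the one-hour stall described above.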

Counterfeit LSA attack

This attack exploits a bug in the gated routing daemon: once a forged LSA has been accepted it cannot be cleared except by stopping and restarting every gated process, which is a denial of service. It does not affect hardware routers, and newer gated versions are not vulnerable. The OSPF module of Nemesis (nemesis-ospf) can be used to launch the attacks described above, but it has a large number of options and requires a deep understanding of OSPF, so carrying out these attacks is hard for attackers and administrators alike. It has also been reported that nemesis-ospf does not always work correctly, which further limits the value of the tool.

OSPF authentication relies on a key configured on every router on the link; there is no key exchange, and each OSPF packet carries authentication data derived from that key. With plaintext password authentication the password itself travels in clear in the 8-byte authentication field of every packet, including the Hello packets that routers send every 10 seconds by default, which gives an attacker ample opportunity to eavesdrop on it. With MD5 authentication the key is never transmitted; each packet carries a keyed digest, so a sniffer learns only the digest (a weak key can still be guessed offline against it). If an attacker can sniff the network and obtain the key, OSPF packets can be forged, and, more seriously, forged OSPF packets can blindly redirect traffic. In practice these attacks are rare, because they are difficult and because there are usually easier vulnerabilities to exploit. It is nonetheless recommended that hosts which do not need dynamic routing use static routes, which serve most hosts perfectly well, since dynamic routing daemons are an attractive target; gated, for example, was found to have an authentication flaw a few years ago.
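
As an added example (not part of the original article), the following Python builds OSPFv2 Hello packets of the kind shown in the iptraf capture earlier, once for each authentication type, and parses them the way a sniffer such as dsniff would. The router IDs, the area, the password and the MD5 key are made up, and the packets are constructed in the script rather than captured. It shows that with simple-password authentication the password is read straight out of the 8-byte authentication field, whereas with MD5 only a key ID, a sequence number and a digest are visible, and the key can only be checked by guessing.

```python
"""
OSPFv2 packet header and Hello body (RFC 2328 A.3.1, A.3.2) under the three
authentication types of Appendix D: null, simple password, cryptographic MD5.
Builds constructed Hellos and parses them as a sniffer would, to show what
each AuType leaks.  Added example; addresses, area and keys are made up.
"""
import hashlib
import struct
from ipaddress import IPv4Address

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")    # ver, type, len, router ID, area ID, cksum, AuType, auth
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")  # mask, HelloInterval, options, priority, dead, DR, BDR
AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2


def _ip(addr):
    return IPv4Address(addr).packed


def ip_checksum(data):
    """Standard Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, autype, key=b"", neighbors=(), crypt_seq=1):
    """Constructed Hello: 10 s HelloInterval, 40 s RouterDeadInterval, no DR/BDR yet."""
    body = HELLO_FIXED.pack(_ip("255.255.255.0"), 10, 0x02, 1, 40, _ip("0.0.0.0"), _ip("0.0.0.0"))
    body += b"".join(_ip(n) for n in neighbors)
    length = OSPF_HDR.size + len(body)
    if autype == AU_CRYPT:
        # auth field = 0, key ID, digest length, cryptographic sequence number; the
        # checksum is unused.  Digest = MD5(packet || key padded to 16 bytes), appended
        # after the packet and not counted in the length field (D.4.3).
        auth = struct.pack("!HBBI", 0, 1, 16, crypt_seq)
        pkt = OSPF_HDR.pack(2, 1, length, _ip(router_id), _ip(area_id), 0, autype, auth) + body
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    auth = key.ljust(8, b"\x00") if autype == AU_SIMPLE else bytes(8)   # password in clear
    hdr = OSPF_HDR.pack(2, 1, length, _ip(router_id), _ip(area_id), 0, autype, auth)
    cksum = ip_checksum(hdr[:16] + body)        # checksum excludes the 8-byte auth field
    return hdr[:12] + struct.pack("!H", cksum) + hdr[14:] + body


def parse_hello(pkt):
    """What a passive sniffer learns from one Hello (None if it is not a Hello)."""
    if len(pkt) < OSPF_HDR.size:
        return None
    ver, ptype, length, rid, aid, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2 or ptype != 1:
        return None
    info = {"router_id": str(IPv4Address(rid)), "area_id": int.from_bytes(aid, "big"),
            "area_dotted": str(IPv4Address(aid)), "autype": autype, "length": length}
    if autype == AU_SIMPLE:
        info["password"] = auth.rstrip(b"\x00")                   # recovered directly
    elif autype == AU_CRYPT:
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, crypto_seq=seq,
                    digest=pkt[length:length + digest_len].hex())  # only a digest
    _, hello, _, _, dead, _, _ = HELLO_FIXED.unpack_from(pkt, OSPF_HDR.size)
    nbrs = pkt[OSPF_HDR.size + HELLO_FIXED.size:length]
    info.update(hello_interval=hello, dead_interval=dead,
                neighbors=[str(IPv4Address(nbrs[i:i + 4])) for i in range(0, len(nbrs), 4)])
    return info


def verify_crypto(pkt, key):
    """Recompute the MD5 digest with a candidate key: with the real key this
    authenticates the packet, without it a sniffer can only test guesses."""
    length = struct.unpack_from("!H", pkt, 2)[0]
    return hashlib.md5(pkt[:length] + key.ljust(16, b"\x00")).digest() == pkt[length:]


if __name__ == "__main__":
    for autype in (AU_NULL, AU_SIMPLE, AU_CRYPT):
        print(parse_hello(build_hello("192.168.19.35", "207.93.182.224", autype, b"s3cret")))
```

A Hello with no neighbours comes out at 44 bytes; with a 20-byte IP header in front that is the 64 bytes iptraf reported for the capture earlier. The area "207.93.182.224" parses back to 3479025376, the decimal form iptraf printed.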

Using IRPAS to attack CDP and IRDP

The cdp program in IRPAS sends CDP (Cisco Discovery Protocol) messages to Cisco routers on the local segment to cause a denial of service; flooding a router with garbage CDP announcements can make it reload or crash. It can also serve as a diversion that opens the door for more dangerous tools. A possible attack scenario: use cdp to knock the router out of service, then use the irdp or irdpresponder tool to advertise a new router with a high preference value (irdp sends unsolicited ICMP Router Advertisements, irdpresponder answers the hosts' ICMP Router Solicitations). While the target router is unreachable because of the denial of service, hosts adopt the newly advertised router on the strength of its higher preference, and if the attacker's value is accepted they can easily insert their own system into the communication path.

The same attack applies to hosts that run IRDP (ICMP Router Discovery Protocol, RFC 1256). Windows 98, for example, has IRDP enabled by default and broadcasts three ICMP Router Solicitation messages at startup; on Windows NT, IRDP support has to be configured manually.
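
The mechanism behind the irdp/irdpresponder step is the preference level carried in ICMP Router Advertisements. The added example below (not from IRPAS or from the original article; the addresses, preference values and timeline are constructed) builds and parses RFC 1256 Router Advertisements and models a host's default-router table, showing the legitimate router being displaced by a higher-preference advertisement and then dropping out entirely once its own advertisements stop being refreshed.

```python
"""
ICMP Router Discovery (IRDP, RFC 1256): build and parse Router Advertisements
(ICMP type 9) and model the host-side default-router table, to show why an
advertisement with a higher preference level takes over the default route.
Added example; addresses, preferences and the timeline are made up.
"""
import struct
from ipaddress import IPv4Address

ICMP_ROUTER_ADV = 9
ADV_HDR = struct.Struct("!BBHBBH")    # type, code, checksum, num addrs, entry size (words), lifetime
ENTRY = struct.Struct("!4si")         # router address, signed 32-bit preference level
NOT_A_DEFAULT = -0x80000000           # 0x80000000: advertised, but never to be used as default


def icmp_checksum(data):
    """Standard Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_router_adv(entries, lifetime=1800):
    """entries: [(address, preference)]; lifetime in seconds (RFC default 1800)."""
    hdr = ADV_HDR.pack(ICMP_ROUTER_ADV, 0, 0, len(entries), 2, lifetime)
    body = b"".join(ENTRY.pack(IPv4Address(a).packed, p) for a, p in entries)
    cksum = icmp_checksum(hdr + body)
    return hdr[:2] + struct.pack("!H", cksum) + hdr[4:] + body


def parse_router_adv(pkt):
    """Return (lifetime, [(address, preference)]) or None if not a valid advertisement."""
    if len(pkt) < ADV_HDR.size:
        return None
    ptype, code, _, count, size, lifetime = ADV_HDR.unpack_from(pkt)
    if ptype != ICMP_ROUTER_ADV or code != 0 or size < 2 or icmp_checksum(pkt) != 0:
        return None
    if len(pkt) < ADV_HDR.size + count * size * 4:
        return None
    entries = []
    for i in range(count):
        addr, pref = ENTRY.unpack_from(pkt, ADV_HDR.size + i * size * 4)
        entries.append((str(IPv4Address(addr)), pref))
    return lifetime, entries


class HostRouterTable:
    """Host-side table of RFC 1256 section 4.2: each advertised address is kept
    with its preference until its lifetime expires; the live entry with the
    highest preference is the default router."""

    def __init__(self):
        self.routers = {}     # address -> (preference, expiry time)

    def learn(self, pkt, now):
        parsed = parse_router_adv(pkt)
        if parsed is None:
            return
        lifetime, entries = parsed
        for addr, pref in entries:
            if pref == NOT_A_DEFAULT:
                self.routers.pop(addr, None)
            else:
                self.routers[addr] = (pref, now + lifetime)

    def default_router(self, now):
        self.routers = {a: v for a, v in self.routers.items() if v[1] > now}
        return max(self.routers, key=lambda a: self.routers[a][0]) if self.routers else None


def takeover_demo():
    """Constructed timeline: legitimate router 192.168.1.1 advertises preference 0;
    an attacker at 192.168.1.66 then advertises preference 1000 and keeps doing so,
    while the real router, knocked out, stops refreshing.  Returns the defaults seen."""
    host = HostRouterTable()
    host.learn(build_router_adv([("192.168.1.1", 0)]), now=0)
    before = host.default_router(now=1)
    host.learn(build_router_adv([("192.168.1.66", 1000)]), now=5)
    during = host.default_router(now=6)
    host.learn(build_router_adv([("192.168.1.66", 1000)]), now=1790)
    after = host.default_router(now=1801)    # real router's 1800 s lifetime has run out
    return before, during, after, sorted(host.routers)


if __name__ == "__main__":
    print(takeover_demo())
```

The host never validates who sent the advertisement, so the only things the attacker needs are a higher preference than the real router and, to keep the entry alive, to keep advertising; once the real router stops refreshing, its entry expires and even a host that preferred it has nothing else to fall back on.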
