Because the words Cisco and router are nearly synonymous, a book on Cisco-related hacking and security cannot exist without a chapter devoted to exploitation of routing protocols. In fact, dwelling on routing-related attacks is an excellent way to finish this tome. Of course, the majority of routing protocols, except for Cisco proprietary Interior Gateway Routing Protocol (IGRP) and Enhanced Interior Gateway Routing Protocol (EIGRP), are IETF standards. Nevertheless, the chances are that in the majority of cases those Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP) version 4 packets flowing through the network are sent and received by Cisco routers or other Cisco appliances. Thus, it makes sense to cover attacks against all commonly used TCP/IP routing protocols in this book.
In Chapters 12 and 13 we have mentioned quite a variety of Layer 2 Address Resolution Protocol (ARP), Hot Standby Routing Protocol (HSRP), and Generic Routing Encapsulation (GRE) attacks aimed at redirecting traffic on the network, bending it in accordance with an attacker's will. Traffic redirection can be accomplished by employing Dynamic Host Configuration Protocol (DHCP), but we didn't dwell on this since it is too generic and hardly Cisco-related. Rerouting packets using Internet Control Message Protocol (ICMP) redirects and ICMP router advertisement/solicitation (ICMP Router Discovery Protocol, or IRDP) is also possible; however, Cisco routers would not normally alter their routing tables (as seen with a show ip route command) after receiving these ICMP packets. We have verified this fact in a testing lab using Hping2, SING, Nemesis, and ICMP utilities from IRPAS. A few exceptions to this rule do exist, though. For example, a Cisco router with IP routing turned off (no ip routing) would add gateways advertised by ICMP redirects, or ip irdp could be enabled on a router interface by a system administrator (possibly under the influence of bizarre hallucinogenic substances). Since this is not a very likely event, though, we'll skip describing ICMP rerouting attacks here.
We should always distinguish between traffic redirection attacks and routing attacks. These two are similar but not identical attack types. Routing attacks are always launched at the network layer of the OSI model. Never mind the fact that Routing Information Protocol (RIP) operates over UDP and BGP operates over TCP. Logically, these two protocols are still Layer 3 protocols with functionality specific for the network layer. Traffic redirection can be done on layers below and above that (consider DNS spoofing). The majority of traffic redirection attacks we have described are local and confined to a single LAN segment. Routing attacks can be remote, and the changes they induce can propagate far throughout vast networks. In particular, this applies to BGP attacks that can affect multiple autonomous systems at once. Routing attacks involve a much finer, more intelligent traffic manipulation than redirection attacks not related to specific routing protocols. Tweaking BGPv4 attributes provides a very good example of this.
Routing attacks can come in several flavors:
An attack using a subverted router: A subverted router is taken over by a cracker and used to gain further control over the hacked network.
An attack using a rogue router: A rogue router is an unauthorized router deployed by an attacker on the network. If a routing update authentication mechanism is absent or bypassed, such a router can participate in the routing process on the network and alter it in accordance with the attacker's needs. A rogue router can be a machine running a general-purpose OS, such as some UNIX flavor with a routing software suite installed. Alternatively, an attacker can inject illicit routing updates into the network using packet-crafting tools, such as Nemesis, Spoof, or IRPAS.
An attack using a masquerading router: A masquerading router is a rogue router that spoofs a legitimate router's identity to gain access to the routing domain. This can be done to bypass access lists and may involve source routing attacks. An example of such an attack provided in this chapter is impersonating a legitimate BGP neighbor.
In addition, an attacker can take over a router by exploiting a flaw in processing routing data. While not really a routing attack, it is a threat to be reckoned with, and we are going to describe one such potential attack.
The end result of any routing attack is the redirection of traffic on the network. To accomplish this, an attacker can do the following:
Alter the metric of a route (usually to a value that makes the inserted malicious route preferred over the legitimate one)
Alter the advertised network's netmask; remember that the more specific route (the one with the longest netmask) always has preference, regardless of metric
Alter policy routing, route redistribution, and administrative distance (rare)
Delete the route or cause a denial of service (DoS) to an involved router
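The following is an added illustration, not code from the book: a toy model of the route selection order a router applies (longest prefix match first, then administrative distance, then metric), used to show why a route with a longer netmask wins even when its metric and administrative distance are worse, together with an audit check that flags received prefixes more specific than the ones an administrator expects. All prefixes, next hops, distances and metrics are constructed sample data; the function names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    admin_distance: int  # Cisco defaults: 90 EIGRP, 110 OSPF, 120 RIP
    metric: int


def best_route(routes, dst):
    """Return the route a router would use for dst, or None.

    Selection order mirrors a real forwarding lookup: the longest matching
    prefix wins outright; administrative distance and metric only break ties
    between routes of identical prefix length.
    """
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.admin_distance, r.metric))


def unexpected_specifics(routes, expected_prefixes):
    """Flag received routes whose prefix is a strict subnet of an expected
    prefix without being expected itself (the netmask manipulation above)."""
    expected = [ip_network(p) for p in expected_prefixes]
    return [r for r in routes
            if r.prefix not in expected
            and any(r.prefix.subnet_of(e) for e in expected)]


# Constructed sample table: a legitimate OSPF /16 and a more specific /24
# that arrives with a worse administrative distance and a worse metric.
LEGIT = Route(ip_network("10.1.0.0/16"), "10.0.0.1", 110, 20)
INJECTED = Route(ip_network("10.1.2.0/24"), "10.0.0.99", 120, 50)
TABLE = [LEGIT, INJECTED]

if __name__ == "__main__":
    print(best_route(TABLE, "10.1.2.50"))  # the /24 wins on prefix length alone
    print(best_route(TABLE, "10.1.3.50"))  # the /16 still serves the rest
    print(unexpected_specifics(TABLE, ["10.1.0.0/16"]))
```

Only traffic inside the /24 is diverted, which is why a more-specific prefix is easy to miss in a large table and worth checking for explicitly.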
The traffic can always be "blackholed", which will create a DoS condition. Another way to DoS the whole network is to cause a constant recalculation of all routing tables through it. This is somewhat similar to the eternal Spanning Tree Protocol (STP) root bridge elections we reviewed earlier in the book. The data can also be redirected through a low-end router that is unlikely to handle a large amount of traffic. This will lead to packet loss and may crash that router. DoS is not the primary aim of routing protocols' exploitation, however threatening it may be. The traffic can be rerouted through a host controlled by the attacker for further sniffing and modification. It can also be directed outside the attacked network to bypass the firewall and create an information leak. Yet another interesting application of malicious traffic rerouting is directing the traffic through a path that bypasses an intrusion detection system (IDS) sensor to avoid another attack's detection.
Because every routing domain is different in terms of both protocol settings and topology, in the majority of cases it is not possible to provide "canned" prescriptions of routing attacks. An attacker will have to study the topology and routing architecture of the target network in detail, and only when the complete and precise network enumeration is done can she inject malicious updates into it. Thus, the aim of this chapter is to provide guidance on how to set up rogue routers or inject malicious updates into the network using a variety of packet-crafting tools. We will also elaborate on the types of packets to be injected. However, you will have to decide for yourself on the exact content of malicious updates to be sent, on the basis of your specific penetration needs and network enumeration studies.