This section is about OSPF. We have never encountered an Intermediate SystemIntermediate System (IS-IS) attack in the real world, but that doesn't mean it is impossible (we didn't have an opportunity to play with this protocol a lot). As for non-IP protocols, such as the Novell Link State Protocol (NLSP), we do not consider them in this book since the majority of readers are not likely to encounter them on modern networks.
Similar to EIGRP, link state routing protocols do not propagate the whole routing table; they tell about only the local router connections instead. The information about these connections from the whole routing domain builds up the topology map of the network. In OSPF, this database can be viewed with a show ip ospf database command; the information about a router's OSPF neighbors can be obtained with show ip ospf neighbor detail . A routing table is built from this topology map by running a specific algorithm against it (in the case of OSPF, it is the Dijkstra algorithm, named after a famous Hungarian mathematician ). The metric used to select appropriate routes is stated as cost; this metric is usually the bandwidth of the individual link. This uncovers the secret behind the IOS interface mode bandwidth command: It does not set an actual bandwidth at the interface; rather, it tells the value of the interface bandwidth to be used by a routing protocol. By manipulating this value on a hacked or rogue router, an attacker can direct network traffic toward such a router.
Link state routing protocols are more difficult to attack than their distance-vector relatives because of their complexity, influenced by the following factors:
Neighbor discovery via HELLO protocol. To join the routing domain, a rogue router must use or emulate HELLO packets to be accepted.
The presence of routing hierarchy, such as OSPF areas. These areas and whether a packet will pass between them must be taken into account when injecting malicious updates. On the other hand, the presence of a designated router, the main router for a given area, opens up another avenue for an attack.
While we will consider the examples of malicious updates injections with packet generators, the best way to go about attacking these protocols is either by taking over and reconfiguring a legitimate router or via installing and configuring a full-blown routing software suite such as Quagga.
The aim of this attack is to advertise your routerfor example, a Linux machine with enabled forwarding as an OSPF router with a high amount of bandwidth. While the Cisco implementation of OSPF can support both bandwidth and delay as a metric, usually the bandwidth is taken into account. In such a case, the cost is calculated like so: 10 8 divided by bandwidthbasically referencing the link bandwidth against 100 Mbps. So, for example, the cost of a 10 Mbps link would be 10, and the cost of a 56 Kbps serial link would be 1785.
Of course, as an attacker, you would want to advertise the lowest cost possible, which is 1. The reference bandwidth can be changed with the ospf auto-cost referencebandwidth command under router ospf mode , which comes in very useful on high-speed networks. However, for an attacker it is more straightforward to manipulate the cost on the interface via the ip ospf cost <cost> command.
Figuring the configuration cost in ospfd from the Quagga routing suite is performed exactly the same as it is done on the Cisco router. You can set the cost of the route in the configuration mode of the interface by issuing the command ip ospf cost <165535> .
A sample configuration file for the ospfd daemon from the Quagga routing suite is shown here:
! ! Zebra configuration saved from vty ! 2005/08/16 01:22:41 ! hostname legitimate.ospfd password 8 jhahnGuSsan.g enable password 8 Cb/yfFsI.abqs log file /var/log/quagga/ospfd.log service advanced-vty service password-encryption ! ! interface eth0 description DMZ_Network ip ospf authentication message-digest ip ospf message-digest-key 1 md5 secret_key ! interface eth1 ! interface 10 ! interface tun10 ! router ospf ospf router-id 192.168.20.111 redistribute kernel redistribute connected network 192.168.20.0/24 area 0.0.0.0 area 0.0.0.0 authentication message-digest ! line vty exec-timeout 30 0 !
Once you have successfully joined the OSPF domain, check your logs to ensure that it is so, or issue the show ip opsf command to display the summary of your connection. If successful, you are ready to start injecting the malicious routes:
legitimate.ospfd# show ip ospf OSPF Routing Process, Router ID: 192.168.20.111 Supports only single TOS (TOS0) routes This implementation conforms to RFC2328 RFC1583Compatibility flag is disabled OpaqueCapability flag is disabled SPF schedule delay 1 secs, Hold time between two SPFs 1 secs Refresh timer 10 secs This router is an ASBR (injecting external routing information) Number of external LSA 4. Checksum Sum 0x00025f81 Number of opaque AS LSA 0. Checksum Sum 0x00000000 Number of areas attached to this router: 1 Area ID: 0.0.0.0 (Backbone) Number of interfaces in this area: Total: 1, Active: 1 Number of fully adjacent neighbors in this area: 2 Area has message digest authentication SPF algorithm executed 29 times Number of LSA 9 Number of router LSA 4. Checksum Sum 0x00025166 Number of network LSA 1. Checksum Sum 0xffff90fa Number of summary LSA 2. Checksum Sum 0x000166c2 Number of ASBR summary LSA 2. Checksum Sum 0x00014713 Number of NSSA LSA 0. Checksum Sum 0x00000000 Number of opaque link LSA 0. Checksum Sum 0x00000000 Number of opaque area LSA 0. Checksum Sum 0x00000000
Make sure you specify the redistribute kernel in the router ospf mode, so that the routes you specify with the ip route command get redistributed. The usual rules apply to enabling forwarding and NATing of the packets. Next , we announce routes to some of the Cisco networks as going through our router by executing the following:
arhontus / # ip route add 184.108.40.206/14 dev eth0 arhontus / # ip route add 220.127.116.11/16 dev eth0
In hostile conditions, you would employ tcpdump to see whether the packets start flying through your host. In test lab conditions, we can check that the route has been injected successfully by executing sh ip ospf route on the neighboring router:
legitimate.ospfd# sh ip ospf route ============ OSPF external routing table =========== N E2 18.104.22.168/14 [10/20] tag: 0 via 192.168.66.111, eth0 N E2 22.214.171.124/16 [10/20] tag: 0 via 192.168.66.111, eth0
As you have probably guessed, 192.168.66.111 is our rogue OSPF advertising machine.
While it is actually simpler to install and configure Quagga as we have already shown, you can also employ various custom packet generators to emulate the OSPF router workings and insert malicious OSPF HELLOs and updates (or link-state advertisements, LSAs). As of this writing, the situation with custom OSPF packet generation tools is not straightforward. IP Sorcery (or at least its command-line tool, ipmagic ) supports OSPF packet creation, but only partially. The newest version of Nemesis does not have a functional OSPF module, but you can successfully employ the older, separate utility versions of Nemesis:
arhontus / # ./nemesis-ospf OSPF Packet Injection -=The NEMESIS Project 1.1 I 1999, 2000 obecian <firstname.lastname@example.org> OSPF usage: ./nemesis-ospf [-v] [optlist] OSPF Packet Types: -p <OSPF Protocol> -pH HELLO, -pD DBD, -pL LSR, -pU LSU, -pR LSA (router), -pN LSA (network), -pM LSA (summary), -pA LSA (AS) OSPF HELLO options: -N <Neighbor Router Address> -i >Dead Router Interval> -l <OSPF Interval> OSPF DBD options: -z <MAX DGRAM Length> -x <Exchange Type> OSPF LSU options: -B <num of LSAs to bcast> OSPF LSA related options: -L <router id> -G <LSA age> OSPF LSA_RTR options: -u <LSA_RTR num> -y <LSA_RTR router type> -k <LSA_RTR router data> OSPF LSA_AS_EXT options: -f <LSA_AS_EXT forward address> -g <LSA_AS_EXT tag> OSPF options: -m <OSPF Metric> -s <Sequence Number> -r <Advertising Router Address> -n >OSPF Netmask> -O <OSPF Options> -R <OSPF Router id> -A <OSPF Area id> -P <Payload File (Binary or ASCII)> (-v VERBOSE packet struct to stdout) IP Options -S <Source Address> -D <Destination Address> -I <IP ID> -T <IP TTL> -t <IP/OSPF tos> -F <IP frag> -o <IP Options> Data Link Options: -d <Ethernet Device> -H <Source MAC Address> -M <Destination MAC Address>
You must define a source, destination, protocol, and its dependent options.
Alternatively, you can employ Spoof to generate OSPF LSA updates. You need to go to the config directory of the tool and edit the defaultLsaHdr.txt or defaultLsa.txt file to reflect the advertised routes.
The process of injection would take several steps:
Carefully study the topology of the OSPF network to be attacked . Employ both passive sniffing and active scanning with ass . Don't forget to memorize the autonomous system number.
Set one instance of nemesis-ospf to generate HELLO packets.
Emulate the OSPF handshake with a separate nemesis-ospf run. This is quite a difficult task that will require some scripting, since the handshake involves a variety of different packets, as shown in Figure 14-4. (In the figure, DDP is Database Descriptor Packets that send summary data to a neighbor for topology databases synchronization. LSR is a Link State Request sent to a neighbor for more detailed information. LSU is a Link State Update sent as a response to such a request. In a single given routing domain, up to five different LSU types can exist, depending on the router's position and role within an OSPF area. Finally, LSACK is an ACK to a successfully received and processed LSU.)
Figure 14-4: OSPF routing domain joining handshake
Start injecting malicious link state advertisements of your choice.
Judging by the effort required, you might find it more practical to use a routing software suite for a rogue router attack. Nevertheless, employing a packet generator instead is highly educational and is something to be considered in a routing or network security expert's free time.
As stated previously, OSPF networks, unless of a really small size , are usually hierarchical by nature. When too many OSPF routers exist on a network, maintaining a full mesh of neighbor interconnections becomes too resource-consuming. Thus, it makes sense to assign one, usually the most powerful router, to maintain adjacencies with the rest of OSPF routers in a routing domain. This router is called a designated router. The presence of a designated router efficiently transforms the topology of a routing domain from full mesh to a star. In case the designated router fails, a backup designated router also exists to pick up its function. Of course, a star topology is extremely vulnerable if the hub router is taken over or a rogue router manages to become the center of the star. Let us consider these possibilities.
First of all, you need to understand how to become a designated router. A designated router is elected using the OSPF HELLO protocol. Two parameters are used: the OSPF priority and the router IP addresses. The election occurs in the following manner:
All routers in the same autonomous system and area with the priority higher than zero are listed for the election.
The router with the highest priority value (the maximum being 255 on an IOS machine) is elected as a backup designated router.
If a designated router does not exist, this backup designated router becomes designated, and the router with the highest priority after the designated box becomes the backup designated router.
If there is a priority tie, the router with the highest IP on one of its interfaces becomes the designated router and the router with the next highest IP is named the backup designated router.
Note that some system administrators prefer to select designated and backup designated routers on the IP (so-called "router ID"), rather than on the priority basis. In this case, a common practice is to use loopback interfaces as carriers of such IP addresses. A loopback interface is always there and won't fail, as the actual hardware interfaces sometimes do.
Winning the OSPF elections is not possible if the priority of the designated router is set to 255 and the backup designated router is set to 254. However, quite often this is not the case. Some network administrators prefer simple-to-remember numbers like 100 and 10 or 1 and 2 (with other routers' OSPF priority being 0). Other network administrators like to determine the elections by the IP addresses, as noted. However, this is not a secure practice, since the designated router selection is based on the priority first and then the router ID. Finally, in many cases, the OSPF domain is unfortunately left as it is, so that the elections happen automatically without the administrator's intervention. This is not only a lax security practice, but it may also lead to serious QoS issues, since the least suitable router for the task can become elected as designated.
When all these issues are well understood , winning the OSPF elections is easy. First, study how the current designated router was elected. Was it elected by priority or by IP? What is the priority of both designated and backup designated routers? Then set your rogue router to join the OSPF routing domain, as described in the previous section, and set its priority to the maximum. This is done using the ip ospf priority 255 command in the interface mode on a Cisco router. In the ospfd daemon of Quagga Suite, the command is exactly the same as in Cisco: ip ospf priority <0-255> set in the interface configuration mode.
Does it make sense to become a backup designated router? Imagine that a priority gap exists between the designated and backup designated routersfor example, the priority of the former is 255 and the latter is 250. An attacker can set a rogue router to have a priority value of 254 and attempt a DoS attack against the designated router to take its place. While it is not easy to hang the designated router by consuming its resources with a packet flood, an ARP-based attack, such as using the Isolate plug-in from Ettercap NG, will surely do the job.
The main protection of the OSPF protocol relies on MD5-based authentication. However, even if the OSPF routing domain is protected by such an authentication mechanism, it may still be possible to crack it.
We would turn again to Cain & Abel in our authentication cracking task. The process is exactly the same as the RIPv2-MD5 cracking process described earlier in this chapter. First, sniff the OSPF packets (Figure 14-5) and send them to the cracking engine of C&A to wait for the password to be bruteforced (Figure 14-6).
The Phenoelit group , led by FX, discovered a buffer overflow vulnerability in IOS I/O memory buffers. The overflow happens when more than 255 OSPF neighbors are created. Cisco has assigned the bug ID CSCdp58462 to this vulnerability. While IOS versions 11.2, 11.3, and 12.0 all crash when a large number of neighbors is thrown at them via OSPF HELLO packets, the proof-of-concept exploit produced by FX targets specifically Cisco 2503, IOS 11.3(11b) IP only ( c2500-i-l.113-11b.bin system image), and Cisco 2501, IOS 11.3(11a) IP only ( c2500-i-l.113-11a.bin system image). However, it is possible to modify the exploit to include more targets by finding stack return address locations of IOS processes using the IOStack.pl Perl script, kindly provided by Phenoelit at http://www.phenoelit.de/ultimaratio/download.html :
arhontus / # perl IOStack.pl -d 192.168.66.202 -p ****** -e ****** -r stackdump *********************************************************************** IOSSTRING: IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(6), RELEASE SOFTWARE (fc3) IMAGE: flash:c2600-ik9o3s3-mz.123-6.bin MEMORY: 61440K/4096K ARRAY: 82A7E210 PID RECORD STACK RETURNA RETURNV NAME <skip> 90 830CFF04 831FCD80 831fcd84 80446D50 OSPF Hello 150 82D290A8 831FFCA0 831ffca4 80446D50 OSPF Router <skip>
The exploit itself can be downloaded either from the Phenoelit site or from http://www.downloads.securityfocus.com/vulnerabilities/exploits/OoopSPF.c The successful exploitation leads to being able to write the attached small configuration file into the router's Nonvolatile RAM (NVRAM):
arhontus / # ./OoopSPF Phenoelit OoopSPF Cisco IOS OSPF remote exploit (11.2.-12.0) (C) 2002/2003 FX of Phenoelit <email@example.com> Usage: ./OoopSPF -s <src net> -n <src mask> -d <target rtr ip> -f <file> -t <targ#> Options: -s <src net> Use this network as source (as in target config) -n <src mask> Use this netmask as source (as in target config) -d <target> This is the target router interface IP -f <file> Use this as the new config for the router -t # Use this target value set (see below) -a <area> Use this OSPF area -v Be verbose (-vv or -vvv recommended) -D Directed attack (unicast) for 11.x targets -T Test only - don't send --- barely used options --- -L # Number of neighbors to announce (overflow size) -F # Start of data (seen reverse to overflow) -S # NOP sleet
See the exploit source code for more details. As you have probably spotted, the exploitation is not straightforward. You need to enumerate the OSPF domain and know the area number. You need to know the model of the router and the version of its IOS with great precision. To make things more difficult, the exploit has to be triggeredfor example, by executing the buffers small perm 0 command on the affected router, as stated in the exploit code. Thus, we do not consider this attack to be a significant threat in the wild. But we never say never.
Whatever method you employ to break into a router, an appropriate target selection is of paramount importance. An internal area router does not have to know the topology of an outside network: if it does, this is a misconfiguration and a violation of a security policy. Normally, the damage from taking over such a router is confined to its OSPF area. If an Area Border Router (ABR) is taken over, the area is seriously compromised and the attacker has an access to the OSPF backbone (area 0). If an Autonomous System Boundary Router (ASBR) is compromised, the whole OSPF routing domain is in grave danger. In addition, such routers are often the points of routing information redistribution. Thus, an attacker can interfere with operations of other routing protocols, such as BGPv4, just as well. Alas, the ASBRs are most frequently exposed to the external public networks, such as the Internet. And we won't even mention the impact the takeover of a gateway to the outside may have on overall network security.
Here we continue to pound the implementation attacks against the OSPF routing protocol. Inserting a rogue router, malicious link state advertisements, and taking over the designated router, on the other hand, can be defined as network design and configuration attacks. The implementation attacks against OSPF related to DoS have appeared in a few literature sources, such as the PhD dissertation of Feiyi Wang ("Vulnerability Analysis, Intrusion Prevention and Detection for Link State Routing Protocols," North Carolina State University, 2000), his "On the Vulnerabilities and Protection of OSPF Routing Protocol" paper with Felix Wu, and a SANS Institute GIAC practical write-up ("Protecting Network Infrastructure at the Protocol Level," http://www.ouah.org/protocol_level.htm, 2000 ) by Curt Wilson. All these sources pinpoint four possible attack vectors, discussed next.
Maximum Age Attack The maximum age parameter of a link-state advertisement (LSA) is an hour . An attacker sends LSA packets with a maximum age set to a target router. The target fights back the unexpected age change by sending back a "refresh" LSA. The attacker continues flooding to exhaust the target router resources and floods the network with junk LSA packets.
LSA Sequence Number Incrementation Attack In this variation of the attack, the cracker pounds the target OSPF router with LSA packets that have a larger LSA sequence number and advertise a more recent route. The target fights back the unexpected sequence change by sending back LSA packets with a larger sequence number. The outcome is similar to the maximum age attack.
Maximum Sequence Number Attack The attacker injects LSA packets with a maximum possible sequence number of 0x7FFFFFFF. Based on this number, all other routers are forced to accept the malicious LSA as more recent and replace the legitimate route by the one advertised by the attacker. When the relevant LSA's true originator router receives the malicious LSA, it should generate a corrected LSA with a sequence number of 0x80000001. Nevertheless, due to an implementation bug, it will not flush the malicious LSA before transmitting the corrected one, which is thus rejected by the other routers in the area as older. The malicious LSA data will remain in the system until it ages out within an hour. This attack is more serious than the two previously described and may even lead well beyond the realm of DoS if the malicious route insertion succeeds.
Bogus LSA Attack This attack exploits an implementation bug in the UNIX gated daemon and will not be reviewed here since it is not relevant to the Cisco world.
To implement these attacks in practice, you first need to join the OSPF routing domain employing a software suite such as Quagga, and then use nemesis-ospf to generate the malicious LSAs described. This is a rare example when a combination of a specialized routing software with a custom packet generator comes in handy.
While the theory behind these attacks is undoubtedly sound, in her brilliant presentation ( http://www.sfs.poly.edu/presentations/Yuliya_sfs_presentation.ppt ), Yuliya Starobinets has tested them using a modified IP Sorcery tool and Zebra routing suite. Her conclusion was that the "fight-back" process is induced, but there is no actual impairment in the network and router's performance. Of course, this doesn't mean that we should not keep tryingfor example, by using different LSA packet rates, router models, and IOS versions.
A variety of means can help the OSPF routing domain to withstand the attacks described. The main one is the MD5-based OSPF packets authentication. (Just make sure that the shared key is not easy to guess!) Enabling it is easy. First, in the router OSPF mode, enter this:
c2600(config-router)# area <area-id> authentication message-digest
Then go to all interfaces involved in the OSPF routing and enter this:
c2600(config-if)#ip ospf authentication message-digest c2600config-if)#ip ospf message-digest-key <key-id> md5 <secret key>
There is no need to create a separate keychain, as the key is entered in the interface mode.
Of course, it is possible to remove the interface from the routing domain, similar to the case of EIGRP, with a passive-interface command. You can also filter all outgoing LSAs from an OSPF interface with the ip ospf database-filter all out command in the interface configuration mode. Thus, the interface will receive the LSAs but will not propagate them. This doesn't have to be that global: with the neighbor <ip-address> database-filter all out command, a network administrator can stop LSA propagation from the selected interface to a specific neighbor whose IP is supplied within the command. Unlike ip ospf database-filter all out , this command must be entered in a router OSPF ( config-router ) and not the specific interface mode.
For more control granularity, usual distribute lists can be used to restrict the undesirable routes propagation in or out of the routerfor example, the command distribute-list 1 out ospf 10 will filter outgoing OSPF routes in accordance with the standard access list 1 for the OSPF process 10. An OSPF-specific feature, introduced in IOS version 12.0(15)S and fully integrated into IOS 12.2(4)T, is area filter lists, capable of filtering network prefixes from (type 3) LSAs exchanged between ABRs. It is possible to filter both networks advertised from and to the selected area. The syntax of area filter lists configuration is as follows :
c2600(config-router)#area <area number> filter-list prefix <prefix list name> in out
Then a prefix list has to be created in a general router configuration modehere's an example:
c2600(config-router)#area <area number> filter-list prefix <prefix list name> in out
Then a prefix list has to be created in a general router configuration modehere's an example:
c2600(config-router)#exit c2600(config)#ip prefix-list <prefix list name> deny <prefix, e.g. 10.0.0.0/8> ge <minimum prefix length from 1 to 32> le <maximum prefix length from 1 to 32<
Surely the permit statement can be used as well, and the entries in the whole prefix list can follow predetermined sequence numbers, if configured to do so with the ip prefix-list sequence-number command. The latter allows deleting separate permit or deny lines without destroying the whole prefix list, thus making the network administrator's life much easier.
You can find more about OSPF ABR filters at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftabrt3f.htm .
You can do more to protect your OSPF routing domain. The OSPF protocol can be configured to work on nonbroadcast media, such as frame relay and point-to-point leased lines. However, the nonbroadcast configuration can be also applied to multipoint environments, such as Ethernet and 802.11, for security reasons. By default, OSPF packets are sent to multicast addresses 126.96.36.199 (all OSPF routers) and 188.8.131.52 (designated OSPF routers). This means that unless the switches into which the OSPF routers are plugged are configured for selective multicast traffic propagation (for example, by using Cisco CGMP protocol), the OSPF packets can be sniffed by anyone , even across VLANs. However, if nonbroadcast OSPF routing is configured, the OSPF data will be exchanged between unicast addresses of selected neighbors only, which has obvious security benefits. Such configuration is done on a per-interface basis:
c2600(config-if)#ip ospf network non-broadcast
Then go to the OSPF process configuration prompt and add the participating routers using the neighbor <neighbor IP address> command.
Finally, in a stable OSPF network topology and on all IOS versions starting with 12.1(2)T, unnecessary LSA flooding across the routing domain can be significantly reduced by employing the ip ospf flood-reduction command in the interface configuration mode. To monitor whether an OSPF neighbor goes down or a new suspicious OSPF router appears on the network, enter the log- adjacency -changes command in the router-config mode. If this option is configured, the router will send a syslog message every time an OSPF neighbor goes up or down. And don't forget to set your designated and backup designated routers via the interface ip ospf priority 255 and ip ospf priority 254 commands, so that attackers cannot claim these roles using a rogue host.
All these countermeasures applied in concert can make life for an OSPF cracker more difficult and complicated.