ATTACKING LINK STATE ROUTING PROTOCOLS

Malicious Route Insertion via OSPF

The aim of this attack is to advertise your routerfor example, a Linux machine with enabled forwarding as an OSPF router with a high amount of bandwidth. While the Cisco implementation of OSPF can support both bandwidth and delay as a metric, usually the bandwidth is taken into account. In such a case, the cost is calculated like so: 10 ⁸ divided by bandwidthbasically referencing the link bandwidth against 100 Mbps. So, for example, the cost of a 10 Mbps link would be 10, and the cost of a 56 Kbps serial link would be 1785.

Of course, as an attacker, you would want to advertise the lowest cost possible, which is 1. The reference bandwidth can be changed with the ospf auto-cost referencebandwidth command under router ospf mode , which comes in very useful on high-speed networks. However, for an attacker it is more straightforward to manipulate the cost on the interface via the ip ospf cost <cost> command.

Figuring the configuration cost in ospfd from the Quagga routing suite is performed exactly the same as it is done on the Cisco router. You can set the cost of the route in the configuration mode of the interface by issuing the command ip ospf cost <165535> .

A sample configuration file for the ospfd daemon from the Quagga routing suite is shown here:

 !      ! Zebra configuration saved from vty      !   2005/08/16 01:22:41      !      hostname legitimate.ospfd      password 8 jhahnGuSsan.g      enable password 8 Cb/yfFsI.abqs      log file /var/log/quagga/ospfd.log      service advanced-vty      service password-encryption      !      !      interface eth0       description DMZ_Network       ip ospf authentication message-digest       ip ospf message-digest-key 1 md5 secret_key      !      interface eth1      !      interface 10      !      interface tun10      !      router ospf       ospf router-id 192.168.20.111       redistribute kernel       redistribute connected       network 192.168.20.0/24 area 0.0.0.0       area 0.0.0.0 authentication message-digest      !      line vty       exec-timeout 30 0      ! 

Once you have successfully joined the OSPF domain, check your logs to ensure that it is so, or issue the show ip opsf command to display the summary of your connection. If successful, you are ready to start injecting the malicious routes:

 legitimate.ospfd# show ip ospf       OSPF Routing Process, Router ID: 192.168.20.111       Supports only single TOS (TOS0) routes       This implementation conforms to RFC2328       RFC1583Compatibility flag is disabled      OpaqueCapability flag is disabled      SPF schedule delay 1 secs, Hold time between two SPFs 1 secs      Refresh timer 10 secs      This router is an ASBR (injecting external routing information)      Number of external LSA 4. Checksum Sum 0x00025f81      Number of opaque AS LSA 0. Checksum Sum 0x00000000      Number of areas attached to this router: 1      Area ID: 0.0.0.0 (Backbone)        Number of interfaces in this area: Total: 1, Active: 1        Number of fully adjacent neighbors in this area: 2        Area has message digest authentication        SPF algorithm executed 29 times        Number of LSA 9        Number of router LSA 4. Checksum Sum 0x00025166        Number of network LSA 1. Checksum Sum 0xffff90fa        Number of summary LSA 2. Checksum Sum 0x000166c2        Number of ASBR summary LSA 2. Checksum Sum 0x00014713        Number of NSSA LSA 0. Checksum Sum 0x00000000        Number of opaque link LSA 0. Checksum Sum 0x00000000        Number of opaque area LSA 0. Checksum Sum 0x00000000 

Make sure you specify the redistribute kernel in the router ospf mode, so that the routes you specify with the ip route command get redistributed. The usual rules apply to enabling forwarding and NATing of the packets. Next , we announce routes to some of the Cisco networks as going through our router by executing the following:

 arhontus / # ip route add 64.100.0.0/14 dev eth0      arhontus / # ip route add 128.107.0.0/16 dev eth0 

In hostile conditions, you would employ tcpdump to see whether the packets start flying through your host. In test lab conditions, we can check that the route has been injected successfully by executing sh ip ospf route on the neighboring router:

 legitimate.ospfd# sh ip ospf route      ============ OSPF external routing table ===========      N E2 64.100.0.0/14         [10/20] tag: 0                                 via 192.168.66.111, eth0     N E2 128.107.0.0/16         [10/20] tag: 0                                 via 192.168.66.111, eth0 

As you have probably guessed, 192.168.66.111 is our rogue OSPF advertising machine.

While it is actually simpler to install and configure Quagga as we have already shown, you can also employ various custom packet generators to emulate the OSPF router workings and insert malicious OSPF HELLOs and updates (or link-state advertisements, LSAs). As of this writing, the situation with custom OSPF packet generation tools is not straightforward. IP Sorcery (or at least its command-line tool, ipmagic ) supports OSPF packet creation, but only partially. The newest version of Nemesis does not have a functional OSPF module, but you can successfully employ the older, separate utility versions of Nemesis:

 arhontus / # ./nemesis-ospf      OSPF Packet Injection -=The NEMESIS Project 1.1      I 1999, 2000 obecian <obecian@celerity.bartoli.org>      OSPF usage:        ./nemesis-ospf [-v] [optlist]      OSPF Packet Types:        -p <OSPF Protocol>        -pH HELLO, -pD DBD, -pL LSR, -pU LSU, -pR LSA (router),        -pN LSA (network), -pM LSA (summary), -pA LSA (AS)      OSPF HELLO options:        -N <Neighbor Router Address>        -i >Dead Router Interval>        -l <OSPF Interval>      OSPF DBD options:        -z <MAX DGRAM Length>        -x <Exchange Type>      OSPF LSU options:        -B <num of LSAs to bcast>      OSPF LSA related options:        -L <router id>        -G <LSA age>      OSPF LSA_RTR options:        -u <LSA_RTR num>        -y <LSA_RTR router type>        -k <LSA_RTR router data>      OSPF LSA_AS_EXT options:        -f <LSA_AS_EXT forward address>        -g <LSA_AS_EXT tag>      OSPF options:        -m <OSPF Metric>        -s <Sequence Number>        -r <Advertising Router Address>        -n >OSPF Netmask>        -O <OSPF Options>        -R <OSPF Router id>        -A <OSPF Area id>        -P <Payload File (Binary or ASCII)>        (-v VERBOSE packet struct to stdout)      IP Options       -S <Source Address>       -D <Destination Address>       -I <IP ID>       -T <IP TTL>       -t <IP/OSPF tos>       -F <IP frag>       -o <IP Options>      Data Link Options:       -d <Ethernet Device>       -H <Source MAC Address>       -M <Destination MAC Address> 

You must define a source, destination, protocol, and its dependent options.

Alternatively, you can employ Spoof to generate OSPF LSA updates. You need to go to the config directory of the tool and edit the defaultLsaHdr.txt or defaultLsa.txt file to reflect the advertised routes.

The process of injection would take several steps:

1. Carefully study the topology of the OSPF network to be attacked . Employ both passive sniffing and active scanning with ass . Don't forget to memorize the autonomous system number.

2. Set one instance of nemesis-ospf to generate HELLO packets.

3. Emulate the OSPF handshake with a separate nemesis-ospf run. This is quite a difficult task that will require some scripting, since the handshake involves a variety of different packets, as shown in Figure 14-4. (In the figure, DDP is Database Descriptor Packets that send summary data to a neighbor for topology databases synchronization. LSR is a Link State Request sent to a neighbor for more detailed information. LSU is a Link State Update sent as a response to such a request. In a single given routing domain, up to five different LSU types can exist, depending on the router's position and role within an OSPF area. Finally, LSACK is an ACK to a successfully received and processed LSU.)

   
   Figure 14-4: OSPF routing domain joining handshake

4. Start injecting malicious link state advertisements of your choice.

Judging by the effort required, you might find it more practical to use a routing software suite for a rogue router attack. Nevertheless, employing a packet generator instead is highly educational and is something to be considered in a routing or network security expert's free time.

Becoming a Designated or Backup Designated OSPF Router

As stated previously, OSPF networks, unless of a really small size , are usually hierarchical by nature. When too many OSPF routers exist on a network, maintaining a full mesh of neighbor interconnections becomes too resource-consuming. Thus, it makes sense to assign one, usually the most powerful router, to maintain adjacencies with the rest of OSPF routers in a routing domain. This router is called a designated router. The presence of a designated router efficiently transforms the topology of a routing domain from full mesh to a star. In case the designated router fails, a backup designated router also exists to pick up its function. Of course, a star topology is extremely vulnerable if the hub router is taken over or a rogue router manages to become the center of the star. Let us consider these possibilities.

First of all, you need to understand how to become a designated router. A designated router is elected using the OSPF HELLO protocol. Two parameters are used: the OSPF priority and the router IP addresses. The election occurs in the following manner:

1. All routers in the same autonomous system and area with the priority higher than zero are listed for the election.

2. The router with the highest priority value (the maximum being 255 on an IOS machine) is elected as a backup designated router.

3. If a designated router does not exist, this backup designated router becomes designated, and the router with the highest priority after the designated box becomes the backup designated router.

4. If there is a priority tie, the router with the highest IP on one of its interfaces becomes the designated router and the router with the next highest IP is named the backup designated router.

Note that some system administrators prefer to select designated and backup designated routers on the IP (so-called "router ID"), rather than on the priority basis. In this case, a common practice is to use loopback interfaces as carriers of such IP addresses. A loopback interface is always there and won't fail, as the actual hardware interfaces sometimes do.

Winning the OSPF elections is not possible if the priority of the designated router is set to 255 and the backup designated router is set to 254. However, quite often this is not the case. Some network administrators prefer simple-to-remember numbers like 100 and 10 or 1 and 2 (with other routers' OSPF priority being 0). Other network administrators like to determine the elections by the IP addresses, as noted. However, this is not a secure practice, since the designated router selection is based on the priority first and then the router ID. Finally, in many cases, the OSPF domain is unfortunately left as it is, so that the elections happen automatically without the administrator's intervention. This is not only a lax security practice, but it may also lead to serious QoS issues, since the least suitable router for the task can become elected as designated.

When all these issues are well understood , winning the OSPF elections is easy. First, study how the current designated router was elected. Was it elected by priority or by IP? What is the priority of both designated and backup designated routers? Then set your rogue router to join the OSPF routing domain, as described in the previous section, and set its priority to the maximum. This is done using the ip ospf priority 255 command in the interface mode on a Cisco router. In the ospfd daemon of Quagga Suite, the command is exactly the same as in Cisco: ip ospf priority <0-255> set in the interface configuration mode.

Does it make sense to become a backup designated router? Imagine that a priority gap exists between the designated and backup designated routersfor example, the priority of the former is 255 and the latter is 250. An attacker can set a rogue router to have a priority value of 254 and attempt a DoS attack against the designated router to take its place. While it is not easy to hang the designated router by consuming its resources with a packet flood, an ARP-based attack, such as using the Isolate plug-in from Ettercap NG, will surely do the job.

OSPF MD5 Hash Cracking Attack

The main protection of the OSPF protocol relies on MD5-based authentication. However, even if the OSPF routing domain is protected by such an authentication mechanism, it may still be possible to crack it.

We would turn again to Cain & Abel in our authentication cracking task. The process is exactly the same as the RIPv2-MD5 cracking process described earlier in this chapter. First, sniff the OSPF packets (Figure 14-5) and send them to the cracking engine of C&A to wait for the password to be bruteforced (Figure 14-6).

Figure 14-5: Sending OSPF MD5 hash for cracking

Figure 14-6: OSPF Md5 hash bruteforcing

Direct Attack Against an OSPF Router: The OoopSPF Exploit

The Phenoelit group , led by FX, discovered a buffer overflow vulnerability in IOS I/O memory buffers. The overflow happens when more than 255 OSPF neighbors are created. Cisco has assigned the bug ID CSCdp58462 to this vulnerability. While IOS versions 11.2, 11.3, and 12.0 all crash when a large number of neighbors is thrown at them via OSPF HELLO packets, the proof-of-concept exploit produced by FX targets specifically Cisco 2503, IOS 11.3(11b) IP only ( c2500-i-l.113-11b.bin system image), and Cisco 2501, IOS 11.3(11a) IP only ( c2500-i-l.113-11a.bin system image). However, it is possible to modify the exploit to include more targets by finding stack return address locations of IOS processes using the IOStack.pl Perl script, kindly provided by Phenoelit at http://www.phenoelit.de/ultimaratio/download.html :

 arhontus / # perl IOStack.pl -d 192.168.66.202 -p ****** -e ****** -r stackdump      ***********************************************************************      IOSSTRING: IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(6),      RELEASE SOFTWARE (fc3)      IMAGE:     flash:c2600-ik9o3s3-mz.123-6.bin      MEMORY:    61440K/4096K      ARRAY:     82A7E210      PID  RECORD       STACK       RETURNA      RETURNV    NAME      <skip>      90   830CFF04     831FCD80    831fcd84     80446D50   OSPF Hello      150  82D290A8     831FFCA0    831ffca4     80446D50   OSPF Router      <skip> 

The exploit itself can be downloaded either from the Phenoelit site or from http://www.downloads.securityfocus.com/vulnerabilities/exploits/OoopSPF.c The successful exploitation leads to being able to write the attached small configuration file into the router's Nonvolatile RAM (NVRAM):

 arhontus / # ./OoopSPF      Phenoelit OoopSPF       Cisco IOS OSPF remote exploit (11.2.-12.0)       (C) 2002/2003 FX of Phenoelit <fx@phenoelit.de>      Usage:      ./OoopSPF -s <src net> -n <src mask> -d <target rtr ip> -f <file> -t <targ#>      Options:      -s <src net>  Use this network as source (as in target config)      -n <src mask> Use this netmask as source (as in target config)      -d <target>   This is the target router interface IP      -f <file>     Use this as the new config for the router      -t #  Use this target value set (see below)      -a <area>     Use this OSPF area      -v  Be verbose (-vv or -vvv recommended)      -D  Directed attack (unicast) for 11.x targets      -T  Test only - don't send      --- barely used options ---      -L #  Number of neighbors to announce (overflow size)      -F #  Start of data (seen reverse to overflow)      -S #  NOP sleet 

See the exploit source code for more details. As you have probably spotted, the exploitation is not straightforward. You need to enumerate the OSPF domain and know the area number. You need to know the model of the router and the version of its IOS with great precision. To make things more difficult, the exploit has to be triggeredfor example, by executing the buffers small perm 0 command on the affected router, as stated in the exploit code. Thus, we do not consider this attack to be a significant threat in the wild. But we never say never.

Which OSPF Router to Attack

Whatever method you employ to break into a router, an appropriate target selection is of paramount importance. An internal area router does not have to know the topology of an outside network: if it does, this is a misconfiguration and a violation of a security policy. Normally, the damage from taking over such a router is confined to its OSPF area. If an Area Border Router (ABR) is taken over, the area is seriously compromised and the attacker has an access to the OSPF backbone (area 0). If an Autonomous System Boundary Router (ASBR) is compromised, the whole OSPF routing domain is in grave danger. In addition, such routers are often the points of routing information redistribution. Thus, an attacker can interfere with operations of other routing protocols, such as BGPv4, just as well. Alas, the ASBRs are most frequently exposed to the external public networks, such as the Internet. And we won't even mention the impact the takeover of a gateway to the outside may have on overall network security.

Possible DoS Attacks Against OSPF

Here we continue to pound the implementation attacks against the OSPF routing protocol. Inserting a rogue router, malicious link state advertisements, and taking over the designated router, on the other hand, can be defined as network design and configuration attacks. The implementation attacks against OSPF related to DoS have appeared in a few literature sources, such as the PhD dissertation of Feiyi Wang ("Vulnerability Analysis, Intrusion Prevention and Detection for Link State Routing Protocols," North Carolina State University, 2000), his "On the Vulnerabilities and Protection of OSPF Routing Protocol" paper with Felix Wu, and a SANS Institute GIAC practical write-up ("Protecting Network Infrastructure at the Protocol Level," http://www.ouah.org/protocol_level.htm, 2000 ) by Curt Wilson. All these sources pinpoint four possible attack vectors, discussed next.

Maximum Age Attack The maximum age parameter of a link-state advertisement (LSA) is an hour . An attacker sends LSA packets with a maximum age set to a target router. The target fights back the unexpected age change by sending back a "refresh" LSA. The attacker continues flooding to exhaust the target router resources and floods the network with junk LSA packets.

LSA Sequence Number Incrementation Attack In this variation of the attack, the cracker pounds the target OSPF router with LSA packets that have a larger LSA sequence number and advertise a more recent route. The target fights back the unexpected sequence change by sending back LSA packets with a larger sequence number. The outcome is similar to the maximum age attack.

Maximum Sequence Number Attack The attacker injects LSA packets with a maximum possible sequence number of 0x7FFFFFFF. Based on this number, all other routers are forced to accept the malicious LSA as more recent and replace the legitimate route by the one advertised by the attacker. When the relevant LSA's true originator router receives the malicious LSA, it should generate a corrected LSA with a sequence number of 0x80000001. Nevertheless, due to an implementation bug, it will not flush the malicious LSA before transmitting the corrected one, which is thus rejected by the other routers in the area as older. The malicious LSA data will remain in the system until it ages out within an hour. This attack is more serious than the two previously described and may even lead well beyond the realm of DoS if the malicious route insertion succeeds.

Bogus LSA Attack This attack exploits an implementation bug in the UNIX gated daemon and will not be reviewed here since it is not relevant to the Cisco world.

To implement these attacks in practice, you first need to join the OSPF routing domain employing a software suite such as Quagga, and then use nemesis-ospf to generate the malicious LSAs described. This is a rare example when a combination of a specialized routing software with a custom packet generator comes in handy.

While the theory behind these attacks is undoubtedly sound, in her brilliant presentation ( http://www.sfs.poly.edu/presentations/Yuliya_sfs_presentation.ppt ), Yuliya Starobinets has tested them using a modified IP Sorcery tool and Zebra routing suite. Her conclusion was that the "fight-back" process is induced, but there is no actual impairment in the network and router's performance. Of course, this doesn't mean that we should not keep tryingfor example, by using different LSA packet rates, router models, and IOS versions.

 c2600(config-router)# area <area-id> authentication message-digest 

 c2600(config-if)#ip ospf authentication message-digest      c2600config-if)#ip ospf message-digest-key <key-id> md5 <secret key> 

 c2600(config-router)#area <area number> filter-list prefix <prefix list      name> in  out 

 c2600(config-router)#area <area number> filter-list prefix <prefix list      name> in  out 

 c2600(config-router)#exit      c2600(config)#ip prefix-list <prefix list name> deny <prefix, e.g. 10.0.0.0/8>      ge <minimum prefix length from 1 to 32> le <maximum prefix length from 1 to 32< 

 c2600(config-if)#ip ospf network non-broadcast