Defeating OSPF MD5 authentication

Even when MD5/SHA-1 authentication is configured for OSPFv2 (RFC 2328), the routing infrastructure can still be compromised.

Transcript

  • 1. Defeating OSPF with authentication enabled: IPv6 or die
    Francois Ropert, LAN Big One of the year (or not), http://stack.packetfault.org, 2008
    Francois Ropert, Defeating OSPF security mechanisms
  • 2. Part I: OSPF insecurity 101
  • 3. OSPF attacks: state of the art
    Before this paper, OSPF attacks targeted clear-text OSPF message exchanges: insertion, removal and modification of routes.
    Mitigation of those past attacks: OSPF MD5 authentication
      interface Ethernet0
       ip address 192.168.0.101 255.255.255.0
       ip ospf authentication message-digest
       ip ospf message-digest-key 1 md5 GotBlackholeDbyOSPF
    Note: whatever routing protocol is used, authentication of routing updates is not confidentiality (the C in CIA).
  • 4. Part II: OSPF attack
  • 5. OSPF Today Attack: the attack steps
    Disrupt an OSPF router on a switched LAN segment.
    Only OSPF HELLO messages are concerned: LS messages also use sequence-number authentication, but not the same algorithm.
    The packets replayed over the LAN are those sent by other live routers.
    Time-limited attack in the best case (for the victim); no time limit in the worst case.
    The attack blackholes the network.
  • 6. OSPF header and cryptography part
      OSPF Header
        OSPF Version: 2
        Message Type: Hello Packet (1)
        Packet Length: 48
        Source OSPF Router: 192.168.0.100 (192.168.0.100)
        Area ID: 0.0.0.0 (Backbone)
        Auth Type: Cryptographic
        Auth Key ID: 1
        Auth Data Length: 16
        Auth Crypto Sequence Number: 0x2b9542ad
        Auth Data: 038473959C37C62A7B60D1128212B81E
  • 7. OSPF Hello header
      OSPF Hello Packet
        Network Mask: 255.255.255.0
        Hello Interval: 10 seconds
        ...
        Router Dead Interval: 40 seconds
        Designated Router: 192.168.0.101
        Backup Designated Router: 192.168.0.100
        Active Neighbor: 192.168.0.101
    The Auth Data (previous slide) is placed after the Active Neighbors in the Ethernet frame.
  • 8. OSPFv2 HELLO packets
    What is a HELLO packet? "Router is present and ready to receive/send Link State (LS) messages."
    The adjacency needs to be bidirectional before the LS packet exchange can begin.
  • 9. HELLO packets and MD5
    Packets with a higher sequence number are processed.
    Packets with a lower sequence number are discarded (or not).
    The sequence number can't be changed before injecting the packet, because that breaks the authentication data.
    Sequence numbers are circular: they restart at 0 after 2^32, with a step of 4.
    Sequence numbers are reset to 0 on reboot in some OSPF software implementations.
    The sequence check relies on the RID, not on the source IP address, so IP spoofing is useless.
    A replayed packet works everywhere the password and the RID are the same.
  • 10. OSPF adjacency before attack
      192.168.0.101#sh ip ospf neighbor
      Neighbor ID     Pri   State          Dead Time   Address         Interface
      192.168.0.100     1   FULL/DROTHER   00:00:31    192.168.0.100   Ethernet0
      192.168.0.1       1   FULL/DR        00:00:34    192.168.0.1     Ethernet0
  • 11. Breaking an adjacency
    When to break an adjacency? When the Auth crypto sequence number is very high and before rollover.
    It's easy in a lab environment: pull the plug or shut down an interface for at least 40 seconds (default DEAD interval), waiting for the Active Neighbor list to be cleared on the victim's router.
    Be a smart-ass in a production environment: DoS, Cisco IOS HTTP Administrative Interface CSRF Vulnerability, etc.
  • 12. OSPF adjacency after break
    The DEAD time is refreshed each time we send a packet over the wire.
    The router is not flagged DOWN but stuck in INIT.
    A router goes DOWN when Layer 1 is broken; in the attack, Layer 1 is connected and stable, but the router is denied anything else.
    The router will never reach the 2WAY state, which needs to be bidirectional in order to exchange DBD (Database Description) packets.
    This prevents a router from sending LS packets.
      #sh ip ospf neighbor
      Neighbor ID     Pri   State          Dead Time   Address         Interface
      192.168.0.100     1   INIT/DROTHER   00:00:39    192.168.0.100   Ethernet0
      192.168.0.1       1   FULL/DR        00:00:35    192.168.0.1     Ethernet0
  • 13. OSPF adjacency after attack
    When the miscreant is done, the attack stops and the adjacency comes back after the dead interval.
    The OSPF neighbor goes Init => Down => Init => 2-Way => Exstart => Exchange => Loading => Full.
      192.168.0.101#sh ip ospf neighbor
      Neighbor ID     Pri   State          Dead Time   Address         Interface
      192.168.0.100     1   FULL/DROTHER   00:00:38    192.168.0.100   Ethernet0
      192.168.0.1       1   FULL/DR        00:00:36    192.168.0.1     Ethernet0
  • 14. Part III: Impact on the network
  • 15. IP routing table impact
    Routes learned from the victim's router are cleared (192.168.5.0/32).
    Routes learned from other OSPF routers are still in the IP routing table:
      192.168.4.0/30 is subnetted, 1 subnets
      C    192.168.4.0 is directly connected, Loopback2
      192.168.7.0/32 is subnetted, 1 subnets
      O    192.168.7.1 [110/11] via 192.168.0.1, 00:00:45, Ethernet0
      C    192.168.0.0/24 is directly connected, Ethernet0
      192.168.1.0/30 is subnetted, 2 subnets
      C    192.168.1.0 is directly connected, Loopback0
      C    192.168.1.4 is directly connected, Loopback1
    (The 192.168.0.1 router is not under attack, so its route via 192.168.0.1 stays.)
  • 16. OSPF routing domain impact
    OSPF is a tree, not flat: the threat level depends on the OSPF and network design.
    The attacker needs to be located between at least two routers.
    Break a local area router: you break your broadcast domain.
    Break an ABR (Area Border Router): you disrupt the links of the neighbouring areas.
    Break a router in a collapsed core/distribution design: you break more than your LAN.
    The run-of-the-mill ("de base") network consultant prefers EIGRP; growing companies generally migrate from EIGRP to OSPF because of scaling.
    Collateral damage from the attack can lead to a BGP epic FAIL.
  • 17. OSPF routing domain impact (diagram only; no text on this slide)
  • 18. Part IV: Demo
  • 19. Attack mitigation Part V Attack mitigation Francois Ropert Defeating OSPF security mechanisms
  • 20. The poor way Attack mitigation Save the planet Weak workarounds Crap way Change OSPF Router-ID on the interface-level command Router-ID has no relation with a physical or loopback interface it will works until miscreant detect it => MouseCat game #sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.0.100 1 INIT/DROTHER 00:00:39 192.168.0.100 Ethernet0 192.168.5.1 1 FULL/DROTHER 00:00:38 192.168.0.100 Ethernet0 What about frequently changes message-digest-key => Mouse and Cat game Root problem still there Francois Ropert Defeating OSPF security mechanisms
  • 21. The poor way Attack mitigation Save the planet Mitigation techniques No mitigation techniques today offered by the industry Except OSPF version 3 but requirement is .. IPv6 Upgrade or die The design way If customer network is hub and spoke, forget dynamic routing REAL NBMA networks are safe (OSPF HELLO messages can’t be unicast on a switched LAN) Francois Ropert Defeating OSPF security mechanisms
  • 22. The poor way Attack mitigation Save the planet Annexe F. Ropert MISC magazine 44 - OSPF crypto sequence numbers attack D. Bauer research Understanding OSPF and BGP interactions Using Efficient Design http://www.cs.rpi.edu/ bauerd/wsc-2006/PADS06-BGP- OSPF.pdf 2006 IETF rpsec (Routing Protocol Security) group Security discussions part of RFCs about OSPFv2 MD5 and SHA-1 are updated http://www.ietf.org/html.charters/rpsec-charter.html Francois Ropert Defeating OSPF security mechanisms