Your SlideShare is downloading. ×
  • Like
Router and Routing Protocol Attacks
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Router and Routing Protocol Attacks

  • 1,883 views
Published

 

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,883
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
49
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Router and Routing Protocol Attacks Balwant Rathore, CISSP02/17/13 Mahindra British Telecom Ltd. 1
  • 2. Agenda  Overview of Routing Protocols  Router Security Common Issues  Routing Protocol Attacks  Cisco Discovery Protocol (CDP) Attacks  Autonomous System Scanning  Routing Information Protocol (RIP) AttackS  Open Shortest Path First (OSPF) Attacks  Border Gateway Protocol (BGP) AttackS02/17/13 Mahindra British Telecom Ltd. 2
  • 3. Introduction  What are routing Protocols  Protocols that are used by routers  To communicate with each other  To determine appropriate path over which data can be transmitted  To make dynamic adjustment to its conditions  Many improvements on host security  Core technology still uses unauthenticated services02/17/13 Mahindra British Telecom Ltd. 3
  • 4. Router security common issues  Missconfigurations  IP Packet Handling bugs  SNMP community string  Weak password or weak password encryption  DoS because to malformed packets  Above mentioned attacks are commonly known  If attacked with routing protocol impact is very high  Any NIDS can detect most of them02/17/13 Mahindra British Telecom Ltd. 4
  • 5. Safeguard  Up to date patching  Strong SNMP communitystring  Strong encryption  Proper ingress/egress implementation  Proper management implementation  Encrypted Sessions  Strong Passwords  Run on Non standard ports  Route Filtering02/17/13 Mahindra British Telecom Ltd. 5
  • 6. Routing Protocol Attacks  Cisco Discovery Protocol (CDP) Attacks  Autonomous System Scanning  Routing Information Protocol (RIP) Attack  Open Shortest Path First (OSPF) Attacks  Border Gateway Protocol (BGP) Attacks02/17/13 Mahindra British Telecom Ltd. 6
  • 7. Cisco Discovery Protocol (CDP) overview  Layer 2 Protocol  Used to find out Cisco routers  Protocol is not routed  Sent periodically to multicast address [01:00:0C:CC:CC:CC]  So limited only for local segment  The default period is 60 second  Implemented in every Cisco device02/17/13 Mahindra British Telecom Ltd. 7
  • 8. Cisco Discovery Protocol (CDP) overview  Contain information about sending router/s  Host Name  Connected Port  Running Platform  Version  show cdp neighbors [type number] [detail]02/17/13 Mahindra British Telecom Ltd. 8
  • 9. Cisco Discovery Protocol (CDP) Attack  Phenoelit IRPAS  Download from http://www. phenoelit.de/irpas/download.html  This suit contains interesting tools cdp, igrp, irdp, irdpresponder, ass, hsrp02/17/13 Mahindra British Telecom Ltd. 9
  • 10. Cisco Discovery Protocol (CDP) Attack  IRPAS CDP  Operates in two modes: Flood and Spoof  Flood mode  Send garbase cdp messages  IOS 11.1.(1) was rebooted after sending long device ID  Later version store the messages and fill the memory  While debugging these message most IOS will reboot02/17/13 Mahindra British Telecom Ltd. 10
  • 11. Cisco Discovery Protocol (CDP) Attack  Smart way to perform this attack  Run two processes of IRPAS CDP  Send 1480 kb message to fill up the major part of memory  Send another message to fill length of 10 octet  Spoof mode  Targeted for social engineering or to confuse administrator  You can give proof of concept 02/17/13 Mahindra British Telecom Ltd. 11
  • 12. Safeguards  Disable CDP if not required  no cdp run: disables CDP globally  no cdp enable: disables CDP on an interface (interface command)  Highly recommended to disable at Border Routers/Switches etc…02/17/13 Mahindra British Telecom Ltd. 12
  • 13. Autonomous System Scanning  Used to find AS of routers  IRPAS’s ASS supports IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF  Operates in Active and Passive mode  Passive mode: Listens to routing protocol packets  Active mode: Discover routers asking for information  You can scan range of AS$  Spoofed IP can be used02/17/13 Mahindra British Telecom Ltd. 13
  • 14. Routing Information Protocol (RIP v1) Overview  Routing Decisions are based on number of hops  Works only within a AS  Supports only 15 hops  Not good for large networks  RIP v1 communicates only it’s own information  RIP v1 has no authentication.  Can’t carry subnet mask so applies default subnet mask.02/17/13 Mahindra British Telecom Ltd. 14
  • 15. Routing Information Protocol (RIP v2) Overview  It can communicate other router information  RIP v2 supports authentication upto 16 char password  It can carry subnet information.  Doors are open to attackers by providing authentication in clear text.02/17/13 Mahindra British Telecom Ltd. 15
  • 16. Routing Information Protocol (RIP) Attack  Identify RIP Router by performing a Scan nmap –v –sU –p 520  Determine Routing Table  If you are on same physical segment, sniff it  If remote: rprobe + sniff  Add a route using srip to redirect traffic to your system  Now you knows where to send it. 02/17/13 Mahindra British Telecom Ltd. 16
  • 17. Safeguards  Disable RIP use OSPF, security is always better  Restrict TCP/UDP 520 packets at border router02/17/13 Mahindra British Telecom Ltd. 17
  • 18. Open Shortest Path First (OSPF) Attack  OSPF is a Dynamic Link State Routing Protocol  Keeps map of entire network and choose shortest path  Update neighbors using LSAs messages  Hello packets are generated every 10 second and sent to 224.0.0.5  Uses protocol type 8902/17/13 Mahindra British Telecom Ltd. 18
  • 19. Open Shortest Path First (OSPF) Attack  Identify target: scan for proto 89  JiNao team has identified four ospf attacks http://152.45.4.41/projects/JiNao/JiN ao.html  Max Age attack  Sequence++ attack  Max Sequence attack  Bogus LSA attack02/17/13 Mahindra British Telecom Ltd. 19
  • 20. Open Shortest Path First (OSPF) Attack  nemiss-ospf can be used to perform ospf attacks  Tuff to use coz of the complexity OSPF  Good for skilled N/W admin  Some time doesn’t work properly02/17/13 Mahindra British Telecom Ltd. 20
  • 21. Safeguards  Do not use Dynamic Routing on hosts wherever not required  Implement MD5 authentication  You need to deal with key expiration, changeover and coordination across routers02/17/13 Mahindra British Telecom Ltd. 21
  • 22. Border Gateway Protocol (BGP) overview  Allows interdomain routing between two ASs  Guarantees the loop-free exchange  Only routing protocol which works on TCP (179)  Routing information is exchanged after connection establishment.02/17/13 Mahindra British Telecom Ltd. 22
  • 23. Border Gateway Protocol (BGP) Attacks  Large network backbone gives special attention on it’s security  Medium size networks are easier target  Packet Injection Vulnerabilities are specially dangerous coz flapping penalties02/17/13 Mahindra British Telecom Ltd. 23
  • 24. Border Gateway Protocol (BGP) Attacks  Identify BGP Router  It has many problem same as TCP  SYN Flood  Sequence number prediction  DOS  Possible advertisement of bad routes02/17/13 Mahindra British Telecom Ltd. 24
  • 25. References  Router Exploits www.antionline.com http://anticode.antionline.com/download.ph p?dcategory=router-exploits&sortby=  http://www.packetninja.net/.  http://www.phenoelit.de/irpas/  RIP Spoofing http://www.technotronic.com/horizon/ripa r.txt.02/17/13 Mahindra British Telecom Ltd. 25
  • 26. Questions ?02/17/13 Mahindra British Telecom Ltd. 26
  • 27. Thank you for you time !02/17/13 Mahindra British Telecom Ltd. 27