Black Hat: Routers using OSPF open to attacks

OSPF flaw allows attacks against router domains, tapping of information flows

LAS VEGAS -- A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topology and create crippling router loops.

The problem is serious not only because of the damage an attacker might do but also because the protocol, OSPF, is used so pervasively that many networks are vulnerable. Open Shortest Path First (OSPF) is the most popular routing protocol used within the roughly 35,000 autonomous systems into which the Internet is divided.

Typically, large corporations, universities and ISPs run autonomous systems.

The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel's Electronic Warfare Research and Simulation Center, who discovered the problem.

Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but that the exploit would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the extent of the problem, since Cisco dominates the router market.

The flaw lies in the OSPF protocol itself, which allows uncompromised routers to be tricked into propagating false router-table updates known as link state advertisements, or LSAs. The attack is such that the false tables persist over time.

The false tables can be crafted to create router loops, send certain traffic to particular destinations or snarl a network by making victim routers send traffic along routes that don't exist in the actual network topology, he says.

The attack requires that one router on the network is compromised. “[T]he true novelty of the attacks are their ability to falsify the routing advertisements of other routers which are not controlled by the attacker while still not triggering the fight-back mechanism by those routers,” Nakibly says in an email.

He and his team initiated the attack from a phantom router connected to their test network – in this case a laptop.

The phantom router sends to the victim router a spoofed LSA that appears to be the last one the victim router sent out. The spoofed LSA is accepted as legitimate because it has been crafted to have the appropriate LSA sequence number, checksum and age – the three things OSPF checks to determine the legitimacy of LSAs.

At the same time the phantom sends to a second router on the network an LSA that looks like it came from the victim router. The LSA is tagged with the sequence number that will be assigned to the next LSA that the victim router sends out.

Meanwhile, the victim router rejects the spoofed LSA from the phantom router and sends out a fight-back LSA, which is a copy of its last legitimate LSA.

When the fight-back LSA reaches the second router, it appears identical to the disguised LSA the second router just received from the phantom router. This is because the fight-back LSA and the disguised LSA have identical sequence numbers, checksums and ages.

The second router rejects the fight-back LSA (which contains legitimate route tables) and refloods the network with the disguised LSA (which contains attacker-crafted tables) it received earlier from the phantom router. The net result is the second router generates a false LSA that other routers accept as genuine.
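The duplicate check that lets the disguised LSA win can be seen from a defender's monitoring position. The following is an added example, not code from the article or from Nakibly's research: it applies the instance comparison from RFC 2328 section 13.1 (sequence number, checksum, age) to LSAs recorded by a hypothetical passive monitor and flags pairs the protocol treats as the same instance even though their contents differ. The `LSA` record, its field names, the addresses and all sample values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

MAX_AGE, MAX_AGE_DIFF = 3600, 900  # RFC 2328 constants, in seconds

@dataclass(frozen=True)
class LSA:                 # hypothetical record kept by a passive monitor
    adv_router: str        # advertising router ID from the LSA header
    ls_id: str             # link state ID
    ls_type: int           # 1 = router LSA
    seq: int               # LS sequence number (signed 32-bit value)
    checksum: int          # LS checksum field as received
    age: int               # LS age in seconds
    body: bytes            # contents following the 20-byte header
    seen_from: str         # neighbor that delivered this copy

def compare_instances(a, b):
    """RFC 2328 sec. 13.1: 1 if a is newer, -1 if b is newer, 0 if same instance."""
    if a.seq != b.seq:
        return 1 if a.seq > b.seq else -1
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return 1 if a.age == MAX_AGE else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return 1 if a.age < b.age else -1
    return 0  # routers treat these as duplicates without comparing contents

def find_conflicting_instances(lsas):
    """Return pairs that OSPF considers identical but whose bodies differ."""
    seen, alerts = {}, []
    for lsa in lsas:
        key = (lsa.ls_type, lsa.ls_id, lsa.adv_router)
        digest = hashlib.sha256(lsa.body).hexdigest()
        for prev, prev_digest in seen.get(key, []):
            if compare_instances(prev, lsa) == 0 and prev_digest != digest:
                alerts.append((prev, lsa))
        seen.setdefault(key, []).append((lsa, digest))
    return alerts

SAMPLE = [  # constructed monitor records, not real capture data
    LSA("10.0.0.1", "10.0.0.1", 1, 0x2A, 0x3F1C, 1, b"links: 10.0.0.2, 10.0.0.3", "10.0.0.9"),
    LSA("10.0.0.1", "10.0.0.1", 1, 0x2A, 0x3F1C, 2, b"links: 10.0.0.2, 10.0.0.4", "10.0.0.1"),
    LSA("10.0.0.2", "10.0.0.2", 1, 0x11, 0x77A0, 5, b"links: 10.0.0.1", "10.0.0.2"),
    LSA("10.0.0.2", "10.0.0.2", 1, 0x11, 0x77A0, 9, b"links: 10.0.0.1", "10.0.0.3"),
]

for old, new in find_conflicting_instances(SAMPLE):
    print(f"ALERT {old.adv_router}: seq {old.seq:#x} seen with two bodies "
          f"(via {old.seen_from} and {new.seen_from})")
```

The last two sample records are an ordinary flooded duplicate (same instance, same contents) and raise no alert; only the first pair, where contents differ under matching header fields, is flagged.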

Because OSPF sends out LSAs every half hour, the attack must be relaunched every half hour so the false tables persist.

To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network. Designated routers store complete topology tables for the network, and they multicast updates to the other routers.

Nakibly introduced a second attack that is not as effective, but similarly takes advantage of a vulnerability in the OSPF specification.


Copyright © 2011 IDG Communications, Inc.
