How to take advantage of routing protocols - BSidesVienna
OPEN SHORTEST PATH FIRST
How to take advantage of routing protocols
PWN
ABOUT ME
Studied network and security at the Technical University of Troyes (France)
Working at WienCERT (Stadt-Wien)
AGENDA
What is a routing protocol?
How to use a vulnerable configuration?
Consequences and how to avoid it.
WHAT IS A ROUTING PROTOCOL
Photo courtesy of Dawson Construction Co. BP Refinery project
ROUTING IN IP NETWORKS
IP Networks & Masks
IP            Network     Mask
10.0.0.9/29   10.0.0.8    255.255.255.248
ROUTING IN IP NETWORKS
To reach 10.0.0.1 ⇒ GW R2
To reach 10.0.1.1 ⇒ GW R1
To reach 192.168.1.1 ⇒ GW R3

IP: 192.168.42.1/24
Network       Gateway
10.0.0.0/8    R1
10.0.0.0/24   R2
0.0.0.0       R3
HISTORICAL ROUTING
All routers controlled by the same administrative authority
Security wasn’t really a preoccupation
Internet grew too fast to implement security changes
WHAT IS A ROUTING PROTOCOL?
Share routes through the network in an automated way
IGP vs. EGP
link-state vs. distance-vector
OSPF: A ROUTING PROTOCOL
Interior Gateway Protocol
Multicast (224.0.0.5 or FF02::5)
Link-State Protocol ⇒ Keep state with UPDATE packets
Encapsulated directly in IP (protocol 89)
DYNAMIC ROUTING
[Diagram: Network Alpha, Network Bravo, Network Charlie; OSPF]
Routing table: Network A R1, Network C R3
Routing table: Network B R2, Network C R3
MULTIPLE VULNERABILITIES
Old protocol (last RFC in 1998)
Information sent in clear text …
OSPF HEADER
MULTIPLE VULNERABILITIES II
Standard configuration of routers
⇒ Clear text auth
⇒ add router to the network
⇒ and then add new routes to the protocol
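A defender can check which routers on a segment still use null or clear-text authentication by reading the AuType field of the OSPFv2 header (RFC 2328, A.3.1). The following is an added example, not part of the original slides; the function names and the three sample packets are constructed for illustration.

```python
import ipaddress
import struct

# OSPFv2 common header, RFC 2328 A.3.1: 24 bytes, network byte order.
HEADER = struct.Struct("!BBH4s4sHH8s")
AUTYPES = {0: "null", 1: "simple-password", 2: "cryptographic"}
WEAK = {0, 1}  # no authentication, or a password carried in clear text


def parse_ospf_header(packet: bytes) -> dict:
    """Decode the OSPFv2 header and classify its authentication type."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, area, _cksum, autype, auth = HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    info = {
        "type": ptype,
        "length": length,
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(area)),
        "autype": AUTYPES.get(autype, f"unknown({autype})"),
        "weak": autype in WEAK,
    }
    if autype == 2:
        # Cryptographic auth: 2 reserved bytes, key ID, digest length, sequence number.
        _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, digest_len=digest_len, sequence=seq)
    return info


def weak_speakers(packets) -> dict:
    """Map router ID to authentication type for every weakly authenticated sender."""
    found = {}
    for raw in packets:
        hdr = parse_ospf_header(raw)
        if hdr["weak"]:
            found[hdr["router_id"]] = hdr["autype"]
    return found


def sample_packet(router_id: str, autype: int, auth: bytes) -> bytes:
    """Build a header-only Hello (constructed test data, not a real capture)."""
    return HEADER.pack(2, 1, 44, ipaddress.IPv4Address(router_id).packed,
                       bytes(4), 0, autype, auth)


SAMPLES = [
    sample_packet("10.0.0.1", 2, struct.pack("!HBBI", 0, 1, 16, 1000)),
    sample_packet("10.0.0.2", 1, b"example\x00"),
    sample_packet("10.0.0.3", 0, bytes(8)),
]
```

Feed it the IP payloads of protocol 89 packets from a capture; any router ID it returns is sending OSPF without cryptographic authentication.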
DYNAMIC ROUTING
[Diagram: Network Alpha, Network Bravo, Network Charlie]
DYNAMIC ROUTING
[Diagram: Network Alpha, Network Bravo, Network Charlie; NewR attached with Illegal Network]
DYNAMIC ROUTING
[Diagram: Network Alpha, Network Bravo, Network Charlie; NewR attached with Illegal Network]
Routing table: Network A R1, Network B R2, Illegal Net NewR
Routing table: Network A R1, Network C R3, Illegal Net. R3
Routing table: Network B R2, Network C R3, Illegal Net. R3
CONSEQUENCES
Re-route internal IP-traffic
Manipulate connections (DNS, DHCP, …)
Reroute external IPs to internal servers
WHAT ABOUT OTHER PROTOCOLS?
EIGRP
Distance-Vector Cisco Routing Protocol
RIPv2
Distance-Vector Routing Protocol
BGP
Exterior Gateway Protocol
This vulnerability is not applicable
Neighboring required to route
TOOLS
Wireshark
Loki
Quagga
Scapy (contrib module; no md5)
NRL Core
Nemesis
IP Sorcery
Cain&Abel
Net Dude
Colasoft
IRPAS
CONFIGURATION
Know your routers!
Review your configuration periodically
Limit the scope of your routing protocol
Test your configuration
JUNOS EXAMPLE
    # show protocols ospf
    area 0.0.0.0 {
        interface vlan.1 {
            retransmit-interval 5;
            hello-interval 2;
            dead-interval 10;
            authentication {
                md5 1 key "mypassword";
            }
        }
        interface ge-0/0/1.0 {
            passive;
        }
    }
QUAGGA EXAMPLE
    router ospf
     ospf router-id 10.0.0.1
     #
     network 10.1.2.0/24 area 0
     network 10.2.4.0/24 area 0
     passive-interface eth0:1
     #
     redistribute kernel
     redistribute connected
     redistribute static
     default-information originate
     #
CISCO EXAMPLE
    router ospf 1
     router-id 10.0.0.1
     log-adjacency-changes
     area 10.0.0.20 authentication
     redistribute connected metric 50 subnets
     redistribute static subnets
     passive-interface default
     no passive-interface FastEthernet0
     network 10.11.12.0 0.0.0.255 area 20
     network 192.168.42.0 0.0.0.255 area 20
CISCO EXAMPLE
    interface FastEthernet0
     ip address 10.0.0.1 255.255.255.0
     ip ospf authentication message-digest
     ip ospf authentication-key P4ssW0rd
     ip ospf 1 area 10.0.0.20
     duplex auto
     speed auto
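One way to automate the periodic configuration review, run against the OSPF lines of the Cisco example above. This is an added example, not part of the original slides; `audit_ospf`, `stanzas` and the finding labels are hypothetical names. On IOS, `ip ospf authentication-key` sets the simple-password key, while message-digest authentication takes its key from `ip ospf message-digest-key`, so the check flags an interface that enables message-digest without one.

```python
import re

# OSPF-relevant lines of the Cisco example slides above (trimmed).
PAGE_CONFIG = """\
router ospf 1
 area 10.0.0.20 authentication
 passive-interface default
 no passive-interface FastEthernet0
interface FastEthernet0
 ip ospf authentication message-digest
 ip ospf authentication-key P4ssW0rd
 ip ospf 1 area 10.0.0.20
"""


def stanzas(config):
    """Group indented sub-commands under their top-level command."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out[current] = []
    return out


def audit_ospf(config):
    """Return (stanza, finding) pairs; finding names are hypothetical labels."""
    findings = []
    for head, body in stanzas(config).items():
        if head.startswith("router ospf"):
            if "passive-interface default" not in body:
                findings.append((head, "interfaces-active-by-default"))
            if any(re.fullmatch(r"area \S+ authentication", c) for c in body):
                findings.append((head, "area-simple-password"))
        elif head.startswith("interface") and any(c.startswith("ip ospf") for c in body):
            md5 = "ip ospf authentication message-digest" in body
            keyed = any(c.startswith("ip ospf message-digest-key") for c in body)
            if md5 and not keyed:
                findings.append((head, "message-digest-without-key"))
            if "ip ospf authentication" in body:
                findings.append((head, "simple-password"))
    return findings

if __name__ == "__main__":
    print(audit_ospf(PAGE_CONFIG))
```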
PATCH MANAGEMENT
Patch your network devices
Learn about new protocols (OSPFv3 with AH and ESP)
Use the new protocols
OTHER VULNERABILITIES?
Spoofed LSA (CVE-2013-0149)
CONCLUSION
Consider Routing as a critical asset
Monitor your network
Audit your network periodically
SPECIAL THANKS
WienCERT PGP-Key: 9B2C C43A 0B5A 6269 A438 A1FC 07FA F5B9 948A D027
REFERENCES
IP RFC https://tools.ietf.org/html/rfc791
OSPF v2 RFC http://tools.ietf.org/html/rfc2328
OSPF for IPv6 RFC http://tools.ietf.org/html/rfc5340
“An Experimental Study of Insider Attacks for the OSPF Routing Protocol” Brian Vetter, Feiyi Wang, S. Felix Wu (1997)
“Persistent OSPF Attacks” Gabi Nakibly et al. http://crypto.stanford.edu/~dabo/pubs/papers/ospf.pdf
“OSPF Security Project” Michael Sudkovitch and David I. Roitman, http://webcourse.cs.technion.ac.il/236349/Spring2013/ho/WCFiles/2009-2-ospf-report.pdf
Scapy OSPF Module https://raw.githubusercontent.com/d1b/scapy/master/scapy/contrib/ospf.py