By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly

By Alex Kirshon and Dima Gonikman

Under the Guidance of Gabi Nakibly

Project Objectives OSPF Routing Protocol

Protocol OverviewKnown Attacks Description

Project AccomplishmentsFake Adjacency AttackAdjacency Corruption Attack

Project Summary

Outline

Study of vulnerabilities of OSPF from the protocol perspective

Exploitation of vulnerabilities to attack an OSPF network in new and improved ways

Prove effectiveness of attacks by collecting network statistics in simulated environment

OSPF AttacksProject Objectives

OSPF Routing Protocol Open Shortest Path First

A Second Generation Internal Routing Protocol

Main Purpose – Internal Gateway Protocol – establishment an maintenance of routes within an Autonomous System

Dijkstra Algorithm based routing topology

OSPF Routing Protocol Open Shortest Path First

Link State Advertisement Protocol Hello Protocol - discovery of neighbors and

forming adjacencies (~Every 10 seconds) Most protocol data is exchanged exclusively

over adjacencies Areas – an administrative abstraction

OSPF Routing ProtocolSecurity Features

Simple EncryptionMD5 based Message Authentication Code

‘Natural Fightback’ mechanismFalse LSAs are updated or flushed by legitimate

router

Areas as a Security Measure Flooding of false information is limited to area

of origin

OSPF Routing ProtocolThe Link State Database

OSPF Routing ProtocolSome Known Attacks

Max Sequence Number AttackPrevents Fightback

False Forwarding Address AttackCreates data loops

False Designated Router AttackImpacts AS connectivity

Project AccomplishmentsNew Attacks

Fake Adjacency Attack

Adjacency Corruption Attack


Attack Goal – Establishing an adjacency with a phantom router

Motivation – Being Adjacent is a powerful position

Link State Databases are synchronized over adjacencies, being adjacent means being able to change other LSDBs at will

Hello Protocol And Adjacency Bring-Up

Fake Adjacency AttackDescription

Send Spoofed Hello Packet to Victim Network Designated Router

Perform the Adjacency Bring-Up Procedure Without Hearing Victim Response (Send “next packet” every RTT)

Inject False Routing Information Via Spoofed LSU Packets (~ Every 30 minutes)

Maintain Attack By Periodically Sending Spoofed Hello Packets (~Every 10 seconds)






AdvantagesNot Dependent On Network TopologyEasy Maintenance – generating messages for

maintenance is easy, and not frequentPowerful – can cause information loss, not

bothered by limitations caused by areas

DisadvantagesExposed and requires High Maintenance – The

attacker sends a false message every 10 seconds, this is traceable


Attack Goal – Controlling The Fightback Mechanism

Motivation – Knowing When Fightback Occurs Helps to Overcome It

Lack of Fightback Means False Information Stays in the System Longer

Adjacency Corruption AttackDescription

Send Spoofed LSU to Victim Router Immediately Send Same Spoofed LSU to

Network Designated Router (After RTT)The DR will fight the injected information but it will

be rejected by the victim

Send Spoofed LSA Ack to Network DR (After RTT)

Maintain Attack By Periodically Repeating it (~Every 30 minutes)








AdvantagesPowerful – can cause information loss or routing

loops, not bothered by limitations caused by areas

Low Maintenance – Attacker sends 3 protocol messages every 30 minutes

DisadvantagesDependent On Network Topology

OSPF AttacksProject Summary

What We Accomplished:Found 2 New Major Security Weaknesses in

OSPFv2 RFC Exploited Said Weaknesses to Gain Positions of

PowerProved Applicability of Exploits Using

OMNET++

Thanks for Listening

Any Questions?

Documents

By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly