Novel Attacks in OSPF Networks to Poison Routing Table

Slides:



Advertisements
Similar presentations
Introduction to OSPF.
Advertisements

Lonnie Decker Multiarea OSPF for CCNA Department Chair, Networking/Information Assurance Davenport University, Michigan August 2013 Elaine Horn Cisco Academy.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSPF Routing Protocols and Concepts – Chapter 11.
PROJECT IN COMPUTER SECURITY IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012.
By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.
Nov 11, 2004CS573: Network Protocols and Standards1 IP Routing: OSPF Network Protocols and Standards Autumn
1 ELEN 602 Lecture 20 More on Routing RIP, OSPF, BGP.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
Objectives After completing this chapter you will be able to: Describe hierarchical routing in OSPF Describe the 3 protocols in OSPF, the Hello, Exchange.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
TCP/IP Protocol Suite 1 Chapter 14 Upon completion you will be able to: Unicast Routing Protocols: RIP, OSPF, and BGP Distinguish between intra and interdomain.
Chapter 12 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Read a routing table  Configure a static route 
Link State Routing Protocol W.lilakiatsakun. Introduction (1) Link-state routing protocols are also known as shortest path first protocols and built around.
Open Shortest Path First (OSPF) -Sheela Anand -Kalyani Ravi -Saroja Gadde.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.
1 CS 4396 Computer Networks Lab Dynamic Routing Protocols - II OSPF.
Lecture Week 10 Link-State Routing Protocols. Objectives Describe the basic features & concepts of link-state routing protocols. List the benefits and.
Unicast Routing Protocols  A routing protocol is a combination of rules and procedures that lets routers in the internet inform each other of changes.
M.Menelaou CCNA2 ROUTING. M.Menelaou ROUTING Routing is the process that a router uses to forward packets toward the destination network. A router makes.
Routing protocols Basic Routing Routing Information Protocol (RIP) Open Shortest Path First (OSPF)
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Link-State Routing Protocols Routing Protocols and Concepts – Chapter 10.
Introduction to OSPF Nishal Goburdhan. Routing and Forwarding Routing is not the same as Forwarding Routing is the building of maps Each routing protocol.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSPF Routing Protocols and Concepts – Chapter 11.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 2 Single-Area OSPF.
1 Module 4: Implementing OSPF. 2 Lessons OSPF OSPF Areas and Hierarchical Routing OSPF Operation OSPF Routing Tables Designing an OSPF Network.
 Development began in 1987  OSPF Working Group (part of IETF)  OSPFv2 first established in 1991  Many new features added since then  Updated OSPFv2.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Single-Area OSPF Routing Protocols.
Open Shortest Path First (OSPF)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Single-Area OSPF Routing Protocols.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—3-1 Implementing a Scalable Multiarea Network OSPF-Based Solution Planning Routing Implementations.
CCNP Routing Semester 5 Chapter 4 OSPF.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Link-State Routing Protocols Routing Protocols and Concepts – Chapter 10.
LAN Switching Virtual LANs. Virtual LAN Concepts A LAN includes all devices in the same broadcast domain. A broadcast domain includes the set of all LAN-connected.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
1 CMPT 471 Networking II OSPF © Janice Regan,
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Single-Area OSPF Routing & Switching.
Dynamic Routing Protocols II OSPF
Instructor Materials Chapter 5: Dynamic Routing
Link State Routing protocol
CMPT 371 Data Communications and Networking Routing in the Internet
OSPF (Open Shortest Path First)
Routing Protocols and Concepts
Link-State Routing Protocols
Dynamic Routing Protocols part2
Instructor Materials Chapter 10: OSPF Tuning and Troubleshooting
Single-Area OSPF (Open Shortest Path First Protocol)
Single-Area OSPF (Open Shortest Path First Protocol)
Troubleshooting IP Addressing
13.3 OSPF: Open Shortest Path First.
© 2002, Cisco Systems, Inc. All rights reserved.
Routing.
Chapter 5: Dynamic Routing
Link State Algorithm Alternative to distance-vector
Chapter 9: Multiarea OSPF
Dynamic Routing Protocols II OSPF
CCNA 3 v3 JEOPARDY Module 2 CCNA3 v3 Module 2 K. Martin.
Link-State Routing Protocols
Instructor & Todd Lammle
Dynamic Routing and OSPF
Introduction to networking
Chapter 8: Single-Area OSPF
Viet Nguyen Jianqing Liu Yaqin Tang
Dynamic Routing Protocols part2
Cisco networking, CNET-448
Chapter 9: Multiarea OSPF
Link-State Routing Protocols
Routing Protocols and Concepts – Chapter 11
Chapter 9: Multiarea OSPF
Dynamic Routing Protocols part3 B
Routing.
Presentation transcript:

Novel Attacks in OSPF Networks to Poison Routing Table 2019/10/9 Novel Attacks in OSPF Networks to Poison Routing Table Author: Yubo Song, Shang Gao, Aiqun Hu, Bin Xiao Publisher/Conf.:2017 IEEE International Conference on Communications (ICC) Presenter: 林鈺航 Date: 2019/4/17 1 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab

Introduction The most common attack against link-state routing protocol is LSA falsification, in which an attacker advertises a fake LSA with false link information on the behalf of routers in the AS. In link-state routing networks, a router periodically advertises a new instance of each LSA throughout the AS. Every LSA has a sequence number which increases with every new advertised instance. In LSA falsification attack, the attacker poisons the routers’ view of the AS topology and change their routing table by flooding false LSA instances To mitigate this attack, the primary security mechanism deployed in OSPFv2/v3 is the “fight-back” mechanism. Since the victim router will also receive the false instance of its own LSA, it immediately verifies the sequence number of this false instance, and generates a newer instance of the LSA with a higher sequence number which cancels out the false one. An attacker can completely poison of all routers within the AS by sending a false LSA with the same Link State ID of the victim but different routing information. The attacker is able to send LSAs to the routers in the routing domain while the routers regard them as valid LSAs.

OSPF Every OSPF router first sends “hello” packets to discover its neighboring routers. There are three components in the hello packet header to keep information about the status of routers: “hello interval”: indicates how frequently the sender should retransmit its hello packets “router dead interval”: tells how long it takes to declare an unavailable router “neighbor list”: describes the neighbors that the sender has already met.

OSPF Once a neighboring router is found via the hello protocol, the sender goes through a “database exchange process” to synchronize its database. Then the information about the sender’s local neighbors is assembled into a LSA, and is broadcasted via a reliable intelligent flooding scheme to all other routers. These LSA packets make up the link state database for the networks. Once all routers have an up-to-date link state database, each router can use the Dijkstra’s algorithm to calculate a shortest-path tree with other routers and then form a complete picture of routing in the networks.

Five types of OSPF packets The OSPF protocol runs directly over IP, using 89 port. IP reassembling is used when fragmentation is necessary. “hello” packet : used by a router to discover its neighbors “database description” and “link state request” packets : used to synchronize two routers’ databases when an adjacency is being initialized “link state update” packet : used to update link state database “link state acknowledgment” packet : ensures a reliable transmission by acknowledging flooded LSAs

“Fight-back” mechanism Once a router receives an instance of its own LSA but newer than the last instance it originated, the router immediately advertises a newer instance of the LSA which cancels out the false one. The OSPF protocol also has a flooding mechanism which ensures all routers in the networks maintain the same topological database. Therefore, a false LSA advertised by the attacker will be send to the victim router eventually. The “Fight-back” mechanism and the flooding mechanism ensure that all the LSAs in other routers are originated from the valid router.

ATTACKS ON OSPF PROTOCOL One strong assumption of all mentioned attacks is that the attacker is able to send LSAs to the routers in the routing domain while the routers regard them as valid LSAs. We identify several novel vulnerabilities that the attacker can still falsify LSAs to the routers even when he is a common user inside the OSPF networks, and propose two novel attacks: adjacency spoofing attack single path injection attack

Adjacency Spoofing Attack Once the attacker connects to the gateway in the same subnet, he first captures the “hello” packets broadcasted by the gateway and gets the network parameters, such as Router ID, Area ID, HelloInterval, RouterDeadInterval, AuType and so on. These parameters can be used to construct the corresponding “hello” packet related. Second, since the gateway is assumed to be a designated router, it starts to set up an adjacency with the attacker.

Adjacency Spoofing Attack The attacker sends the forged ”hello” packet as if he is a legal adjacent router to make an adjacency relationship with gateway. Third, the gateway sends a Database description (DBD) message when it receives the “hello” packet from the attacker, and the attacker and gateway exchange the summaries of LSAs in their database with DBD messages. Finally, the gateway requests its peer new instances after the LSA exchange. In this way, the gateway receives the false LSAs from the attacker and floods them to the whole OSPF networks.

Adjacency Spoofing Attack The victim gateway regards the attacker as a adjacent router after adjacency spoofing attack. The attack can further advertise any false LSA and change any traffic path he wants. All routers will change their routing table after receiving the flooded LSAs. It is can be used to realize DNS spoofing, phishing Website, eavesdropping, and man-in-the-middle attacks.

Single Path Injection Attack We find a new vulnerability in OSPF protocol. Section 13.7 of the OSPF protocol specification defines the process procedures of the received link state acknowledgments: The router ignores this acknowledgment and examines the next acknowledgment when the LSA acknowledge does not have an instance on the link state retransmission list for the neighbor. Otherwise, the router removes the item from the list and examines the next acknowledgment. We exploit this feature to advertise a false LSA via a middle “springboard router” to the specific ”polluted router” without triggering the Fightback mechanism.

Single Path Injection Attack Attacker can send a false LSA from the host to the polluted router R8 via the springboard router R6. In this way, the polluted router R8 believes that this false LSA is flooded from the router R6. R8 is the first router to store the false LSA in its link state database and floods the link state acknowledgment to the all other routers in the OSPF networks. By exploiting the OSPF feature mentioned above, attacker can bypass the “Fight-back” mechanism even though the router R6 may receive the link state acknowledgment which includes the false LSA from router R8. The source IP address in this false LSA is set to the address of f1/0, and the ID value is set to R6’s ID.

Single Path Injection Attack In the normal stage, a router inserts the LSA into its local link state retransmission list after sending the LSA to other routers, and waits for the link state acknowledgment within a given time interval. If no link state acknowledgment is sent back before the time running out, the router retransmits the LSA. Otherwise, the router confirms the LSA and deletes the LSA from the local link state retransmission list. We can infer that this attack only occurs when there is only one transmission path between the springboard router and polluted router. Once an attacker confirms the springboard router, he constructs a false LSA with the springboard router’s ID and sends it to the polluted router.

Attack Validation in Simulation Environment We establish the simulation environment based on GNS3. GNS3 is a graphic network simulator to design and configure virtual networks. It allows the combination of virtual devices and real devices, and can be used to simulate complex networks. The simulated routers are Cisco routers and their Cisco IOS versions are c3640 by default.

Topology The IP address of each router is the combination of the router ID and the IP address range of the corresponding subnet Area0 : backbone area , Area1 : inter-area, Area2 : inter-area R9 : backbone router which connects to a real-world campus network in Southeast University. The IP address of each router is the combination of the router ID and the IP address range of the corresponding subnet. A2 : real host, A1: Vmware virtual machine

Adjacency Spoofing Attack First A2 captures the network parameters by sniffing the “hello” packet broadcasted by the adjacent router. Then A2 disguise himself as an AS boundary router (ASBR) to establish an adjacent relationship with router R3. Once A2 becomes the adjacent ASBR of R3, it injects a false LSA with malicious route information of the subnet 58.192.114.0/24. R3 accepts the false LSA and floods it to all other routers.

Adjacency Spoofing Attack

Single Path Injection Attack In normal condition, the traffic path from User C1 to User C2 is R3-R6-R9-R7-R4.