Black Hat: Routers Using OSPF Open to Attacks
LAS VEGAS -- A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.
The problem is serious not only because of the damage an attacker might do but also because the protocol, OSPF, is used so pervasively that many networks are vulnerable. Open Shortest Path First (OSPF) is the most popular routing protocol used within the roughly 35,000 autonomous systems into which the Internet is divided.
Typically large corporations, universities and ISPs run autonomous systems.
OPTIONS: EIGRP vs. OSPF
The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel's Electronic Warfare Research and Simulation Center, who discovered the problem.
Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but that it would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the severity of the problem, since Cisco dominates the router market.
The problem lies in the OSPF protocol itself, which can be tricked into accepting false router table updates from phantom routers on the network -- Nakibly says he used a laptop attached to the test network he was attacking.
The phantom sends a false link state advertisement (LSA) -- a periodic router table update -- to the targeted router. The router accepts it as legitimate because, to verify its authenticity, all it checks for is that it has the most recent LSA sequence number, contains the proper checksum and is plus or minus 15 minutes old.
Nakibly described how to falsify all of these and to overcome the protocol's defense mechanism called fightback that floods accurate LSAs in the face of false ones.
The false LSA can be crafted to create router loops, send certain traffic to particular destinations or snarl a network by making the victim router send traffic along routes that don't exist in the actual network topology, he says.
The exploit requires one compromised router on the network so the encryption key used for LSA traffic among the routers on the network can be lifted and used by the phantom router. The exploit also requires that the phantom router is connected to the network, Nakibly says.
To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network. Designated routers store complete topology tables for the network, and they multicast updates to the other routers.
Nakibly introduced a second attack that is not as effective, but similarly takes advantage of a vulnerability in the OSPF specification.
Read more about wide area network in Network World's Wide Area Network section.