owning the routing table
play

Owning the Routing Table Part II Gabi Nakibly 1 , Eitan Menahem 2 , - PowerPoint PPT Presentation

Apr 27, 2023 •254 likes •579 views

Owning the Routing Table Part II Gabi Nakibly 1 , Eitan Menahem 2 , Ariel Waizel 2 , Yuval Elovici 2 1 National EW Research & Simulation Center, Rafael Advanced Defense Systems Ltd. 2 Telekom Innovation Laboratories, Ben Gurion University

  1. Owning the Routing Table Part II Gabi Nakibly 1 , Eitan Menahem 2 , Ariel Waizel 2 , Yuval Elovici 2 1 National EW Research & Simulation Center, Rafael – Advanced Defense Systems Ltd. 2 Telekom Innovation Laboratories, Ben Gurion University

  2. Background • This work is a second installment of our research on OSPF security . – The first part was presented at Black Hat USA 2011 . • In this part we push the envelope further and present a more powerful attack that allows to take control of a Cisco’s router routing table .

  3. Overview • The holy grail of routing attacks is owning the routing table of a router – without having to own the router itself. • We present a newly found vulnerability of the OSPF protocol. • It allows to own the routing tables of all routers in a routing domain from just a single compromised router.

  4. Why is this so desirable? • Owning the routing tables allows doing tricks such as: – Black holes – Network cuts – Traffic diversion • towards longer routes • or through an attacker-controlled router – And much much more

  5. Who is vulnerable? • The vulnerability is due to an ambiguity in the OSPF spec [RFC 2328]. • Therefore, potentially many commercial routers may be vulnerable! • The attack has been successfully verified against Cisco IOS 15.0(1)M.

  6. How the new attack differs from known ones? • The new attack gains full and persistent over the routing table of another router. – Known attacks cannot do that • It achieves this because it can persistently falsify routing advertisements of other routers. – Without triggering “fight-back” from the victim router. • More on this later on.

  7. Agenda • OSPF primer • OSPF security strengths • Known OSPF attacks • The newly found vulnerability and attack

  8. Internet Routing – The Big Picture AS1 AS3 AS2 Inter-AS routing – BGP Intra-AS routing – OSPF, RIP, IS-IS 9

  9. OSPF Primer • Every router periodically advertises it’s link state (i.e. “who are my neighbors?”). – This is called Link State Advertisement (LSA). • The LSAs are flooded throughout the network hop-by-hop. • Every router receives the LSAs of all other routers – and installs it in its LSA DB – this allows to build the topology map of the AS.

  10. R2 LSA DB: R1 LSA flooding R2 LSA R1 LSA R2 R1

  11. OSPF Primer (cont.) • There are several types of LSAs. The most important one is: – Router LSA – contains the links of a given router. • Throughout the presentation we shall refer only to Router LSAs unless we specifically indicate otherwise.

  12. The Attacker • Location: inside the AS – Controls a single legitimate router in an arbitrary location – This means it can flood LSAs to its neighbors • Goal: Full control of the routing tables of all other routers in the AS.

  13. OSPF Security Strengths • Every LSA is flooded throughout the AS • The “fight back” mechanism • One LSA holds only a little piece of topology information

  14. Known Attacks • Falsifying self LSAs – Falsify only a small portion of the AS topology, hence full control over the routing table can not be achieved. • Falsifying other routers’ LSAs – Triggers immediate fight back • non-persistent • Falsifying phantom router LSAs – Does not have an affect on the routing table – since no real router advertises a link back to the phantom.

  15. Owning the Routing Table – Part I • Until 2011 the common knowledge was that an inside attacker cannot gain full and persistent control over the routing table of a router it does NOT control. • At Black Hat USA 2011 we presented the first general technique to evade fight-back. – Thereby, persistently falsifying LSAs of other routers. – This was called the “Disguised LSA” attack. • See http://www.blackhat.com/html/bh-us-11/bh-us-11- briefings.html#Nakibly

  16. The New Attack • We now present an even more powerful attack. – It too allows to persistently falsify LSAs while evading fight-back • On top of that, it offers some added bonuses: – The routing table of the victim router is erased • Can be used as a means to easily DoS a router – Only a single well-crafted attack packet is required

  17. Background • The LSA header: • An LSA is uniquely identified by: – LS type (for Router LSA it is always ‘1’) – Advertising Router – Link State ID

  18. Background (cont.) • Advertising Router – identifies the router that originated the LSA. • i.e., the router ID • Link State ID – identifies the part of the AS that is being described by the LSA. • i.e., the router ID The two fields must have the same value. – But, the OSPF spec does not specify a check to verify this on LSA reception!

  19. The Vulnerability • According to the OSPF spec (Sec. 13.4) – A router fights back only if it receives a false LSA in which • “ the Advertising Router is equal to the router's own Router ID ” • If the victim router receives a false LSA having: – Link State ID = victim router’s ID – Advertising Router ≠ victim router’s ID • Then, no fight back is triggered by the victim! – This is despite the fact that the LSA claims to describe links of the victim router itself.

  20. Illustration - False LSA The false LSA is sent by the attacker. victim No Fight back is triggered! Flooding proceeds as usual. All routers install the false LSA in their LSA DBs! The OSPF spec guarantees it.

  21. But wait, it’s not that simple… • There should be a problem: – Remember Sec. 12.1? An LSA is identified by both: • Advertising Router, and • Link State ID – Hence, the false LSA has a different identifier than that of the valid LSA ( different Advertising Router fields). • This means that the two LSAs are different from the OSPF point of view. – This potentially makes the attack futile • The false LSA is installed in the LSA DB, but may simply be ignored by all routers while they keep using the valid LSA

  22. Ambiguity • On the other hand, according to the OSPF spec (Sec. 16.1) – During the routing table calculation LSAs are looked up in the LSA DB • “ This is a lookup … based on the Vertex ID “ only! – Vertex ID = Link State ID • This is an ambiguity in the spec – According to Sec. 12.1 an LSA is identified by the tuple (Link State ID, Adv. Router). – On the other hand, according to Sec. 16.1 an LSA is looked up by the Link State ID only.

  23. Ambiguity (cont.) • All the routers in the AS (including the victim!) have in their LSA DBs two LSAs with the same Link State ID. – the false LSA, and – the valid LSA. • Which LSA will be considered during the routing table calculation? – The OSPF spec does not provide an answer… – Hence, this is implementation dependent

  24. Cisco • Holds about 75% of the global enterprise router market.

  25. Validation on Cisco • We use GNS3 emulation software with production IOS image. • Cisco IOS 15.0(1)M – Almost latest IOS version. • This is the latest version we can get our hands on. • 7200-series routers. • The Scapy attack scripts are attached.

  26. Validation on Cisco (cont.) • Findings: – A false LSA with higher seq. num. than that of the valid LSA will replace the valid LSA in the LSA DB. • This happens in all routers including the victim! before after

  27. Validation on Cisco (cont.) • Findings (cont.): – All the routers consider the false LSA during their routing table calculation! • All routers except the victim build their routing table accordingly. – The victim’s routing table is erased. • No OSPF path is calculated. – This probably happens since Cisco’s OSPF implementation fails to find in the LSA DB during the routing table calculation an LSA with an Advertising Router field that equals to the current router ID.

  28. Validation on Cisco (cont.) • The victim’s routing table erasure is persistent! – The victim can not recover spontaneously. – The OSPF process must be re-initialized. • If it wishes, the attacker can undo the erasure by sending another false LSA but with an Advertising Router = victim’s ID. • The victim will fight back and the valid LSA is reinstalled.

  29. Attack Application Example #1 • Black hole – The false LSA announces that the victim router is directly connected to some external destination (e.g. the IP range of google.com) – All AS traffic to that destination will be directed to the victim router which will simply drop the packets. victim google.com

  30. Attack Applications Example #2 • Traffic diversion – The false LSA announce no links for the the victim router – All traffic will circumvent the victim. • Taking alternative routes, if such routes exist. • If not, the AS is partitioned. • Green and red paths are before and after the attack, respectively. victim

  31. Conclusions • We have presented a new attack the exploits the ambiguity in the OSPF spec. • The attack is successful against a Cisco router – Potentially many other commercial routers may be vulnerable. • Using this attack one can control the routing domain from a single router.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size

Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size

Geoff Huston APNIC Routing Table Status Report November 2005 IPv4 Routing Table Size - Aug IPv4 Routing Table Size - Nov Data assembled from Route Views data. Each colour represents a time series for a single AS. The major point here is

686 views • 45 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
1 Routing Table Routing Table Destination network Next router

1 Routing Table Routing Table Destination network Next router

Lecture 12. Lecture 12. Introduction to Introduction to IP Routing IP Routing Giuseppe Bianchi Why introduction? Why introduction? Routing: very complex issue need in-depth study entire books on routing our scope: give a

552 views • 19 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat HUMANS HAVE DOMESTICATED MANY DIFFERENT TYPES OF ANIMALS AS PETS Canis lupus Oryctolagus Felis catus Carassius familiaris cuniculus auratus PHOTO

158 views • 11 slides
Routing Table Status Report March 2005 IPv4 Routing Table Size Data assembled from Route Views

Routing Table Status Report March 2005 IPv4 Routing Table Size Data assembled from Route Views

Geoff Huston Routing Table Status Report March 2005 IPv4 Routing Table Size Data assembled from Route Views data. Each colour represents a time series for a single AS. The major point here is that there is no single view of routing. Each

335 views • 14 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides
CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large

CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large

CS 557 Landmark Routing The Landmark Hierarchy: A New Hierarchy For Routing in Very Large Networks Paul Tsuchiya, 1988 Spring 2013 Landmark Routing Objective: Reduce the routing table size without increasing path length by a large

458 views • 15 slides
OpenOSPFD Claudio Jeker <claudio@openbsd.org> Introduction maintain routing table

OpenOSPFD Claudio Jeker <claudio@openbsd.org> Introduction maintain routing table

OpenOSPFD Claudio Jeker <claudio@openbsd.org> Introduction maintain routing table automatically choose "best" path recover from network failures (reroute) default free routing divide Internet into autonomous systems (AS) same

545 views • 28 slides
Network layer Distributed Routing: Distance Vector Routing Distance Vector Routing Principle

Network layer Distributed Routing: Distance Vector Routing Distance Vector Routing Principle

IN2140: Introduction to Operating Systems and Data Communication Network layer Distributed Routing: Distance Vector Routing Distance Vector Routing Principle every IS maintains a table (i.e., vector) stating best known distance to

268 views • 7 slides
Typical P2P routing P2P network of N nodes Node s maintains a routing table T s = { ( u, IP

Typical P2P routing P2P network of N nodes Node s maintains a routing table T s = { ( u, IP

C YCLIC R OUTING IN S TRUCTURED P EER - TO -P EER N ETWORKS D MITRY K ORZUN A NDREI G URTOV AND Petrozavodsk Helsinki Institute State for Information University Technology AMICT 2008 seminar 20.05.2008 Typical P2P routing P2P network

327 views • 15 slides
Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding tables Forwarding vs. routing tables Forwarding table maps network number to interface, data link address Routing table maps network

330 views • 12 slides
Owning Your Home Network: Router Security Revisited Marcus

Owning Your Home Network: Router Security Revisited Marcus

Owning Your Home Network: Router Security Revisited Marcus Niemietz, Jrg Schwenk {marcus.niemietz, joerg.schwenk} @rub.de Ruhr University Bochum Table of

623 views • 24 slides
IPv6 Potential Routing Table Size IPv6 Potential Routing Table Size IPv6 Potential Routing Table

IPv6 Potential Routing Table Size IPv6 Potential Routing Table Size IPv6 Potential Routing Table

IPv6 Potential Routing Table Size IPv6 Potential Routing Table Size IPv6 Potential Routing Table Size Jason Schiller Jason Schiller schiller@uu.net schiller@uu.net Sven Maduschke Sven Maduschke sven.maduschke@verizonbusiness.com

763 views • 22 slides
Implementing IPv6 Segment Routing David Lebrun <david.lebrun@uclouvain.be> UCLouvain

Implementing IPv6 Segment Routing David Lebrun <david.lebrun@uclouvain.be> UCLouvain

Implementing IPv6 Segment Routing David Lebrun <david.lebrun@uclouvain.be> UCLouvain Netdev 1.2, Tokyo, October 2016 1/35 Table of Contents Segment Routing Implementation Network Function Virtualization Conclusion 2/35 Table of

470 views • 35 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Guided Pathways at California Community Colleges WELCOME! Choose an index card from the table

Guided Pathways at California Community Colleges WELCOME! Choose an index card from the table

Guided Pathways at California Community Colleges WELCOME! Choose an index card from the table GREEN: Classified employees YELLOW: Faculty BLUE: Administrators Note the table number on your card and find your table (Hold on

607 views • 22 slides
X1D: Create Pivot Tables using Excel 2013 3/07/2018 V1N Create Pivot Tables using Excel 2013 1

X1D: Create Pivot Tables using Excel 2013 3/07/2018 V1N Create Pivot Tables using Excel 2013 1

X1D: Create Pivot Tables using Excel 2013 3/07/2018 V1N Create Pivot Tables using Excel 2013 1 Create Pivot Tables using Excel 2013 2 X1D: V1N X1D: V1N Creating Pivot Tables The Goal Using Excel 2013 Goal: to show the steps involved in

470 views • 28 slides
Table Augmentation SIGIR 2019 tutorial - Part V Shuo Zhang and Krisztian Balog University of

Table Augmentation SIGIR 2019 tutorial - Part V Shuo Zhang and Krisztian Balog University of

Table Augmentation SIGIR 2019 tutorial - Part V Shuo Zhang and Krisztian Balog University of Stavanger Shuo Zhang and Krisztian Balog Table Augmentation 1 / 42 Motivation Working with tables/spreadsheets is a labour-intensive task Table

687 views • 42 slides
T4-Input/Output License This document is under a license Attribution Non-commercial - Share

T4-Input/Output License This document is under a license Attribution Non-commercial - Share

9/9/19 T4-Input/Output License This document is under a license Attribution Non-commercial - Share Alike under the same Creative Commons 3.0 license. To see a summary of the license terms, visit:

505 views • 47 slides
Hash Tables Lecture # 06 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645

Hash Tables Lecture # 06 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645

Hash Tables Lecture # 06 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645 Carnegie Mellon Univ. Fall 2018 2 UPCO M IN G DATABASE EVEN TS MapD Talk Thursday Sept 20 th @ 12:00pm CIC 4 th Floor CMU 15-445/645 (Fall

802 views • 78 slides
Optimizing Lua Applications for LuaJIT and OpenResty agentzh@openresty.org Yichun Zhang

Optimizing Lua Applications for LuaJIT and OpenResty agentzh@openresty.org Yichun Zhang

Optimizing Lua Applications for LuaJIT and OpenResty agentzh@openresty.org Yichun Zhang (@agentzh) 2016.9 NGINX + LuaJIT Flame Graphs I/O Off -CPU Flame Graphs # assuming the nginx worker process to be analyzed is 10901.

1.35k views • 85 slides
Boomerang Connectivity Table: A New Cryptanalysis Tool Carlos Cid 1 , Tao Huang 2 , Thomas Peyrin

Boomerang Connectivity Table: A New Cryptanalysis Tool Carlos Cid 1 , Tao Huang 2 , Thomas Peyrin

Boomerang Connectivity Table: A New Cryptanalysis Tool Carlos Cid 1 , Tao Huang 2 , Thomas Peyrin 2 , Yu Sasaki 3 and Ling Song 2,4 1. Royal Holloway, University of London, UK 2. Nanyang Technological University, Singapore 3. NTT Secure Platform

799 views • 25 slides
Process Address Spaces and Binary Formats Don Porter 1 COMP 530: Operating Systems Background

Process Address Spaces and Binary Formats Don Porter 1 COMP 530: Operating Systems Background

COMP 530: Operating Systems Process Address Spaces and Binary Formats Don Porter 1 COMP 530: Operating Systems Background Weve talked some about processes This lecture: discuss overall virtual memory organization Key

1.11k views • 38 slides

More recommend