A couple weeks ago I stumbled across a blog by Michael Kassner which discusses a set of problems with BGP (Border Gateway Protocol) that people in the security field have collectively declared an “internet time bomb”.
The main concerns were:
- BGP lacks the ability to check whether or not routing information is correct
- BGP announces availability but does not advertise throughput limitations of a link
- BGP’s slow response time when there is a major network time has occurred leading to disruptions in service
- BGP’s susceptibility to route hijacking (http://en.wikipedia.org/wiki/IP_hijacking) due to route announcements reaching segments they should not be reaching
For this blog I will focus on the last of these (#4), and more specifically on what can be done when routers advertise themselves or the networks to which they are attached. We’ll look at 2 simple examples.
The first example involves VRRP (Virtual Router Redundancy Protocol) which is a standards-based replacement for HSRP (Hot Standby Router Protocol). For both of these protocols, a pool of routers (2 or more) shares a virtual IP address. The router with the greatest priority is the one that handles the traffic.
If that router fails, the router with the next highest priority takes over, and so on. When VRRP keep-alive traffic is discovered by an attacker on a LAN segment, he/she can observe the VRRP configuration which can be used to mount a MitM (Man in the Middle) attack by becoming the highest priority router, hence redirecting all traffic through the attacker-controlled router.
This attack can be mounted using custom tools (i.e., Scapy could be used for this) or using tools such as Loki. Due to the fact that VRRP does not provide any sort of authentication or integrity checking, this type of attack is fairly easy to execute if VRRP keep-alive traffic is reaching the snooping interfaces of attackers.
The second example of exploitation via router feature/protocol involves OSPF (Open Shortest Path First). OSPF is an Interior Gateway Protocol (IGP) where participating members send out occasional multicast packets (on 126.96.36.199) advertising their availability to other routers and forming OSPF neighbor relationships.
When network topology changes, routers share information with neighbors which then propagates to other neighbors. If configured correctly, advertisements should not reach end user segments. However, misconfigurations are not uncommon and can be utilized by attackers positioned on segments where advertisements are reaching.
Once again using Loki (or other custom tools), it is possible to:
- Participate as an OSPF neighbor
- Enumerate the routing table
- Perform offline MD5 authentication cracking if MD5 is in use
- Insert new routes for the purpose of gaining MitM position
The examples above were made possible by information that should only be shared amongst routers reaching end user segments. How can these types of attacks be prevented or limited?
The simple answer is network administrators need to be diligent in filtering out this sort of traffic from reaching end users. Once routers, firewalls and other network devices have been configured to keep this traffic where it belongs, it is still useful to set up sniffers on end user LAN segments and alert, for example, when multicast packets on 188.8.131.52 are detected.
Additionally, other security devices can be helpful in detecting malicious activity involving routing protocols. This includes but is not limited to IDS, IPS, SIEM, FIM, firewalls with alerting, etc.
To sum up, routers spew a lot of information that often goes ignored until an attacker takes advantage of it. Awareness of misconfigurations and their effects is critical to preventing attackers from taking advantage of insecure features contained within many of the protocols that routers use to talk to one another.