roggy
Senior Member
Posts:
346
Joined:
Tue Apr 08, 2008 10:09 am

Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:27 am


mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:34 am

Hmm, so even authenticating your links is no good?

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:38 am

No, authenticating your links will mitigate this. It says lower down:

The exploit requires one compromised router on the network so the encryption key used for LSA traffic among the routers on the network can be lifted and used by the phantom router.


Well no shit Sherlock. If you compromise a router first, and get all the info you need to join yourself to the routing domain, of course you can inject false information.

This isn't news, or an exploit. It's FUD.

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:41 am

Ah I see.

Well that isn't as bad an issue as I thought it would be. You should be authenticating your OSPF links by default anyway.

Unless you're running IPv6 of course: http://mellowd.co.uk/ccie/?p=1421

roggy
Senior Member
Posts:
346
Joined:
Tue Apr 08, 2008 10:09 am

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:43 am

Yeah, that's pretty much what I managed to dig out from the presentation - in fact I think you even need to run the attack from a router that already has an adjacency.

i.e. even if you don't have authentication, simply sending crafted hellos won't work either.

So simply making sure you have "passive" by default and only enabling on trusted segments works too.

that1guy15
Post Whore
Posts:
3224
Joined:
Thu Apr 29, 2010 6:12 pm
Certs:
CCNP, CCDP, CCIP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:47 am

That's on the same note as being able to hack someone's computer if you get their password! Sure, it might be a little harder to obtain the OSPF encryption key, but still. If you get the golden key then you own the network, no matter what technologies are being used.
http://blog.movingonesandzeros.net/

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 11:59 am

roggy wrote: in fact I think you even need to run the attack from a router that already has an adjacency.

No, that's what the author is calling the "exploit" here. You send updates that appear to be coming from a legitimate neighbour. You would spoof your source IP/MAC and pretend that you are the DR (for example).

chrismarget
Senior Member
Posts:
387
Joined:
Wed Jan 26, 2011 3:38 pm

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 12:56 pm

To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network.


Attacker adjacent to an OSPF router? passive interface, anyone? I don't even recommend authentication to customers who aren't using it, because what's the point? If the attacker is in the MDF, unplugging wires plugged into active OSPF interfaces, the game is already over.

Furthermore, what's the application for even having DRs in a modern network? I've got a few, where I'm adjacent with a clustered firewall, but even those make me uncomfortable. <opinion>If your LSDB is full of 'network' LSAs, you're doing it wrong</opinion>

reaper
Senior Member
Posts:
350
Joined:
Sat May 06, 2006 4:00 pm
Certs:
CCIE #37149 , CCNP, CCDA

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 1:23 pm

Well. Running a DR will be default on broadcast and non-broadcast networks even though most Ethernet interfaces are P2P if used for transit links etc. I guess you could set all links to P2P manually, but it's easy to forget it on one side then.
http://lostintransit.se

chrismarget
Senior Member
Posts:
387
Joined:
Wed Jan 26, 2011 3:38 pm

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 1:37 pm

reaper wrote: you could set all links to P2P manually but easy to forget it on one side then.
That's what I'm getting at.

I always configure routed links as /31 subnets with 'ip ospf network point-to-point'. It speeds up forming of adjacencies, lowers the LSA count, and simplifies the SPF topology.

'network' LSAs count as nodes from Dijkstra's perspective, and complicate path selection.

Unless you've got single-subnet frame relay (nobody does this), or you really have several routers plugged into an L2 broadcast domain (more common, requires tweaking to speed up convergence), there's no reason to run things as a multiaccess network node.

If you mismatch the types, well... Don't do that :-)
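The posture the thread converges on (passive by default, adjacencies only on explicitly trusted transit links, /31 point-to-point links with no DR election, authentication on every active link, and adjacency logging so an unexpected neighbour is visible) as a single IOS configuration. This is an added example, not a configuration posted in the thread; the interface names, addresses, area number, process number and the key string are assumed placeholders.

```cisco
! Added example, not from any post in this thread.
! Interface names, addresses, process/area numbers and the key are assumed placeholders.
router ospf 1
 router-id 10.0.0.1
 ! Send and accept no hellos on any interface unless it is explicitly
 ! opted in below ("passive by default"). Passive interfaces are still
 ! advertised; they just never form an adjacency.
 passive-interface default
 ! Only the two trusted transit links may form adjacencies.
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 ! Require MD5 on every interface in area 0: an unauthenticated or
 ! wrongly keyed packet is discarded before any adjacency can form.
 area 0 authentication message-digest
 ! Log each neighbour state change together with the interface it
 ! happened on, so a neighbour appearing where none is expected is visible in syslog.
 log-adjacency-changes detail
 network 10.255.0.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 description transit to core-2 (/31, point-to-point)
 ip address 10.255.0.0 255.255.255.254
 ! Point-to-point: no DR/BDR election and no network LSA for this link.
 ip ospf network point-to-point
 ip ospf message-digest-key 1 md5 <KEY_PLACEHOLDER>
!
interface GigabitEthernet0/1
 description transit to core-3 (/31, point-to-point)
 ip address 10.255.0.2 255.255.255.254
 ip ospf network point-to-point
 ip ospf message-digest-key 1 md5 <KEY_PLACEHOLDER>
!
interface GigabitEthernet0/2
 description host VLAN: covered by passive-interface default, advertised but no adjacency
 ip address 10.10.10.1 255.255.255.0
```

`show ip ospf interface brief` confirms which interfaces are active versus passive and which network type each uses, and `show ip ospf neighbor` should list neighbours only on Gi0/0 and Gi0/1; a neighbour on any other interface, or a %OSPF-5-ADJCHG message for one, is the condition this configuration is meant to make impossible and is worth investigating. Setting `ip ospf network point-to-point` on both ends of every transit link avoids the mismatch chrismarget warns about.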

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 1:44 pm

I do a lot of VPLS solutions, so running OSPF broadcast on the CPEs back into the core so they each speak to each other is extremely common.

chrismarget
Senior Member
Posts:
387
Joined:
Wed Jan 26, 2011 3:38 pm

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 1:51 pm

mellowd wrote: I do a lot of VPLS solutions so running OSPF broadcast on the CPEs back into the core so they each speak to each other is extremely common

Mmm.. That's a good use case. I don't think this particular OSPF security issue will be your primary concern if an attacker is L2 adjacent with your VPLS core :-)

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 1:56 pm

Indeed. We still use ospf authentication as it's a good practice regardless.

Reggle
Post Whore
Posts:
1956
Joined:
Sun May 15, 2011 4:16 pm
Certs:
CCNA Security, CCNP, CCDP

Re: Blackhat-ospf-vulnerability

Thu Aug 04, 2011 2:22 pm

mellowd wrote:Unless you're running IPv6 of course: http://mellowd.co.uk/ccie/?p=1421

If I remember correctly, it is stated by the RFCs that any IPv6 device should support IPsec (not implement, but support). Cisco is violating this guideline then?
http://reggle.wordpress.com

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Blackhat-ospf-vulnerability

Thu Aug 04, 2011 4:19 pm

Reggle wrote:
mellowd wrote:Unless you're running IPv6 of course: http://mellowd.co.uk/ccie/?p=1421

If I remember correctly, it is stated by the RFCs that any IPv6 device should support IPsec (not implement, but support). Cisco is violating this guideline then?

If it is a guideline, it's been violated.


Sent on the move...

just2cool
Member
Posts:
137
Joined:
Fri Dec 24, 2010 12:11 am
Certs:
Expired 350-001

Re: Blackhat-ospf-vulnerability

Sat Aug 06, 2011 3:58 pm

roggy wrote:So simply making sure you have "passive" by default and only enabling on trusted segments works too.

Yup, exactly my thoughts ... no one should build adjacencies on host VLANs for 9 million reasons. Absolutely terrible practice.
