Presentation is loading. Please wait.

Presentation is loading. Please wait.

PROJECT IN COMPUTER SECURITY - 236349 IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012.

Published byAndres Haine Modified over 9 years ago

Similar presentations

Presentation on theme: "PROJECT IN COMPUTER SECURITY - 236349 IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012."— Presentation transcript:

1 PROJECT IN COMPUTER SECURITY - 236349 IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012

2 Project Description In this project we found exploits in the IS-IS routing protocol that will allow attackers to disrupt the normal behavior of any AS running this protocol.

3 What is IS-IS? A link-state advertising routing protocol within autonomous systems (like OSPF), mostly used by ISPs networks.  Link-State Advertising routing protocol – Every switching node (router) in the network constructs a graph representing the network. Each node then independently calculates the best paths to all the other nodes and use them to create a routing table.  Autonomous Systems - A collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.

4 What is IS-IS?  A large domain may be administratively divided into areas to maintain small routing tables.  Routing within an area is referred to as Level 1 routing.  Routing between areas is referred to as Level 2 routing.  Discovering Neighbors  Each intermediate system (e.g. router) sends hello messages to its neighbors periodically.  Constructing the network topology  Each IS floods LSPs to its neighbors and also transmits LSPs of others.  Each IS deduces the topology of its own area using the LSPs it receives.  Building the routing table  Uses Dijkstra's algorithm in order to find shortest paths to all destinations.  Forwarding packets  Looks up in the routing table for the next hop for each destination.

5 Goals  Applying known OSPF attacks on IS-IS.  Finding new weaknesses of IS-IS for possible attacks.  Implementing the attacks on GNS3/Cisco.

6 Applying Known Attacks

7 Max Sequence Number Attack The attacker will send a fake LSP on behalf of other router with seq. number of SequenceModulus. The victim will try to activate the “fight-back” mechanism but it needs to wait MaxAge+ZeroAgeLifetime seconds (≈ 21 minutes) before sending a new LSP with S.N = 1. During this period, the fake LSP will be flooded and accepted among the routers. In OSPF, the attack was possible only in certain implementations.

8 Applying Known Attacks Additional known attacks were also adjusted to the IS-IS protocol. The final report includes more specific details about the modification needed for both these attacks and the presented one. We believe that all known OSPF attacks are also applicable on IS-IS. The adjustments are usually minor and almost trivial.

9 New IS-IS Weaknesses

10 Partition Repair Mechanism

11 Faking an Area Partitioning  In this attack we exploit a weakness in the “partition repair” mechanism in order to cause other routers to favor transmitting more packets through the attacker.  The attacker will activate the “partition repair” by sending a L2 LSP, marking itself as “Partition Designated L2 IS” (PDIS) in addition to the already existing PDIS of their common L1 area.  The ‘real’ PDIS will receive the attacker’s packet and will establish a virtual link to fix a partition that is actually a fake.

12 Faking an Area Partitioning - Continue  The attacker will attach a cost of 0 to this virtual link in his L1 LSPs advertisements for the more routers to choose routing via him.  The result: the attacker will become a preferred passage for more routing paths allowing him to eavesdrop, manipulate or discard more packets.

13 Faking an Area Partitioning - Continue Traffic from B to C will be routed through the attacker after the virtual link establishment because it created a shorter path than before. virtual link through L2 BC

14 Discovering L1 Network Topology  In this attack, a L2 attacker will be able to attain a full topology image of each one of the L1 areas.  Similarly to the previous attack, the attacker will establish a virtual link with the PDIS of another L1 area in the network, causing it to believe that the attacker is a partitioned part of its area.  This is possible by sending a L2 LSP that contains the area address of the victim, marking the attacker as a PDIS.

15 Discovering L1 Network Topology – Cont.  The attacker only needs to wait for L1 LSPs of the L1 routers of the attacked area to be sent over the virtual link.  It is possible to attack every area in the network in order to get a complete image of the whole network.

16 Discovering L1 Network Topology – Cont. virtual link through L2

17 Attacks Implementation

18  Cisco IOS doesn’t support virtual links. Thus, we were unable to implement and test our new attacks.  Therefore, we were asked to implement two known attacks: Disrupting Adjacencies and Disguised LSP.  We used the following tools :  GNS3 with Cisco IOS for 7200 platform.  Wireshark - a network protocol analyzer.  Scapy - a packet manipulation program.

19 Our Topology Attacker 172.16.1.0 172.16.2.0 172.16.3.0 172.16.4.0 172.16.5.0

20 Disrupting Adjacencies  Neighbors relationship in IS-IS is 2-sided. Hence, a link is fully established only if one finds its identity in his neighbor’s neighbors list.  The attacker periodically inject Hello PDUs on behalf of other router with an empty neighbors list.  The victims will then change the status of the link with that router from “Up” to “Initializing”.

21 Disrupting Adjacencies Attacker 172.16.5.0  R1 injects fake empty ‘Hello’s on behalf of R2.  R3 and R4 change their link status with R2 to “Initializing”.  R3 and R4 then remove R2 from their new LSPs.  The path from R6 to R2 through R3 is no longer available.

22 Disrupting Adjacencies System Id Interface State Type R1 Et1/0 Up L1 R2 Et1/0 Up L1 R4 Et1/0 Up L1 R6 Et1/1 Up L1 System Id Interface State Type R1 Et1/0 Up L1 R2 Et1/0 Init L1 R4 Et1/0 Up L1 R6 Et1/1 Up L1  Neighbors list and LSP of R3 before the attack:  Neighbors list and LSP of R3 during the attack:

23 Disrupting Adjacencies Attacker 172.16.5.0 Attacker 172.16.5.0  Running ‘show isis topology’ on router R4 shows us that the routing distance from R4 to R2 got longer to 4 hops. BeforeAfter

24 Disguised LSP  Two LSPs will be considered equal if they have the same sequence number, checksum and ~ age, regardless of their contents. The disguised LSP will be invalidated after ~21 minutes. Ref. Persistent OSPF Attacks Alex Kirshon, Dima Gonikman and Dr. Gabi Nakibly

25 Disguised LSP – Sequence of Events 876.117876.220892.520892.456892.519 Trigger LSP received at R3 and R4. Disguised LSP received at R3 and R4. Trigger LSP received at R8. "Fight back" sent from R8. Disguised LSP received at R8. Attacker sent Trigger & Disguised LSPs on behalf of R8. R7 ignored the fight back due to an early disguised LSP. Time Attacker 172.16.1.0 172.16.2.0 172.16.3.0 172.16.4.0 172.16.5.0

26 Disguised LSP IS-IS TID 0 paths to level-1 routers System Id Metric Next-Hop Interface SNPA R1 10 R1 Et1/0 ca04.10ec.001c R2 10 R2 Et1/0 ca05.10ec.001c R3 10 R3 Et1/0 ca07.11d0.001c R4 -- R5 20 R2 Et1/0 ca05.10ec.001c R6 20 R3 Et1/0 ca07.11d0.001c R7 30 R2 Et1/0 ca05.10ec.001c R3 Et1/0 ca07.11d0.001c R8 40 R2 Et1/0 ca05.10ec.001c R3 Et1/0 ca07.11d0.001c  Before the attack, R4 knows ways to R8 through R2 and R3:

27 Disguised LSP IS-IS TID 0 paths to level-1 routers System Id Metric Next-Hop Interface SNPA R1 10 R1 Et1/0 ca04.10ec.001c R2 10 R2 Et1/0 ca05.10ec.001c R3 10 R3 Et1/0 ca07.11d0.001c R4 -- R5 20 R2 Et1/0 ca05.10ec.001c R6 20 R3 Et1/0 ca07.11d0.001c R7 30 R2 Et1/0 ca05.10ec.001c R3 Et1/0 ca07.11d0.001c R8 **  After the attack, R4 doesn’t know even a single way to R8:

28 Disguised LSP IS-IS TID 0 paths to level-1 routers System Id Metric Next-Hop Interface SNPA R1 30 R5 Et1/0 ca00.0260.001d R6 Et1/0 ca01.0260.001d R2 20 R5 Et1/0 ca00.0260.001d R3 20 R6 Et1/0 ca01.0260.001d R4 30 R5 Et1/0 ca00.0260.001d R6 Et1/0 ca01.0260.001d R5 10 R5 Et1/0 ca00.0260.001d R6 10 R6 Et1/0 ca01.0260.001d R7 -- R8 **  All routers, except R8, fell victim to the attack.  As consequence, the routing table of R7 also been changed:

29 Disguised LSP  All routers, except R8, now believes that R8 doesn’t exist. Attacker 172.16.1.0 172.16.2.0 172.16.3.0 172.16.4.0 172.16.5.0

30 Disguised LSP IS-IS Level-1 Link State Database: LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL R1.00-00 0x00000008 0x8458 989 0/0/0 R2.00-00 0x00000009 0xB3E4 998 0/0/0 R2.02-00 0x00000003 0x53DE 1122 0/0/0 R3.00-00 0x00000004 0x4F48 390 0/0/0 R3.01-00 0x00000005 0x9BBD 988 0/0/0 R3.02-00 0x00000003 0x72BC 1063 0/0/0 R4.00-00 * 0x00000007 0xD4FF 944 0/0/0 R5.00-00 0x00000006 0xB6D2 608 0/0/0 R6.00-00 0x00000006 0x295B 1195 0/0/0 R7.00-00 0x00000006 0x93E6 739 0/0/0 R7.01-00 0x00000002 0xD861 413 0/0/0 R8.00-00 0x00000003 0xF1CD 725 0/0/0 R8.01-00 0x000000A3 0x6F15 609 0/0/0  We used ‘show isis topology’ to inspect R4’s LSDB that contains, among other things, the sequence number of the last LSP that was received. Our seq. number can be seen on the last line, proving our disguised LSP has been accepted.

31 Max Sequence Number Attack R8>show isis database IS-IS Level-1 Link State Database: LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL R1.00-00 0x00000007 0x8657 1118 0/0/0 R2.00-00 0x00000008 0xB5E3 855 0/0/0 R2.02-00 0x00000004 0x51DF 427 0/0/0 R3.00-00 0x00000007 0x494B 907 0/0/0 R3.01-00 0x00000005 0x9BBD 1025 0/0/0 R3.02-00 0x00000005 0x6EBE 1177 0/0/0 R4.00-00 0x00000007 0xD4FF 851 0/0/0 R5.00-00 0x00000007 0xB4D3 631 0/0/0 R6.00-00 0x00000007 0x275C 445 0/0/0 R7.00-00 0x0000000A 0x8BEA 1057 0/0/0 R7.01-00 0x00000005 0xD264 533 0/0/0 R8.00-00 * 0x00000004 0xEFCE 1055 0/0/0 R8.01-00 * 0x00000001 0xB472 1055 0/0/0 … R8> %CLNS-4-LSP_MAXSEQ: ISIS: attempt to exceed LSP maximum sequence number for LSP R8.01-00 … R8> show isis database

32 Conclusions and Insights  We’ve succeeded to theoretically apply all known OSPF attacks on IS-IS.  The adjustments that were done are trivial because the weaknesses are inherent to the link-state approach.  We predict that more attacks can be simulated successfully on IS-IS with relative ease.

Download ppt "PROJECT IN COMPUTER SECURITY - 236349 IS-IS ROUTING ATTACKS Supervisor Gabi Nakibly, Ph.D. Students Bar Weiner, Asaf Mor Spring 2012."

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.
Network Layer – Routing 2 Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Network Layer – Routing 2 Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—8-1 MPLS TE Overview Understanding MPLS TE Components.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—8-1 MPLS TE Overview Understanding MPLS TE Components.
BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.

BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.
Routing Protocol.

Routing Protocol.
By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.

By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.
1 LINK STATE PROTOCOLS (contents) Disadvantages of the distance vector protocols Link state protocols Why is a link state protocol better?

1 LINK STATE PROTOCOLS (contents) Disadvantages of the distance vector protocols Link state protocols Why is a link state protocol better?
Networks: Routing1 Network Layer Routing. Networks: Routing2 Network Layer Concerned with getting packets from source to destination Network layer must.

Networks: Routing1 Network Layer Routing. Networks: Routing2 Network Layer Concerned with getting packets from source to destination Network layer must.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
Routing.

Routing.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.
1 Computer Networks Routing Algorithms. 2 IP Packet Delivery Two Processes are required to accomplish IP packet delivery: –Routing discovering and selecting.

1 Computer Networks Routing Algorithms. 2 IP Packet Delivery Two Processes are required to accomplish IP packet delivery: –Routing discovering and selecting.
1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)

1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
Delivery, Forwarding and

Delivery, Forwarding and
Routing Algorithms (Ch5 of Computer Network by A. Tanenbaum)

Routing Algorithms (Ch5 of Computer Network by A. Tanenbaum)
Link State Routing Protocol W.lilakiatsakun. Introduction (1) Link-state routing protocols are also known as shortest path first protocols and built around.

Link State Routing Protocol W.lilakiatsakun. Introduction (1) Link-state routing protocols are also known as shortest path first protocols and built around.
Open Shortest Path First (OSPF) -Sheela Anand -Kalyani Ravi -Saroja Gadde.

Open Shortest Path First (OSPF) -Sheela Anand -Kalyani Ravi -Saroja Gadde.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.
1 CS 4396 Computer Networks Lab Dynamic Routing Protocols - II OSPF.

1 CS 4396 Computer Networks Lab Dynamic Routing Protocols - II OSPF.

Similar presentations

Ads by Google