Routing Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

Routing Attacks

Slides: 41
Provided by: yianh

Transcript and Presenter's Notes

Title: Routing Attacks


1
Routing Attacks
  • CS 6262 Fall 03
  • (Monday, 10/21/2002)

2
Routing Infrastructure Security Issues
  • What is involved in routing?
  • How is it typically done?
  • Some attack examples

3
Routing Concept and Protocols
  • Routing information
  • Routing information exchange protocols
  • RIP (Routing Information Protocol)
  • OSPF (Open Shortest Path First Protocol)
  • BGP (Border Gateway Protocol)
  • Comparison

4
Routing
[Figure: SRC and DST connected through routers/switches]
"I want to know the shortest path."
So, the routers must exchange local information!

5
IP Routing
  • Routing is based on network addresses
  • Routers use a forwarding table
      • Destination, next hop, network interface, metric
  • Table look-up for each packet
  • Need to recognize address structure
  • Routing information exchange allows computation
    of new routes, which are used to update the
    forwarding table

6
Routing Protocol Framework - Information Model
[Figure: OSPF, RIPv2 and BGP4, each with a RIB; Forwarding Information Base (FIB) holding (Dest, NextHop, Routing Metrics); forwarding algorithm; forwarding decision; NPDU (Network Protocol Data Unit) header]

7
Routing Information
  • Link State: "I have these links to XYZ (routers or
    networks); their current status is ... (e.g.,
    delay)"
  • Distance Vector: "I can get to XYZ (networks) in m
    hops"

8
Distribution of Routes - Distance Vector
Every node sends its neighbors a vector of the number of
hops for reaching each other node.
[Figure: nodes A, B and C]

9
Link State

A node sends to its neighbors the state of
its directly connected links (up/down and costs).
Each node that receives the information forwards
it to all its neighbors.

10
Routing Protocol Framework --Operation Model
  • Neighbor Acquisition
  • Neighbor Reachability
  • Routing Information Exchange
  • Route Generation and Selection
  • Neighbor Relationship Termination

11
Operation Model - Neighbor Acquisition
"HELLO?"
"I AM HERE!"

12
Operation Model - Neighbor Reachability
"ARE YOU ALIVE?"
"OF COURSE, I AM!"

13
Operation Model - Routing Information Exchange
"Hey, here is the routing information I got so far."
"Hmm, some of them are obsolete. Here is my update."

14
Operation Model - Route Generation and Selection
[Figure labels: application layer, network layer]

15
Operation Model - Neighbor Relationship Termination
"Good Bye"
"See You Later"

16
Routing Security
  • Routing Information Exchange
      • correctness of Routing Information Base
  • Interface between RIB and FIB
      • configuration, FIB update etc.
  • Kernel-Level (IP) Packet Forwarding
      • Is the packet forwarded according to the FIB?

17
RIP
  • Routing Information Protocol is a simple distance
    vector protocol
  • Initialization
      • When the routing daemon is initialized, it sends
        requests through each network interface
      • Neighboring routers will reply with routing table
        information
  • Updates
      • Routers advertise tables to neighbors
        periodically (every 30 seconds) or when triggered
        by route changes.

18
RIP - Cont'd
  • To prevent route oscillation, existing routes are
    retained until a new one is discovered with
    strictly lower cost
  • Split-Horizon Update
      • A router does not advertise a route on the
        interface from which it learned of the route in
        the first place!

19
Properties - RIP
  • Good news travels fast; bad news travels slowly
      • Routing loop, routing inconsistency, and slow
        convergence
  • Security
      • RIPv2 provides simple password authentication
      • Black hole routers possible

20
Route Convergence - good news
[Figure: network A and routers G1-G5; link labels 1, 1, 1, 1, 1; distance labels A 0, A 1, A 2, A 3, A 4, A 5]
  • G1 happily advertises a route to network A with
    distance 1
  • G2-G5 quickly learn the good news and install
    the routes

21
Route Convergence - bad news
[Figure: network A and routers G1-G5; link labels 8, 1, 1, 1, 1; distance labels A 0, A 3, A 2, A 3, A 4, A 5]
  • G1's link to A goes down
  • G1 learns a better route via G2
  • Packets going to A through G2 will loop between
    G2 and G1
  • G1 and G2 will find the cost of their routes to
    A slowly count to infinity
  • Use a number, e.g., 16, to approximate infinity
  • Split horizon only prevents loops involving two
    nodes

22
Black Hole
[Figure: routers A, B, C, D, E, F, "You" (G) and "Your Neighbor" (H); route labels "A: 3 hops, B: 2 hops, C: 2 hops" and "A: 1 hop"; caption: "Who won't jump on a better route?"]
  • C lies easily about routes to A
  • Your neighbor and you look into the routes

23
Food for Thought...
  • RIP implicitly assumes every router is trusted
    and so are routing information packets
  • Every router is entitled to tell others "I have a
    short cut to Pluto that is just one hop"
  • Is it possible to prevent RIP black hole attacks?
  • Is it possible to detect RIP black hole routers?

24
One possible improvement
  • The predecessor is the second-to-last network in the
    path from the source to the destination
  • Inclusion of predecessor allows implicit
    reconstruction of the whole path
  • Helps to validate the integrity of distance

25
Predecessor
[Figure: routers A, B, C, D, E, F, "You" (G) and "Your Neighbor" (H); labels "A B" (repeated), "A F" and "A 1 hop"; table entries: A B 4, B D 3, C C 1, D G 2, E G 2, F B 4, G G 1]
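
The predecessor check from slides 24-25, as an added example that is not part of the original slides: it rebuilds each path from predecessor entries and rejects a hop count that does not fit it. Reading the figure's table text as (destination, predecessor, hops) rows and treating a self-named entry as directly attached are assumptions; the forged table is constructed.

```python
# Added example: (destination, predecessor, hops) rows taken from the slide 25
# table text. Reading the three columns this way is an assumption.
H_TABLE = {
    "A": ("B", 4), "B": ("D", 3), "C": ("C", 1), "D": ("G", 2),
    "E": ("G", 2), "F": ("B", 4), "G": ("G", 1),
}

# Constructed sample: the same table with A claimed at 2 hops behind B,
# although B itself is listed at 3 hops.
FORGED_TABLE = dict(H_TABLE, A=("B", 2))


def reconstruct_path(table, dest):
    """Walk predecessor entries back from dest and return the path.

    The path is listed nearest hop first. ValueError is raised when a
    claimed hop count does not match the path the predecessors imply.
    """
    if dest not in table:
        raise ValueError(f"{dest}: no entry")
    path, node = [], dest
    while True:
        pred, hops = table[node]
        path.append(node)
        if pred == node:
            # Assumed convention: a directly attached entry names itself.
            if hops != 1:
                raise ValueError(f"{dest}: direct entry {node} claims {hops} hops")
            return path[::-1]
        # Each step back must be known and exactly one hop closer.
        if pred not in table or table[pred][1] != hops - 1:
            raise ValueError(f"{dest}: {node} at {hops} hops does not fit predecessor {pred}")
        node = pred


def inconsistent_entries(table):
    """Return {destination: reason} for entries that fail reconstruction."""
    bad = {}
    for dest in sorted(table):
        try:
            reconstruct_path(table, dest)
        except ValueError as exc:
            bad[dest] = str(exc)
    return bad


if __name__ == "__main__":
    print(reconstruct_path(H_TABLE, "A"))
    print(inconsistent_entries(FORGED_TABLE))
```

An entry that claims a direct link (predecessor equal to the destination, one hop) passes this check, so it validates distances along a path rather than the existence of the first link.
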
26
OSPF
  • Link State routing protocol (RFC1583)
  • Routers are organized in domains and areas
  • Hello message for neighbor acquisition
  • Link State information are flooded through the
    whole area
  • A topology database is maintained by every router

27
Important LSA Fields
  • Advertising router ID (originator)
  • Advertised link or network ID
  • Sequence number: 0x80000001 to 0x7fffffff
  • Age: 0 to 60 minutes

28
When to Originate a LSA?
  • Upon link state changes, or
  • Upon timer expiration

29
Questions to Ask
  • How do you know one LSA is fresher than the
    other?
  • An LSA originated by you will be received by
    every router. Will you receive the LSA originated
    by you?
  • Will the sequence number wrap-around cause any
    problem? (i.e., 0x7fffffff)
  • Age: 1 hour

30
Sequence: old vs. new LSAs
[Figure: ATM network; LSA with sequence number 0x80000001; next: 0x80000002]
Only accept LSAs with newer/larger Seq.

31
Sequence: Self-Stabilization
[Figure: ATM network; link marked "up"]
(1) 0x90001112
(2) router crashes
(3) 0x80000001
(4) 0x90001112: an old copy still exists!
(5) 0x90001113

32
Flushing via Premature Aging
Specified behavior when Seq wraps around
(1),(2),(3)
33
Attack the Routing Infrastructure (Vicious Advertising Routers)
[Figure: flooding; links marked "up"; one router marked "EVIL!" with labels "1. up down" and "2. not exist up"]
Impact varies depending on how critical the link
is to the world!

34
Attack the Routing Infrastructure (Vicious Intermediate Routers)
[Figure: flooding; links marked "up"; one intermediate router marked "EVIL!"]
All the links can be attacked
Authentication, please come to the rescue!

35
Exchanging without LSA Signature?
If attackers can just change the content of LSAs
without being detected, the routers must use all
LSAs with care!

36
Fight-Back - Originator Reaction
[Figure: ATM network; sequence numbers (Seq)]
(1) 0x90001112
(2) 0x90001113 seq attack
(3) 0x90001114 fight-back

37
Signature - How Critical?
  • Observations
  • Prolonged fight-back will not happen in real
    attacks
  • What's preventing the attacker from using
    LS_seq = MaxSeq?
  • Can you prevent false LSAs without signatures?
  • Can you determine who did it after you realize
    that you've been fooled, without signatures?
  • What needs to be signed by whom anyway?

38
OSPF Security Strength
  • In most benign cases, if something goes wrong,
    the advertising router will detect it and try to
    correct it by generating new LSAs
  • The attackers have to persistently inject bad
    LSAs in order for it to stick
  • Self-Stabilization Protocols force the attackers
    to perform persistent attacks
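
The originator's fight-back reaction (slide 36) and the point that attackers must inject persistently (slide 38), as an added example that is not part of the original slides. The class name, the return values and the `alert_after` threshold are hypothetical; the sequence-number values are the ones shown on the slides.

```python
INITIAL_SEQ = 0x80000001  # lowest sequence number (slide 27)
MAX_SEQ = 0x7FFFFFFF      # highest sequence number (slide 27)


def signed32(seq):
    """Read a 32-bit LS sequence number as the signed value that is compared."""
    return seq - (1 << 32) if seq & 0x80000000 else seq


def is_newer(a, b):
    """True when sequence number a is fresher than b."""
    return signed32(a) > signed32(b)


class OriginatorMonitor:
    """Fight-back logic for one self-originated LSA, with an attack counter.

    alert_after is a hypothetical threshold: one fight-back can be a benign
    restart (slide 31); repeated ones mean someone keeps injecting.
    """

    def __init__(self, seq=INITIAL_SEQ, alert_after=3):
        self.seq = seq
        self.alert_after = alert_after
        self.fight_backs = 0

    def on_own_lsa_received(self, seq):
        """Handle a flooded LSA that names this router as originator.

        Returns (action, alert) where action is "ignore", "fight-back" or
        "flush" (premature aging, then restart at INITIAL_SEQ).
        """
        if not is_newer(seq, self.seq):
            return "ignore", False            # echo or stale copy
        self.fight_backs += 1
        alert = self.fight_backs >= self.alert_after
        if seq == MAX_SEQ:
            # Cannot go higher: flush the instance and start over.
            self.seq = INITIAL_SEQ
            return "flush", alert
        self.seq = (seq + 1) & 0xFFFFFFFF     # outbid the injected copy
        return "fight-back", alert
```
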

39
Detection of Hit-and-Run vs. Persistent Attacks
  • Hit-and-Run Attacks: Hard to Detect/Isolate
      • Inject one (or very few) bad packets but cause
        a lasting damaging effect
  • Persistent Attacks
      • Attackers have to continuously inject attack
        packets in order to inflict significant damage
  • OSPF-type Link State protocols are resilient
    to hit-and-run attacks

40
Secure Protocol/system Design?
  • If we can force the attackers to launch
    persistent attacks, we have a better chance to
    detect and isolate the attack sources
  • OSPF flooding coupled with periodic LSA does a
    fairly good job because it is refreshing link
    state persistently!
  • What other implications does flooding have for
    security?

41
Security Efforts
  • Perlman: Digital signatures against Byzantine
    failures
  • Murphy: Signatures in advertisement
  • Kent: BGP path verification
  • Smith: Signatures in BGP
  • Smith: Predecessor in DV protocols
  • Hauser: Efficient link-state updates
  • Zhang: One-time signature on message chains
  • Goodrich: Leap-frog signature using secret key
    cryptography
  • Detection: Cheung, Bradley, Wu