BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.

BY MICHAEL SUDKOVITCHAND DAVID ROITMAN

U N D E R T H E G U I D A N C E O F D R . G A B I N A K I B LY

OSPF Security project:Summary

Project goals

Find OSPF vulnerabilities.

Investigate new means of disrupting traffic in networks running OSPF.

Implement our attacks and measure their effectiveness.

Project milestones

• Detailed Study of RFC 2328 (OSPFv2).• Research on known attacks implemented so

far.• Learning to work with OMNet++

Environment and constructing sample networks using it.

• Invention of new attacks on OSPF.• Implementation of the attacks using OMNet+

+.• Collecting and analyzing the attack’s results.

Introduction to OSPF

OSPF: Open Shortest Path First (RFC 2328)

OSPF is a routing protocol designed to work on Autonomous Systems (AS)

Provides shortest path routes to any destination in the AS.

How does it work?

Routers discover one another using Hello messages.

They use LSA messages to exchange routing information between themselves.

Using LSA, each OSPF router creates a graph representing the structure of the AS.

All the OSPF routers in the network eventually converge to the same graph.

From that graph the OSPF router builds a shortest path tree with itself as root using the Dijkstra algorithm.

Assumptions

Our only assumption is that we have full control over a single OSPF router. From there, we have to cause maximum damage to the AS. Therefore, overcoming OSPF Authentication

Protection is trivial, since the authentication key is known to us.

Proposed Attacks Introduction

We discovered and implemented three different attacks on the OSFP algorithm.

Our attacks exploit the Hello algorithm and a special kind of LSA messages, called Network LSAs.

These Network LSAs are being sent by a DR – a Designated Router, which is elected amongst other routers adjacent to a network – according to a pre-set priority of each router.

Proposed Attacks Introduction - cont.

There are two main types of networks, transit and stub.

Transit networks allow the travel of foreign packets through them. Stubs do not.

We exploit weaknesses in the Designated router election process in order to eliminate the network LSAs being sent by that network.

Once a transit network is deprived of it’s network LSAs, it becomes a stub.

All routes that used to pass through it, now can not.

Our example AS

Attack 1

Can be launched on the compromised router only.The compromised router falsifies its priority to be

the highest possible.It is then elected to be the DR for its network.And then stops sending Network LSA.Once no Network LSAs are sent for a specific

network, it becomes a stub network; new routes must be set; connectivity may be broken.

Pros: Easy implementation.Cons: The compromised router may be easily

spotted.

Attack 2

Can be launched upon routers adjacent to the attacker.

The compromised router A sends Hello messages, impersonating himself as a neighboring router B.

Router A also advertises a false high priority for B.

Hence, B is elected to become a DR without knowing it.

B will not send Network LSAs because it is not aware of itself being a DR.

Pros: The actual attacker is hidden! He is also able to choose which router to attack.

Cons: Somewhat more difficult to implement.

Attack 2 statistics

Attack 3

The compromised router can target any network in the AS.

The compromised router sends a malicious hello message with high priority to the designated router of some network.

That designated router then thinks that the attacking router will now be the new DR. Hence, it stops sending network LSAs and relinquishes DR control.

The attacking router doesn’t send them either.

The network becomes a stub.

Attack 3 statistics

Example - Before the attack

H3 to H2 cost is 6H1 to H2 cost is 3H4 to H2 cost is 7

Example - After an attack on N1

H3 to H2 cost was 6 now 8

H 1 to H2 cost was 3 now 9

H4 to H2 cost was 7 now 11

Comparing the two attacks

Conclusions: Choosing an attack

Which attack should we choose. Attack 2 is always preferable to attack 1. Attacks 2 and 3 have different effects. Possible to combine between attacks.

Which network should we choose to attack. Some networks are more vulnerable to attack

then others. Especially networks that create a partition. Attack 3 can reach more distant networks.