PROJECT IN COMPUTER SECURITY - 236349
IS-IS ROUTING ATTACKS
Supervisor
Gabi Nakibly, Ph.D.
Students
Bar Weiner, Asaf Mor
Spring 2012
Project Description
In this project we found exploits in the IS-IS routing protocol that allow attackers to disrupt the normal behavior of any AS running this protocol.
What is IS-IS?
A link-state routing protocol for routing within autonomous systems (like OSPF), mostly used in ISP networks.

Link-state routing protocol: every switching node (router) in the network constructs a graph representing the network. Each node then independently calculates the best paths to all the other nodes and uses them to build its routing table.
Autonomous System: a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.
What is IS-IS?
A large domain may be administratively divided into areas to keep routing tables small.
Routing within an area is referred to as Level 1 routing.
Routing between areas is referred to as Level 2 routing.
Discovering Neighbors
Each intermediate system (e.g. router) sends hello messages to its neighbors periodically.
Constructing the network topology
Each IS floods its LSPs to its neighbors and also retransmits the LSPs of others.
Each IS deduces the topology of its own area from the LSPs it receives.
Building the routing table
Each IS uses Dijkstra's algorithm to find the shortest paths to all destinations.
Forwarding packets
Each IS looks up the next hop for each destination in its routing table.
Goals
Applying known OSPF attacks to IS-IS.
Finding new weaknesses of IS-IS for possible attacks.
Implementing the attacks on GNS3/Cisco.
Applying Known Attacks
Max Sequence Number Attack
The attacker sends a fake LSP on behalf of another router with sequence number SequenceModulus. The victim will try to activate the "fight-back" mechanism, but it must wait MaxAge+ZeroAgeLifetime seconds (≈ 21 minutes) before it can send a new LSP with sequence number 1. During this period, the fake LSP is flooded and accepted among the routers.
In OSPF, this attack was possible only in certain implementations.
Applying Known Attacks
Additional known attacks were also adjusted to the IS-IS protocol. The final report includes more specific details about the modifications needed for those attacks and for the one presented here.
We believe that all known OSPF attacks are also applicable to IS-IS. The adjustments are usually minor and almost trivial.
New IS-IS Weaknesses
Partition Repair Mechanism
Faking an Area Partitioning
In this attack we exploit a weakness in the "partition repair" mechanism in order to cause other routers to favor sending more packets through the attacker.
The attacker activates "partition repair" by sending an L2 LSP that marks itself as "Partition Designated L2 IS" (PDIS), in addition to the already existing PDIS of their common L1 area.
The 'real' PDIS receives the attacker's packet and establishes a virtual link to repair a partition that does not actually exist.
Faking an Area Partitioning - Continued
The attacker attaches a cost of 0 to this virtual link in its L1 LSP advertisements so that more routers choose to route via it.
The result: the attacker becomes a preferred passage for more routing paths, allowing it to eavesdrop on, manipulate or discard more packets.
Faking an Area Partitioning - Continued
Traffic from B to C is routed through the attacker after the virtual link is established, because the link created a shorter path than before.
[Figure: routers B and C, with the virtual link through L2 passing via the attacker]
Discovering L1 Network Topology
In this attack, an L2 attacker is able to obtain a full topology image of each one of the L1 areas.
Similarly to the previous attack, the attacker establishes a virtual link with the PDIS of another L1 area in the network, causing it to believe that the attacker is a partitioned part of its area.
This is possible by sending an L2 LSP that contains the area address of the victim and marks the attacker as a PDIS.
Discovering L1 Network Topology – Cont.
The attacker only needs to wait for the L1 LSPs of the L1 routers of the attacked area to be sent over the virtual link.
It is possible to attack every area in the network in order to get a complete image of the whole network.
Discovering L1 Network Topology – Cont.
[Figure: virtual link through L2 between the attacker and the victim L1 area]
Attacks Implementation
Cisco IOS doesn't support virtual links. Thus, we were unable to implement and test our new attacks.
Therefore, we were asked to implement two known attacks: Disrupting Adjacencies and Disguised LSP.
We used the following tools:
- GNS3 with Cisco IOS for the 7200 platform.
- Wireshark - a network protocol analyzer.
- Scapy - a packet manipulation program.
Our Topology
[Figure: lab topology with the attacker and the subnets 172.16.1.0, 172.16.2.0, 172.16.3.0, 172.16.4.0 and 172.16.5.0]
Disrupting Adjacencies
Neighbor relationships in IS-IS are two-sided. Hence, a link is fully established only if a router finds its own identity in its neighbor's neighbor list.
The attacker periodically injects Hello PDUs on behalf of another router with an empty neighbor list.
The victims then change the status of the link with that router from "Up" to "Initializing".
Disrupting Adjacencies
R1 injects fake empty 'Hello's on behalf of R2.
R3 and R4 change their link status with R2 to "Initializing".
R3 and R4 then remove R2 from their new LSPs.
The path from R6 to R2 through R3 is no longer available.
[Figure: the lab topology with the attacker on 172.16.5.0]
Disrupting Adjacencies
Neighbors list and LSP of R3 before the attack:
System Id  Interface  State  Type
R1         Et1/0      Up     L1
R2         Et1/0      Up     L1
R4         Et1/0      Up     L1
R6         Et1/1      Up     L1

Neighbors list and LSP of R3 during the attack:
System Id  Interface  State  Type
R1         Et1/0      Up     L1
R2         Et1/0      Init   L1
R4         Et1/0      Up     L1
R6         Et1/1      Up     L1
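The adjacency regression shown in the two tables above is something an operator can watch for by polling the neighbor table. The following is an added example (not code from the project) that parses tables in the slides' layout and flags a neighbor that repeatedly falls from Up back to Init, the signature of injected empty Hellos; the polls and timestamps are constructed.

```python
import re


def parse_neighbor_table(text):
    """Parse a neighbor table in the layout printed on the slides (header 'System Id  Interface  State  Type',
    columns separated by two or more spaces) into {system_id: STATE}. Columns are located by header name."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0])
    sys_col, state_col = header.index("System Id"), header.index("State")
    states = {}
    for line in lines[1:]:
        cols = re.split(r"\s{2,}", line)
        if len(cols) > max(sys_col, state_col):
            states[cols[sys_col]] = cols[state_col].upper()
    return states


def adjacency_regressions(snapshots, threshold=2):
    """snapshots: [(timestamp, table_text), ...] in time order, e.g. periodic polls of the neighbor table.
    An adjacency falling from Up back to Init while its interface stays up, and doing so repeatedly, is the
    pattern described on the slides: the fake empty Hellos push it to Init, the real neighbour's Hellos
    pull it back to Up. Returns {system_id: [timestamps of each Up -> Init regression]} for neighbours
    that regressed at least `threshold` times."""
    regressions, prev = {}, {}
    for ts, text in snapshots:
        cur = parse_neighbor_table(text)
        for sysid, state in cur.items():
            if prev.get(sysid) == "UP" and state == "INIT":
                regressions.setdefault(sysid, []).append(ts)
        prev = cur
    return {s: t for s, t in regressions.items() if len(t) >= threshold}


# Constructed polls of R3's neighbor table, following the before/during tables on the slides.
HEALTHY = """\
System Id  Interface  State  Type
R1         Et1/0      Up     L1
R2         Et1/0      Up     L1
R4         Et1/0      Up     L1
R6         Et1/1      Up     L1
"""
# Same table with R2 knocked back to Init (constructed "during the attack" poll).
R2_INIT = re.sub(r"^(R2\s+Et1/0\s+)Up", r"\1Init", HEALTHY, flags=re.M)
# Timestamps in seconds; R2 flaps twice while every other adjacency stays Up.
POLLS = [(0, HEALTHY), (10, R2_INIT), (20, HEALTHY), (30, R2_INIT), (40, HEALTHY)]

if __name__ == "__main__":
    print(adjacency_regressions(POLLS))  # {'R2': [10, 30]}
```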
Disrupting Adjacencies
Running 'show isis topology' on router R4 shows that the routing distance from R4 to R2 has grown to 4 hops.
[Figure: topology before and after the attack, attacker on 172.16.5.0]
Disguised LSP
Two LSPs are considered equal if they have the same sequence number, checksum and approximately the same age, regardless of their contents.
The disguised LSP will be invalidated after ~21 minutes.
Ref. Persistent OSPF Attacks, Alex Kirshon, Dima Gonikman and Dr. Gabi Nakibly
Disguised LSP – Sequence of Events
1. The attacker sends the Trigger and Disguised LSPs on behalf of R8.
2. The Trigger LSP is received at R3 and R4.
3. The Disguised LSP is received at R3 and R4.
4. The Trigger LSP is received at R8.
5. "Fight back" is sent from R8.
6. The Disguised LSP is received at R8.
7. R7 ignores the fight back due to the earlier disguised LSP.
Capture timestamps (seconds) shown on the slide: 876.117, 876.220, 892.456, 892.519, 892.520.
[Figure: the lab topology with the attacker and the subnets 172.16.1.0 to 172.16.5.0]
Disguised LSP
Before the attack, R4 knows ways to R8 through R2 and R3:
IS-IS TID 0 paths to level-1 routers
System Id  Metric  Next-Hop  Interface  SNPA
R1         10      R1        Et1/0      ca04.10ec.001c
R2         10      R2        Et1/0      ca05.10ec.001c
R3         10      R3        Et1/0      ca07.11d0.001c
R4         --
R5         20      R2        Et1/0      ca05.10ec.001c
R6         20      R3        Et1/0      ca07.11d0.001c
R7         30      R2        Et1/0      ca05.10ec.001c
                   R3        Et1/0      ca07.11d0.001c
R8         40      R2        Et1/0      ca05.10ec.001c
                   R3        Et1/0      ca07.11d0.001c
Disguised LSP
After the attack, R4 doesn't know even a single way to R8:
IS-IS TID 0 paths to level-1 routers
System Id  Metric  Next-Hop  Interface  SNPA
R1         10      R1        Et1/0      ca04.10ec.001c
R2         10      R2        Et1/0      ca05.10ec.001c
R3         10      R3        Et1/0      ca07.11d0.001c
R4         --
R5         20      R2        Et1/0      ca05.10ec.001c
R6         20      R3        Et1/0      ca07.11d0.001c
R7         30      R2        Et1/0      ca05.10ec.001c
                   R3        Et1/0      ca07.11d0.001c
R8         **
Disguised LSP
All routers, except R8, fell victim to the attack.
As a consequence, the routing table of R7 has also changed:
IS-IS TID 0 paths to level-1 routers
System Id  Metric  Next-Hop  Interface  SNPA
R1         30      R5        Et1/0      ca00.0260.001d
                   R6        Et1/0      ca01.0260.001d
R2         20      R5        Et1/0      ca00.0260.001d
R3         20      R6        Et1/0      ca01.0260.001d
R4         30      R5        Et1/0      ca00.0260.001d
                   R6        Et1/0      ca01.0260.001d
R5         10      R5        Et1/0      ca00.0260.001d
R6         10      R6        Et1/0      ca01.0260.001d
R7         --
R8         **
Disguised LSP
All routers, except R8, now believe that R8 doesn't exist.
[Figure: the lab topology with the attacker and the subnets 172.16.1.0 to 172.16.5.0]
Disguised LSP
We used 'show isis topology' to inspect R4's LSDB, which contains, among other things, the sequence number of the last LSP that was received. Our sequence number can be seen on the last line, proving that our disguised LSP has been accepted.
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num   LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00   0x00000008    0x8458        989           0/0/0
R2.00-00   0x00000009    0xB3E4        998           0/0/0
R2.02-00   0x00000003    0x53DE        1122          0/0/0
R3.00-00   0x00000004    0x4F48        390           0/0/0
R3.01-00   0x00000005    0x9BBD        988           0/0/0
R3.02-00   0x00000003    0x72BC        1063          0/0/0
R4.00-00 * 0x00000007    0xD4FF        944           0/0/0
R5.00-00   0x00000006    0xB6D2        608           0/0/0
R6.00-00   0x00000006    0x295B        1195          0/0/0
R7.00-00   0x00000006    0x93E6        739           0/0/0
R7.01-00   0x00000002    0xD861        413           0/0/0
R8.00-00   0x00000003    0xF1CD        725           0/0/0
R8.01-00   0x000000A3    0x6F15        609           0/0/0
Max Sequence Number Attack
R8>show isis database
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num   LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00   0x00000007    0x8657        1118          0/0/0
R2.00-00   0x00000008    0xB5E3        855           0/0/0
R2.02-00   0x00000004    0x51DF        427           0/0/0
R3.00-00   0x00000007    0x494B        907           0/0/0
R3.01-00   0x00000005    0x9BBD        1025          0/0/0
R3.02-00   0x00000005    0x6EBE        1177          0/0/0
R4.00-00   0x00000007    0xD4FF        851           0/0/0
R5.00-00   0x00000007    0xB4D3        631           0/0/0
R6.00-00   0x00000007    0x275C        445           0/0/0
R7.00-00   0x0000000A    0x8BEA        1057          0/0/0
R7.01-00   0x00000005    0xD264        533           0/0/0
R8.00-00 * 0x00000004    0xEFCE        1055          0/0/0
R8.01-00 * 0x00000001    0xB472        1055          0/0/0
…
R8> %CLNS-4-LSP_MAXSEQ: ISIS: attempt to exceed LSP maximum sequence number for LSP
R8.01-00
…
R8> show isis database
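Both the disguised LSP (R8.01-00 sitting at 0xA3 in R4's LSDB while every other LSP is below 0x0A) and the max sequence number attack (the %CLNS-4-LSP_MAXSEQ message followed by R8.01-00 restarting at 0x00000001) leave a trace in 'show isis database' output. The following is an added example (not code from the project) that parses two such listings and flags sequence number jumps, LSPs pinned at SequenceModulus-1, and sequence numbers that went backwards; the snapshots are constructed in the IOS layout with values taken from the slides.

```python
import re

SEQUENCE_MODULUS = 2 ** 32  # ISO 10589 SequenceModulus; the highest usable sequence number is SequenceModulus - 1

# One row of a Cisco 'show isis database' listing; a '*' after the LSPID marks a self-originated LSP.
LSDB_ROW = re.compile(
    r"^(?P<lspid>\S+\.\d\d-\d\d)\s+\*?\s*(?P<seq>0x[0-9A-Fa-f]{8})\s+"
    r"(?P<cksum>0x[0-9A-Fa-f]{4})\s+(?P<hold>\d+)\s+(?P<flags>\d/\d/\d)$"
)


def parse_isis_database(text):
    """Return {LSPID: (seq_num, checksum, holdtime)} for every LSP row in the listing."""
    db = {}
    for line in text.splitlines():
        m = LSDB_ROW.match(line.strip())
        if m:
            db[m["lspid"]] = (int(m["seq"], 16), int(m["cksum"], 16), int(m["hold"]))
    return db


def lsdb_anomalies(before, after, max_jump=16):
    """Compare two LSDB snapshots of the same router and return a list of (LSPID, reason).
    - jump larger than max_jump: an LSP with an inflated sequence number was accepted (the disguised LSP)
    - sequence number at SequenceModulus-1: the max sequence number attack (or a genuine wrap)
    - sequence number went backwards: the originator restarted the LSP at 1 after the purge period"""
    findings = []
    for lspid, (seq, _cksum, _hold) in after.items():
        if seq == SEQUENCE_MODULUS - 1:
            findings.append((lspid, "seq at SequenceModulus-1: max sequence number attack or wrap"))
        if lspid in before:
            old_seq = before[lspid][0]
            if seq - old_seq > max_jump:
                findings.append((lspid, f"seq jumped {old_seq:#x} -> {seq:#x}"))
            elif seq < old_seq:
                findings.append((lspid, f"seq went backwards {old_seq:#x} -> {seq:#x}"))
    return findings


# Constructed snapshots of R4's LSDB; the R8.01-00 'after' row carries the values shown on the slide.
BEFORE = """\
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R4.00-00            * 0x00000007   0xD4FF        944               0/0/0
R8.00-00              0x00000003   0xF1CD        725               0/0/0
R8.01-00              0x00000002   0xB472        1100              0/0/0
"""
AFTER = BEFORE.replace("0x00000002   0xB472        1100", "0x000000A3   0x6F15        609")

if __name__ == "__main__":
    for lspid, reason in lsdb_anomalies(parse_isis_database(BEFORE), parse_isis_database(AFTER)):
        print(lspid, reason)  # R8.01-00 seq jumped 0x2 -> 0xa3
```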
Conclusions and Insights
We succeeded in theoretically applying all known OSPF attacks to IS-IS.
The adjustments that were needed are trivial because the weaknesses are inherent to the link-state approach.
We predict that more attacks can be simulated successfully on IS-IS with relative ease.