Re: Possible hi-jacking of ospf chain.

[Syv Ritch <syv () 911networks com>]

On Wed, 3 Jan 2007 20:46:08 -0800
"Xiaoyong Wu" <xiaoyong.wu () gmail com> wrote:

> I was involved in one of DARPA projects called JiNao which was an
> intrusion detection system for network architectures. There are
> several papers on this project that might be helpful.
> Here are some of them with some information regarding OSPF issues
> and attacks: http://citeseer.ist.psu.edu/jou00design.html
> http://citeseer.ist.psu.edu/387416.html

First you should always use MD5 as an encryption, instead of
plain-text. Now, in theory it's possible, but not easy or simple to
hijack OSPF. 

1. The routing table is ONLY local to the local router. In OSPF the
routing table is never sent across. The routing table is calculated by
each router according to it's LSA table that it has received from the
DR [designated router] or the BDR [backup designated router] if the
DR is down.

2. All routers establish a neighborship with the DR after the DR/BDR
election, [as long as you don't use Point-to-Point relationship].

To inject so called bad LSAs in real life [not in a lab], you will need:

A. Know the OSPF network design or if you intercept the packets, you
will have to reverse engineer the LSA table from the Designated
Router.

B. Create the fake LSA packets, send them to the DR. 

C. Let OSPF do the rest.

D. Every 30 minutes, resend the fake LSA packets. By default, OSPF
resend the whole LSA table every 30 minutes.

> Regards,
> -Xiaoyong
>
> On 1/3/07, Nikolaj <lorddoskias () gmail com> wrote:
> > dhess () na cokecce com wrote:
> > > With this password you could create an OSPF neighbor on the
> > > target network and pollute the route table in whatever fashion
> > > you wish... you could begin routing traffic through you to do
> > > packet capture and analysis or you could route traffic to a
> > > black hole, thereby creating a DOS. Best practice is to use MD5
> > > hashing for OSPF passwords.
> > >
> > > Dennis
> > >
> > >
> > >
> > > *Nikolaj <lorddoskias () gmail com>*
> > > Sent by: listbounce () securityfocus com
> > >
> > > 01/03/2007 06:07 AM
> > >
> > >
> > > To
> > >       pen-test () securityfocus com
> > > cc
> > >
> > > Subject
> > >       Possible hi-jacking of ospf chain.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Hello,
> > >
> > >
> > > Happy New Year to everyone, that's first. :)
> > >
> > > I'm observing the traffic flow in my network and I see some
> > > strange behavior with the OSPF packets. All of them contain
> > > plain-text password. I was wondering whether it was possible to
> > > join the OSPF chain and route  the traffic to /dev/null let's
> > > say and thus render the network traffic unavailable? Or what
> > > can be done with this password? It's in the OSPF LS Acknowledge
> > > and OSPF Hello packet.
> > >
> > > ------------------------------------------------------------------------
> > > This List Sponsored by: Cenzic
> > >
> > > Need to secure your web apps?
> > > Cenzic Hailstorm finds vulnerabilities fast.
> > > Click the link to buy it, try it or download Hailstorm for FREE.
> > >
> > > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > > ------------------------------------------------------------------------
> >
> > Very interesting. I'm talking about a network based on the
> > open-source package quagga. Can you give some links to paper that
> > describe possible attaks, or the best way is to download and
> > install quagga on my machine and start playing with the router
> > tables?
> >
> > Regards.
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> >
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------


-- 
Thanks
http://www.911networks.com
When the network has to work

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------