Attacks on Dynamic Routing Protocols
| Attack ID: | CPSA-2004-03 |
| Publish Date: | |
| Last Update: | |
| Category: | Attacks on Dynamic Routing Protocols |
| Vulnerable Systems: | Any device implementing a dynamic routing protocol. |
| Source: | SmartDefense Research Center |
| Description: | Dynamic routing protocols, of which RIP, OSPF and BGP are the most widely deployed, have been increasingly abused by malicious users over the past few years. In the absence of strong authentication enforcement verifying that routing information comes from the true peer router, a malicious user may spoof or modify valid routing protocol messages and corrupt or change routing tables of a network. This might result in redirection of some or all network traffic, connectivity problems, excessive bandwidth consumption and potential denial of service of both the router and the routing protocol. |
| Severity: | |
| Details: | The Routing Information Protocol (RIP) is an interior gateway distance-vector routing protocol. RIP can be spoofed by making fake RIP packets and sending them to gateways and hosts to change their routes. Attacks on the RIP protocol may target either vulnerabilities in the routing software/hardware used or the routing information of the network. Open Shortest Path First (OSPF) is an interior link-state routing protocol. Like RIP, OSPF can be easily spoofed and injected with malformed OSPF messages. Attacks on the OSPF protocol may target either vulnerabilities in the routing software/hardware used or the routing information of the network (for example, by malicious advertising routers). The Border Gateway Protocol (BGP) is designed to exchange network reachability information between peer nodes (peers are routers that communicate routes with each other). BGP is highly vulnerable to a variety of attacks due to the lack of means of verifying the authenticity and authorization of BGP traffic. Any outsider can inject believable BGP messages into the communication between BGP peers and thereby inject false routing information. Since BGP uses TCP as a transport protocol, outside sources can also disrupt communications between BGP peers by breaking their TCP connection with spoofed RST packets. To prevent the spoofing or modification of a valid routing protocol message, message authentication has been added to all these protocols. All the above routing protocols support the MD5 digest. The MD5 digest works by creating a 16-byte hash of the routing message combined with a secret key. The 16-byte value is therefore message-specific, and modification of the message by an attacker invalidates the 16-byte digest appended to the message. Without the secret key, which is never sent over the wire by the routing protocol, the attacker is unable to reconstruct a valid message. |
| Attack Detection: | Using SmartView Tracker, users of R55, R55W and InterSpect who have performed the SmartDefense Update and applied the protection as described below will be able to identify attacks on routing protocols by the following record details: Users of R55W and InterSpect: Attacks on RIP; Attacks on BGP; Attacks on OSPF |
| Solution: | To block routing-protocol-based attacks, Check Point has added a protection designed to verify that all traffic is MD5-authenticated (all protocols) and that all packet headers are valid (RIP, OSPF). This new SmartDefense protection has been added to VPN-1 NG with Application Intelligence R55, R55W and InterSpect. When this protection is applied, SmartDefense enforces the validity of OSPF and RIP packet headers, including protocol version, message type and packet length. The protection also enforces MD5 routing authentication on all protocols and detects and blocks other authentication mechanisms that are considered insecure (e.g. plaintext password authentication). Users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect should update their SmartDefense by pressing the Update Now button in the SmartDefense General window. To enable the Routing Protocols protection: RIP window: Routing Information Protocol (RIP) version 1 has no mechanism whatsoever to authenticate routing messages. It is therefore recommended to use RIP v2, which supports MD5 authentication. Enabling the RIP protection alone will enable the packet header inspection only. Enabling it WITH the MD5 check would verify MD5 authentication. OSPF window: Enabling the OSPF protection alone will enable the packet header inspection only. Enabling it WITH the MD5 check would verify MD5 authentication. BGP window: Checking the BGP checkbox enables the protection. |
| Industry Reference: | BGP: CVE-2001-0650, CAN-2004-0589, CAN-2004-0230; RIP: CVE-1999-0111; OSPF: CAN-2003-0100 |
| Additional Information: | |
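
The header checks and keyed-MD5 verification described under Details and Solution, shown for OSPFv2 as an added example (not Check Point's code and not part of the original advisory). It assumes the cryptographic-authentication layout of RFC 2328 Appendix D; `check_ospf`, `keyed_md5`, `build_hello` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

# OSPFv2 common header (RFC 2328): version, type, length, router id, area id, checksum, AuType
OSPF_HEADER = struct.Struct("!BBH4s4sHH")
# 8-byte authentication field when AuType is 2: zero, key id, digest length, sequence number
AUTH_FIELD = struct.Struct("!HBBI")
AUTYPE_CRYPTO = 2  # 0 = no authentication, 1 = plaintext password, 2 = keyed MD5


def keyed_md5(packet: bytes, key: bytes) -> bytes:
    """16-byte digest of the OSPF packet followed by the secret, zero-padded to 16 bytes."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def check_ospf(datagram: bytes, key: bytes) -> str:
    """Return 'ok', or the reason a received OSPFv2 packet should be dropped."""
    if len(datagram) < 24:
        return "bad-length"
    version, msg_type, length, _rid, _area, _cksum, autype = OSPF_HEADER.unpack_from(datagram)
    if version != 2:
        return "bad-version"
    if not 1 <= msg_type <= 5:           # Hello, DBD, LS Request, LS Update, LS Ack
        return "bad-type"
    if length < 24 or length > len(datagram):
        return "bad-length"
    if autype != AUTYPE_CRYPTO:          # null or plaintext password authentication
        return "insecure-auth"
    _zero, _key_id, auth_len, _seq = AUTH_FIELD.unpack_from(datagram, 16)
    trailer = datagram[length:length + auth_len]   # digest follows the packet proper
    if auth_len != 16 or len(trailer) != 16:
        return "bad-digest"
    expected = keyed_md5(datagram[:length], key)
    return "ok" if hmac.compare_digest(trailer, expected) else "bad-digest"


def build_hello(key: bytes, autype: int = AUTYPE_CRYPTO) -> bytes:
    """Constructed sample input: an OSPFv2 Hello with a 20-byte dummy body."""
    body = bytes(20)
    header = OSPF_HEADER.pack(2, 1, 24 + len(body), bytes([10, 0, 0, 1]), bytes(4), 0, autype)
    packet = header + AUTH_FIELD.pack(0, 1, 16, 1) + body
    return packet + keyed_md5(packet, key)
```

The sequence number in the authentication field is parsed but not checked here; a receiver also compares it against the last value seen from the same neighbor to reject replayed packets.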



