Router alert! My router has been hacked

By Tim Greene, Network World
August 04, 2011 10:40 AM ET

LAS VEGAS — A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.

The problem is serious not only because of the damage an attacker might do but also because the protocol, OSPF, is used so pervasively that many networks are vulnerable. Open Shortest Path First (OSPF) is the most popular routing protocol used within the roughly 35,000 autonomous systems into which the Internet is divided.
Typically large corporations, universities and ISPs run autonomous systems.
The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel’s Electronic Warfare Research and Simulation Center, who discovered the problem.
Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but that the exploit would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the extent of the problem, since Cisco dominates the router market.
The flaw lies in the OSPF protocol itself, which allows uncompromised routers to be tricked into propagating false router-table updates known as link state advertisements, or LSAs. The attack is such that the false tables persist over time.
The false tables can be crafted to create router loops, send certain traffic to particular destinations or snarl a network by making victim routers send traffic along routes that don’t exist in the actual network topology, he says.
The attack requires that one router on the network is compromised. “[T]he true novelty of the attacks are their ability to falsify the routing advertisements of other routers which are not controlled by the attacker while still not triggering the fight-back mechanism by those routers,” Nakibly says in an email.
He and his team initiated the attack from a phantom router connected to their test network – in this case a laptop.
The phantom router sends to the victim router a spoofed LSA that appears to be the last one the victim router sent out. The spoofed LSA is accepted as legitimate because it has been crafted to have the appropriate LSA sequence number, checksum and age – the three things OSPF checks to determine the legitimacy of LSAs.
At the same time the phantom sends to a second router on the network an LSA that looks like it came from the victim router. The LSA is tagged with the sequence number that will be assigned to the next LSA that the victim router sends out.
Meanwhile, the victim router rejects the spoofed LSA from the phantom router and sends out a fight-back LSA, which is a copy of its last legitimate LSA.
When the fight-back LSA reaches the second router, it appears identical to the disguised LSA the second router just received from the phantom router. This is because the fight-back LSA and the disguised LSA have identical sequence numbers, checksums and age.
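
The reason the second router treats the fight-back LSA as a copy of what it already holds can be seen in the instance-comparison rule of RFC 2328 section 13.1, written out here in Python as an added example (not code from the article or from Nakibly's research). The `Lsa` class, the sample LSAs and the `conflicting_duplicate` monitoring check are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_AGE = 3600       # RFC 2328 MaxAge, seconds
MAX_AGE_DIFF = 900   # RFC 2328 MaxAgeDiff, seconds

@dataclass(frozen=True)
class Lsa:
    adv_router: str  # router the LSA claims to come from
    seq: int         # LS sequence number, raw 32-bit header value
    checksum: int    # LS checksum field as carried in the header
    age: int         # LS age in seconds
    body: bytes      # advertised links

def signed32(x: int) -> int:
    """LS sequence numbers are compared as signed 32-bit integers."""
    return x - (1 << 32) if x & 0x80000000 else x

def compare_instances(a: Lsa, b: Lsa) -> int:
    """RFC 2328 sec. 13.1: 1 if a is newer, -1 if b is newer, 0 if same instance."""
    if a.seq != b.seq:
        return 1 if signed32(a.seq) > signed32(b.seq) else -1
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return 1 if a.age == MAX_AGE else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return 1 if a.age < b.age else -1
    return 0  # the body is never consulted

def conflicting_duplicate(stored: Lsa, received: Lsa) -> bool:
    """Monitoring check: same instance by the rule above, yet the contents differ."""
    return (stored.adv_router == received.adv_router
            and compare_instances(stored, received) == 0
            and stored.body != received.body)

# Constructed sample data. Header values are made up for illustration and the
# checksum fields are not computed from the bodies.
VICTIM = "10.0.0.1"
disguised = Lsa(VICTIM, 0x80000005, 0x3A7C, 1, b"link to 10.9.9.0/24")   # arrives first
fight_back = Lsa(VICTIM, 0x80000005, 0x3A7C, 2, b"link to 10.0.1.0/24")  # victim's real LSA
next_real = Lsa(VICTIM, 0x80000006, 0x51D2, 0, b"link to 10.0.1.0/24")   # a later genuine LSA

if __name__ == "__main__":
    print("fight-back vs disguised:", compare_instances(fight_back, disguised))
    print("alert:", conflicting_duplicate(disguised, fight_back))
```

A passive monitor that records LSA bodies can alert on `conflicting_duplicate`, since the routers themselves drop the second copy without looking at its contents.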

Author: Gilbert Tan TS

