Owning the Routing Table. Part II

Gabi Nakibly, Eitan Menahem, Ariel Waizel, Yuval Elovici

Black Hat, 2013

Open Shortest Path First (OSPF) is the most popular interior gateway routing protocol on the Internet. Most known OSPF attacks are based on falsifying link state advertisements (LSAs) of an attacker-controlled router. These attacks may create serious damage if the attacker-controlled router is strategically located in the autonomous system (AS) topology. However, such attacks can only falsify a small portion of the routing domain's topology; hence their effect is usually limited. More powerful attacks are those that affect LSAs of other routers not controlled by the attacker. However, these attacks usually trigger the "fight-back" mechanism of the victim router (the router on behalf of which the attacker advertises the false LSA), which advertises a correcting LSA, making the attacks' effect non-persistent. At Black Hat USA 2011 [BH11] and NDSS 2012 [NDSS12] we presented the first known attacks that allow an attacker to persistently falsify an LSA on behalf of a router it does not control, while evading the "fight-back" mechanism. These attacks allow an attacker to persistently poison the routing domain with false topology information. As a sequel to that work we now push the envelope further and present an even more powerful OSPF attack that exploits a newly discovered ambiguity in the OSPF standard [RFC2328]. When the attack is launched against a victim Cisco router, not only does the victim not fight back, but its routing table is completely erased, effectively excluding it from the routing domain.