Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Gabi Nakibly <gnakibly@yahoo.com> Mon, 05 August 2013 21:04 UTC

References: <20130804130603.GV67612@jupiter.n2.diac24.net> <94A203EA12AECE4BA92D42DBFFE0AE4702FE6F29@eusaamb101.ericsson.se>
Message-ID: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com>
Date: Mon, 5 Aug 2013 14:03:55 -0700 (PDT)
From: Gabi Nakibly <gnakibly@yahoo.com>
To: Acee Lindem <acee.lindem@ericsson.com>, David Lamparter <equinox@diac24.net>, Glen Kent <glen.kent@gmail.com>
In-Reply-To: <94A203EA12AECE4BA92D42DBFFE0AE4702FE6F29@eusaamb101.ericsson.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Hi all,
My name is Gabi. I am the researcher who presented the new attack at Black Hat last week. I have noticed the discussion on the list and I would be happy to try to clarify how the attack is different from known ones.
Indeed the attack assumes that the attacker is an insider, meaning that the attacker has already gained control of one of the routers within the AS. I agree 100% that once an attacker is an insider he can already do all sorts of attacks that can harm the network, and indeed a few past works have already reported on this. Nonetheless, the crux of the new attack, as Acee has already pointed out, is that an attacker is now able to falsify an LSA on behalf of another router while evading the fight-back mechanism. This new capability allows an attacker to *persistently* and *stealthily* subvert the LSA DB of other routers that install the false LSA and thereby alter their routing tables. This gives rise to a new class of attacks that, in my opinion, have not existed before and, in many cases, are more desirable for an attacker (due to their stealth and persistence).
To the best of my knowledge, no other general technique to stealthily evade fight back is known. The only general attack technique to evade fight back is periodic injection (flooding false LSAs at a rate higher than one every MinLSInterval), presented in http://tools.ietf.org/id/draft-ietf-rpsec-ospf-vuln-02.txt in Section 4.1.3.1. However, using such a technique the attack is hardly stealthy.

BTW, I have also presented in the past another general technique to evade fight back called 'Disguised LSA'. It is described in https://www.cs.technion.ac.il/people/gnakibly/online-publications/PersistentOSPF.pdf in Section 4.2.

I would appreciate your continued feedback on the new attack.

Thanks,
Gabi

>________________________________
> From: Acee Lindem <acee.lindem@ericsson.com>
>To: David Lamparter <equinox@diac24.net>; Glen Kent <glen.kent@gmail.com>
>Cc: "ospf@ietf.org" <ospf@ietf.org> 
>Sent: Monday, August 5, 2013 5:28 AM
>Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
> 
>
>
>
>On 8/4/13 6:06 AM, "David Lamparter" <equinox@diac24.net> wrote:
>
>>On Fri, Aug 02, 2013 at 10:11:01PM +0530, Glen Kent wrote:
>>> Does anybody have details on what this OSPF vulnerability is?
>>> 
>>> https://www.blackhat.com/us-13/briefings.html#Nakibly
>>
>>As people may have noticed by now (the embargo on providing details has
>>expired as the talk was presented), this issue consists of Router LSAs
>>where the Router ID is different from the Link State ID.  As such, this
>>attack is implementable from any router in an OSPF area against any
>>other router in the OSPF.
>>
>>(Quite honestly, IMHO this is seriously far fetched.  If your control
>>plane got compromised this far you have other problems.)
>
>I agree that once the OSPF control plane is open, you are susceptible to
>many attacks. However, this attack is a bit more insidious than most since
>the actual OSPF router corresponding to the link state ID will most likely
>not recognize the LSA as self-originated and re-originate a more recent
>version when the malformed one is received. Hence, the malicious LSA will
>remain in the routing domain and, depending upon the OSPF implementation,
>could result in traffic being redirected.
>
>>
>>While Quagga is unaffected by this, we've implemented a warning.  We're
>>also considering dropping the LSA outright, but I'm somewhat split on
>>that (tilted towards dropping).  I'd be interested if the WG has
>>comments on that?
>
>I can't speak for the WG but my implementation will skip the LSA in the
>Link-State Update packet.
>
>Thanks,
>Acee
>
>
>>
>>
>>-David
>>_______________________________________________
>>OSPF mailing list
>>OSPF@ietf.org
>>https://www.ietf.org/mailman/listinfo/ospf
>
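As an added illustration of the receive-side check discussed in this thread (a Router-LSA whose Link State ID is not its Advertising Router is skipped rather than installed), the following is example code written for this page, not Quagga's or any vendor's implementation. The LSA fixtures are constructed; the LS checksum arithmetic follows RFC 2328 section 12.1.7 (Fletcher), and the Link State Update layout follows RFC 2328 A.3.5.

```python
import struct
# OSPFv2 LSA header (RFC 2328 A.4.1): age, options, type, LS ID, adv router, seq, checksum, length
LSA_HDR = struct.Struct("!HBBIIIHH")
ROUTER_LSA = 1

def fletcher_sums(data):
    """C0/C1 mod 255 (Fletcher, RFC 905): the arithmetic behind the LS checksum (RFC 2328 12.1.7)."""
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1

def checksum_ok(lsa):
    """The LS checksum covers the LSA minus its 2-byte LS age; it verifies iff both sums are zero."""
    return fletcher_sums(lsa[2:]) == (0, 0)

def build_router_lsa(lsid, adv_router, seq=0x80000001, body=b"\x00\x00\x00\x00"):
    """Constructed fixture: a Router-LSA (flags 0, zero links) with a correct LS checksum."""
    lsa = bytearray(LSA_HDR.pack(0, 0x02, ROUTER_LSA, lsid, adv_router, seq, 0, 20 + len(body)) + body)
    c0, c1 = fletcher_sums(lsa[2:])                # sums with the checksum field still zero
    x = ((len(lsa) - 17) * c0 - c1) % 255 or 255   # RFC 1008 placement: covered length is len-2,
    y = 510 - c0 - x                               # checksum sits at offset 14 of the covered bytes
    lsa[16], lsa[17] = x, (y - 255 if y > 255 else y)
    return bytes(lsa)

def classify(lsa):
    """Verdict for one received LSA. A Router-LSA whose Link State ID is not its Advertising
    Router is skipped, which is the behaviour Acee describes for his implementation."""
    if len(lsa) < LSA_HDR.size or LSA_HDR.unpack_from(lsa)[7] != len(lsa) or not checksum_ok(lsa):
        return "drop:malformed"                    # short, length field mismatch, or bad checksum
    ltype, lsid, adv = struct.unpack_from("!BII", lsa, 3)
    if ltype == ROUTER_LSA and lsid != adv:
        return "drop:lsid-mismatch"
    return "accept"

def filter_ls_update(lsu_body):
    """Walk a Link State Update body (RFC 2328 A.3.5: 4-byte LSA count, then LSAs back to back);
    returns (accepted, dropped) as lists of (verdict, link_state_id, advertising_router)."""
    count = struct.unpack_from("!I", lsu_body)[0]
    off, accepted, dropped = 4, [], []
    for _ in range(count):
        if off + LSA_HDR.size > len(lsu_body):
            break                                  # truncated update: stop rather than guess
        length = struct.unpack_from("!H", lsu_body, off + 18)[0]
        lsid, adv = struct.unpack_from("!II", lsu_body, off + 4)
        verdict = classify(lsu_body[off:off + length])
        (accepted if verdict == "accept" else dropped).append((verdict, lsid, adv))
        off += max(length, LSA_HDR.size)           # never spin on a zero length field
    return accepted, dropped
```

Logging the dropped entries (verdict plus both IDs) gives an operator a direct signal that a neighbour is flooding LSAs on another router's behalf, which is the stealth property the thread is concerned about.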