Sea of Thought

In the clouds, searching for my star key.

Reading notes on "Persistent OSPF Attacks"

Open Shortest Path First (OSPF) is the most widely used interior gateway routing protocol on today's Internet. Its counterpart, BGP, is the protocol most commonly used between external networks.

This paper presents two new attacks on OSPF that expose flaws in the protocol's design. The attacks let an attacker change the routing decisions of routers it does not control while shielding the attacker from OSPF's so-called "fight-back" self-defense mechanism.

Using the discovered vulnerabilities, an attacker can persistently forge large amounts of routing topology information and thereby indirectly control traffic inside the network. This can ultimately enable follow-on attacks such as DoS (denial of service), eavesdropping, and man-in-the-middle attacks.

Finally, the paper discusses strategies for mitigating the attacks and proposes an update to the OSPF protocol that strengthens its overall security.

These notes come from a reading assignment in an Advanced Computer Networks course; the topic area is "routing protocol security".

References

Persistent OSPF Attacks

The paper is organized as follows. Section 2 gives a brief overview of the OSPF specification and principal functionality. Section 3 reviews known attacks that exploit design vulnerabilities of OSPF. Section 4 presents the newly found attacks. Section 5 evaluates the power of the attacks and their effects on real-world AS topologies. Section 6 proposes mitigation measures and Section 7 concludes the paper.

Intro

Detailed comparison of the RIP and OSPF protocols

OSPF lets the routers in an autonomous system maintain their own routing tables and adapt dynamically to changes in the topology of that AS. OSPF is a link-state protocol: every router broadcasts the state of its links to its neighbors to the entire network, so in the end every node learns the topology of the whole network (stored as a routing table) and then computes the optimal paths (Dijkstra's algorithm).

As shown in the figure below, router Rb broadcasts its neighbor topology to the whole network. One such broadcast within the AS is called an LSA (Link State Advertisement).




Basic assumption (the ability to forge LSAs)

As in most previously published OSPF attacks we assume the attacker has the ability to send LSAs to routers in the routing domain and that routers process them as valid LSAs.

DoS denial of service

DoS: the attacker’s goal is to degrade the network’s ability to forward traffic with a desirable quality of service.

The attacker can do so using one of the following strategies:

  1. Link overload – Diverting a large volume of traffic through a limited-capacity link.
  2. Long routes – Diverting traffic over unnecessarily long routes while wasting network resources.
  3. Delivery failure – Making some portion of the network mistakenly believe that it is disconnected from the AS.
  4. Routing loops – Routing traffic in loops between two or more routers, consuming network resources before it is dropped.
  5. Churn – Changing traffic routes rapidly, resulting in network instability and performance degradation of congestion control mechanisms (e.g. TCP).

Eavesdropping

Eavesdropping: the attacker can divert remote traffic to pass through a router or a network the attacker has access to thereby letting the attacker eavesdrop on the traffic.

Man-in-the-middle and impersonation attacks

Traffic diversion may also facilitate man-in-the-middle and impersonation attacks.

Same principle as eavesdropping.

OSPF Basics

Besides what was introduced above, LSA flooding is also periodic: every LSA is re-flooded every 30 minutes so that the AS topology is kept up to date.

For LSA version management, every LSA carries a sequence number that distinguishes newer from older instances. A node always accepts the newest LSA, the one with the higher sequence number.

adjacency: After mutual discovery two neighboring routers may set up a special relationship called adjacency.

To alleviate memory and processing load an adjacency is set up only when one of the two peers acts as a designated router.

The purpose of setting up an adjacency is to make sure that the two routers have identical copies of the LSA database.

Fight-back: Once a router receives an instance of its own LSA which is newer than the last instance it originated, it immediately advertises a newer instance of the LSA which cancels out the false one.

Previous Attacks

The most conventional attacks are launched from routers the attacker fully controls; in that case forging LSAs does not trigger fight-back. All traffic sent to those routers can be pushed to the attacker.

Another kind is launched via routers the attacker does not control; this does trigger fight-back, but it can at least make the AS unstable. However, such an attack cannot persist and is not stealthy (it easily exposes the attacker); it cannot effectively mislead routers' view of the whole AS topology.

Jones proposed a way to counter the fight-back mechanism: by exploiting a vulnerability in OSPF, the attacked router can be made not to send a newer LSA when it receives a forged one.

Yet another approach is to send LSAs from a phantom router (a forged router that does not exist). This does not trigger fight-back, but it also does not affect the routing tables (because of the bidirectional-link check); nevertheless it can overload the routers' LSA databases, which makes it an effective attack.

New Attacks

Remote False Adjacency

The attacker crafts false Hello and DBD messages so that the victim router believes it has formed an adjacency with a phantom router.

The attacker spoofs a legitimate-looking IP address in the corresponding subnet as the source IP in the packet header.

the source IP address is always set to the address of the phantom router, a fictitious address in the subnet of the victim’s local network.

Once a false adjacency is established, the attacker can forge LSAs for the phantom router that satisfy the bidirectional-link condition, so that the phantom enters the real routing tables.

The phantom router can be placed anywhere, so placing several phantom routers in one subnet can absorb all traffic bound for another chosen network, creating a "traffic black hole", as shown in figure (a) below.

The damage is greater if the phantom router happens to form a shortcut for most traffic. As figure (b) below shows, phantom routers are forged in two separate subnets so that all traffic between them is absorbed.
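To show why a phantom router's LSA alone is harmless but a false adjacency is not (the point made in the Previous Attacks section and again just above), here is an added example, not code from the paper, of the two-way link check that OSPF's SPF calculation performs (RFC 2328 section 16.1). The topology, router names and costs are constructed for illustration.

```python
import heapq


def spf(lsdb, root):
    """Dijkstra over router-LSAs with the RFC 2328 16.1 two-way check: a link
    V->W is only used if W's LSA also advertises a link back to V.
    lsdb maps router id -> {neighbor id: cost} as advertised by that router."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, v = heapq.heappop(heap)
        if d > dist[v]:
            continue
        for w, cost in lsdb.get(v, {}).items():
            if v not in lsdb.get(w, {}):
                continue  # one-way link: W does not list V, so it is ignored
            nd = d + cost
            if nd < dist.get(w, float("inf")):
                dist[w] = nd
                heapq.heappush(heap, (nd, w))
    return dist


def example_lsdbs():
    """Constructed sample. 'P' is a phantom router whose forged LSA claims cheap
    links to R2 and R3. In 'genuine' nobody lists P back, so P stays out of
    the SPF tree; in 'false_adjacency' the victim R2 has accepted an adjacency
    with P and now lists it, so P becomes a valid node in R1's tree."""
    genuine = {
        "R1": {"R2": 10},
        "R2": {"R1": 10, "R3": 10},
        "R3": {"R2": 10},
        "P": {"R2": 1, "R3": 1},   # phantom's forged LSA
    }
    false_adjacency = {k: dict(v) for k, v in genuine.items()}
    false_adjacency["R2"]["P"] = 1  # victim's own LSA now advertises the phantom
    return genuine, false_adjacency
```

Running `spf` on the two databases from `R1` shows `P` absent in the first and reachable at cost 11 in the second, while `P`'s claimed link to `R3` stays unusable because `R3` never advertises it back.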

Caveats and Assumptions

  • The false Hello and DBD messages are remotely unicasted directly to the victim. Therefore, the attacker must know the secret authentication key of the victim’s local network.
    • This holds in most cases, but nothing in the network requires it.
  • The adjacency must be continuously maintained by sending a Hello message every time interval defined by the victim’s RouterDeadInterval parameter.
    • If the victim does not receive a Hello message within that time interval it will tear down the adjacency.
  • The victim floods LSAs to the phantom and expects to receive LSA acknowledgments in return.
    • the attacker can spoof the acknowledgment messages

Disguised LSA

The OSPF specification defines how LSAs are told apart:

  • Sequence Number
  • Checksum
  • Age

When all three are equal, the two are considered the same LSA.

In practice, a minor difference in Age (< 15 minutes) is treated as equal.

The key point is that the spec considers these two LSAs to be the same even if the actual advertised links in the LSAs differ.

Disguised LSA: A naive exploitation of this feature is to advertise an LSA with false links on behalf of a victim router while having the same values of the above three fields as the valid LSA advertised by the victim.

When a router receives a disguised LSA it does not trigger fight-back, because the LSA is taken to be an identical copy of one it sent earlier. Unfortunately, every other router also treats it as an LSA it has already received and does not install it in its LSA database. So far, then, this achieves nothing.

A better move is to send the forged LSA to the other routers right after the originating router has sent its LSA, but before they receive the genuine one. The disguised LSA then replaces the genuine LSA and is installed in the other routers' LSA databases.

Timing is therefore critical.

Figure (a) below shows an instance, and also illustrates a practical limitation of the disguised LSA: because of the timing constraint it can affect only a small number of nodes.

Another approach, figure (b) below, is to predict or control when the next LSA will be generated, so the attacker can send the disguised LSA first and reach more nodes. Moreover, by deliberately triggering the fight-back mechanism, the attacker can precisely control when the genuine LSA is generated.

Just before sending the disguised LSA the attacker floods a false LSA which is not disguised.

A disguised LSA still faces the problem of setting three fields: Sequence Number, Checksum and Age. Fortunately, all three are accurately predictable in practice.

Mitigation Measures

First, remote false adjacency and disguised LSA expose several flaws in existing network systems.

Disguised LSA:

  1. a router considers two LSAs to be identical even if their contents are not, and
  2. the entire contents of a future LSA are predictable.

Remote false adjacency:

  1. same secret key used for integrity on all links, and
  2. the master can complete the adjacency protocol without seeing any of the slave’s messages.

Measures compatible with the current protocol

Disguised LSA:

  • mitigate the predictability vulnerability by adding to valid LSAs a dummy advertised link with random values.

Remote false adjacency:

  • the AS ensures that different links use independent secret keys for packet integrity and the secret key is known only to routers on the link.
    • Hard to do in practice, because a separate key management system would have to be designed.
  • routers can employ anti source-IP spoofing measures on OSPF packets.
    • These measures could potentially be extended – at some cost – to all links on the AS. This will prevent the spoofed Hello and DBD messages from reaching the victim.
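The anti-spoofing measure above can be expressed as an ingress check: an OSPF packet whose source address belongs to one attached link but which arrived through a different interface cannot be from a local neighbor. Here is an added example of that check, written for these notes and not code from the paper; the interface names, subnets and packets are constructed, and it assumes broadcast links, where Hellos are multicast to AllSPFRouters.

```python
import ipaddress
from typing import NamedTuple

ALL_SPF_ROUTERS = ipaddress.ip_address("224.0.0.5")  # OSPF Hello multicast group


class Interface(NamedTuple):
    name: str
    network: ipaddress.IPv4Network  # subnet of the attached link


class OspfPacket(NamedTuple):
    ingress: str                  # interface the packet arrived on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    pkt_type: str                 # "Hello", "DBD", "LSR", "LSU" or "LSAck"


def link_claimed_by(src, interfaces):
    """Interface whose subnet contains src, i.e. the link the sender claims to be on."""
    for iface in interfaces:
        if src in iface.network:
            return iface
    return None


def check_ospf_ingress(pkt, interfaces):
    """Return the reasons to drop (and alert on) this packet; [] means accept.
    Assumes every interface is a broadcast link, so Hellos go to AllSPFRouters."""
    reasons = []
    claimed = link_claimed_by(pkt.src, interfaces)
    if claimed is None:
        reasons.append("source address is not on any attached link")
    elif claimed.name != pkt.ingress:
        reasons.append(f"source claims link {claimed.name} but arrived via {pkt.ingress}")
    if pkt.pkt_type == "Hello" and pkt.dst != ALL_SPF_ROUTERS:
        reasons.append("unicast Hello on a broadcast link")
    return reasons


def demo():
    # Constructed topology: the router's two links and three sample packets.
    ifaces = [Interface("eth0", ipaddress.ip_network("10.0.1.0/24")),
              Interface("eth1", ipaddress.ip_network("10.0.2.0/24"))]
    ip = ipaddress.ip_address
    genuine = OspfPacket("eth0", ip("10.0.1.7"), ALL_SPF_ROUTERS, "Hello")
    # Remote sender claiming a phantom address in eth0's subnet, entering via eth1.
    spoofed_hello = OspfPacket("eth1", ip("10.0.1.200"), ip("10.0.1.1"), "Hello")
    spoofed_dbd = OspfPacket("eth1", ip("10.0.1.200"), ip("10.0.1.1"), "DBD")
    return [check_ospf_ingress(p, ifaces) for p in (genuine, spoofed_hello, spoofed_dbd)]
```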

Protocol changes (backward compatible)

Disguised LSA:

  • To address the core weakness we propose to extend the LSA database by also storing a cryptographic hash (e.g. SHA-256) of the installed LSA. (excluding the Age field)
    • Use the hash fingerprint as a second check of whether two LSAs are really identical.
    • If the hashes are also equal the two LSAs are considered identical. If they are different, the LSA which was last received is considered newer.
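The following is an added example, not code from the paper, covering both the identity rule from the Disguised LSA section (sequence number, checksum, and age within 15 minutes) and the hash extension proposed just above. `compare_rfc2328` implements the spec's ordering from RFC 2328 section 13.1; `compare_with_hash` adds the fingerprint comparison. The router names, field values and links in `demo` are constructed.

```python
import hashlib
from dataclasses import dataclass

MAX_AGE_DIFF = 15 * 60  # RFC 2328 MaxAgeDiff: 15 minutes, in seconds


@dataclass(frozen=True)
class LSA:
    advertising_router: str
    seq: int         # LS sequence number
    checksum: int    # LS checksum
    age: int         # LS age, seconds
    links: tuple     # advertised links as (neighbor, cost) pairs


def lsa_fingerprint(lsa):
    """SHA-256 over every field except Age: the paper's proposed LSDB extension."""
    body = f"{lsa.advertising_router}|{lsa.seq}|{lsa.checksum}|{lsa.links}"
    return hashlib.sha256(body.encode()).hexdigest()


def compare_rfc2328(installed, received):
    """Section 13.1 rule; returns 'newer', 'older' or 'same' for the received LSA.
    The advertised links are never looked at, which is the disguised-LSA weakness."""
    if received.seq != installed.seq:
        return "newer" if received.seq > installed.seq else "older"
    if received.checksum != installed.checksum:
        return "newer" if received.checksum > installed.checksum else "older"
    if abs(received.age - installed.age) > MAX_AGE_DIFF:
        return "newer" if received.age < installed.age else "older"
    return "same"


def compare_with_hash(installed, received, installed_hash):
    """Paper's extension: header fields equal but fingerprints differ means a
    disguised LSA, so the one received last is treated as newer. The
    originating router therefore sees a differing copy and fights back."""
    verdict = compare_rfc2328(installed, received)
    if verdict != "same":
        return verdict
    return "same" if lsa_fingerprint(received) == installed_hash else "newer"


def demo():
    # Constructed sample: R1's genuine LSA and a copy with the same sequence
    # number and checksum, an age within MaxAgeDiff, but one link swapped.
    genuine = LSA("R1", 0x80000005, 0x1A2B, 120, (("R2", 10), ("R3", 5)))
    disguised = LSA("R1", 0x80000005, 0x1A2B, 130, (("R2", 10), ("R9", 1)))
    fp = lsa_fingerprint(genuine)
    return compare_rfc2328(genuine, disguised), compare_with_hash(genuine, disguised, fp)
```

`demo()` returns `("same", "newer")`: the spec rule alone accepts the forged copy as identical, while the hash check flags it as a different, newer instance that will be installed and then overridden by the originator's fight-back.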

Remote false adjacency:

  • Once the slave receives a DBD message from the master it would send its next DBD message with probability p…
    • Introduces a probabilistic tool.

Summary and outlook

This paper presents two new OSPF attacks:

  • remote false adjacency
  • disguised LSA

Experiments on widely deployed routers and on real AS topologies showed that both attacks are highly effective.

To curb the two attacks, the authors provide several countermeasures that let modified routers resist them. Some of these defenses may require small updates to the OSPF protocol.

Both the previously known attacks and the new ones found in this paper suggest that a rigorous security analysis tool is badly needed; the authors list this as future work. Finding new vulnerabilities by luck and manual inspection is certainly valuable, and such work reflects the experience and perseverance of the researchers, but it is not a comprehensive, thorough solution; we need a better, highly automated vulnerability detection mechanism.