Gabi Nakibly (National EW Research and Simulation Center)
Wednesday, 11.1.2012, 11:30
Open Shortest Path First (OSPF) is the most popular interior gateway routing protocol on the Internet. Most previously published OSPF attacks are based on falsifying the link state advertisement (LSA) of an attacker-controlled router. These attacks can falsify only a small portion of the routing domain's topology, so their effect is usually limited. More powerful attacks are those that affect the LSAs of other routers not controlled by the attacker. However, these attacks usually trigger the OSPF "fight-back" mechanism, in which the victim router advertises a correcting LSA, making the attacks' effect non-persistent. In this work we present new OSPF attacks that exploit design vulnerabilities in the protocol specification. These new attacks can affect the LSAs of routers not controlled by the attacker while evading "fight-back". As a result, an attacker can persistently falsify large portions of the routing domain's topology as viewed by other routers, thereby giving the attacker control over their routing tables. We discuss a number of mitigation strategies and propose an update to the OSPF specification that defeats these attacks and improves OSPF security. The talk is based on results presented at Black Hat '11 and NDSS '12. This is joint work with Alex Kirshon, Dima Gonikman and Dan Boneh.