Yes, Vulnerabilities do Exist in IP Routing! It’s Routing of Information!


Put simply, IP routing is the path information takes to get from source to destination, chosen with the help of routing protocols. Many don’t realize that these routing protocols are not always well protected against deliberate or accidental propagation of incorrect routing information. They operate on implicit trust, both in their peers and in the information they receive. Neither form of trust is suited to the current Internet environment (Badger, 1996). With this in mind, we have to consider that the process of routing information can be deemed unsafe. After careful research I was despondent to find the large supply of routers with open vulnerabilities, especially the selection of routers posing serious threats to the actual delivery of data and control plane packets. In this article I give a small overview of the actions and mishaps of both external and internal routing devices.

▪Internal routers- are commonly used to keep subnet traffic separated. In terms of attack types, DNS can be compromised and used to redirect the initial request for service, providing an opportunity to execute a man-in-the-middle attack. This only takes place in the case that another router is at the other end. As one means of securing the internal router, these devices can use NAT (Network Address Translation) to improve security. NAT presents an alternate public IP address that hides the network’s real IP addresses. An attacker will have more difficulty identifying the layout of the networks behind a firewall that uses NAT.

Second, internal routers always need to use an authority in the autonomous system to produce signed authorizations of the networks that a router is allowed to announce (Badger, 1996). This protects against the internal router’s habit of announcing nonexistent host routes, and it is especially necessary when large numbers of nonexistent host routes are announced.

▪Autonomous System Boundary Routers- seem to be the total opposite of internal routers in operation, since they tend to announce nonexistent host routes to the external end. Internal routers have digital signature protection, but ASBRs don’t. When dealing with external routers, every piece of routing information concerning outside routes, forged or real, that is introduced into the domain cannot be verified, and it is propagated to all OSPF areas of the domain that are not configured as stub areas (Jones, 2003).

Whether external or internal, both types present vulnerability risks. Routing information that incorrectly reports OSPF areas, or any other portion of the domain, as unreachable will deny service to all hosts connected to or exchanging traffic with those areas. This opens the system up to network congestion, looping, eavesdropping, and overloading, to name just a few effects. The practice of announcing nonexistent host routes tends to open the network up to man-in-the-middle, message deletion, message modification, and denial of service attacks.

Typically, this vulnerability is addressed with simple password or cryptographic authentication. When simple password authentication is used, the OSPF header carries the password in plain text on every OSPF message. However, a limitation remains even with the MAC available when cryptographic authentication is enabled: no field of the IP header is protected by it.
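To make the two authentication types concrete, here is an added example (not from the original post) that builds OSPFv2 Hello packets with AuType 1 and AuType 2 and verifies the RFC 2328 Appendix D keyed-MD5 digest, including the sequence-number replay check. The router ID, area ID, key and Hello body are constructed sample values, and the digest is computed over the OSPF packet only, so nothing in the IP header is covered.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field. Sample IDs are constructed.
OSPF_HDR, AUTH_SIMPLE, AUTH_CRYPTO = "!BBHIIHH8s", 1, 2
HDR_LEN, ROUTER_ID, AREA_ID = struct.calcsize(OSPF_HDR), 0x0A000001, 0

def ospf_packet(autype, auth_field, body):
    # Type 1 = Hello. Checksum is 0 under cryptographic auth, and the trailing
    # digest is not counted in the length field.
    hdr = struct.pack(OSPF_HDR, 2, 1, HDR_LEN + len(body), ROUTER_ID, AREA_ID,
                      0, autype, auth_field)
    return hdr + body

def simple_password_packet(password, body):
    # AuType 1: the password itself travels in the clear in the auth field.
    return ospf_packet(AUTH_SIMPLE, password.ljust(8, b"\0")[:8], body)

def read_simple_password(packet):
    # Anyone who captures an AuType 1 packet reads the password straight out.
    return struct.unpack(OSPF_HDR, packet[:HDR_LEN])[7].rstrip(b"\0")

def md5_digest(packet_without_digest, key):
    # RFC 2328 D.4.3: append the zero-padded 16-byte key, MD5 the result.
    # The digest covers only the OSPF packet, never the IP header.
    return hashlib.md5(packet_without_digest + key.ljust(16, b"\0")[:16]).digest()

def crypto_auth_packet(key_id, seq, key, body):
    # AuType 2 auth field: 0 (16 bits) | Key ID | Auth Data Len (16) | seq no.
    pkt = ospf_packet(AUTH_CRYPTO, struct.pack("!HBBI", 0, key_id, 16, seq), body)
    return pkt + md5_digest(pkt, key)

def verify_crypto_auth(packet, keys, last_seq):
    # keys: Key ID -> secret; last_seq: highest sequence number already accepted
    # from this neighbour (replay check). Returns (accepted, reason, new_last_seq).
    if len(packet) < HDR_LEN + 16:
        return False, "truncated", last_seq
    _, _, length, _, _, _, autype, auth = struct.unpack(OSPF_HDR, packet[:HDR_LEN])
    _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    if autype != AUTH_CRYPTO or dlen != 16 or key_id not in keys:
        return False, "unusable authentication header", last_seq
    if seq < last_seq:
        return False, "replayed sequence number", last_seq
    expected = md5_digest(packet[:length], keys[key_id])
    if not hmac.compare_digest(expected, packet[length:length + 16]):
        return False, "digest mismatch", last_seq
    return True, "ok", seq
```

A receiver that keeps `last_seq` per neighbour rejects both tampered packets (digest mismatch) and re-sent old ones (sequence number), which plain passwords cannot do.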

Finally, understand that securing OSPF depends on how well it is configured and managed. To mitigate the risk, managers should employ a method of “manual stops.” “A manual stop event causes the OSPF router to bring down all its adjacencies, release all associated OSPF resources, and delete all associated routes” (Jones, 2003).

-Dominique Briscoe, M.S.C.T.
