OSPF vulnerability to persistent poisoning attacks: a systematic analysis

Open Shortest Path First (OSPF) is one of the most widely deployed interior gateway routing protocols on the Internet. The most common attack vector against OSPF is spoofing of routing advertisements on behalf of a remote router. OSPF employs a self-defense "fight-back" mechanism that quickly reverts the effects of such attacks. Nonetheless, some attacks that evade the fight-back mechanism have been discovered, making it possible to persistently falsify routing advertisements. Attacks of this type are the most serious threat to a routing protocol, since they allow an attacker to gain persistent control over how traffic is routed throughout the network. This shows that, despite its maturity, the OSPF specification is not without security flaws and may have still-unknown vulnerabilities. In this work we systematically analyze -- manually and by formal verification -- the OSPF specification for additional vulnerabilities in the fight-back mechanism. Our analysis uncovered a fundamental security flaw in OSPF that allows a simple means for an attacker to evade the fight-back mechanism. Most major router vendors acknowledged the existence of this vulnerability in their products. Fortunately, our analysis strongly indicates that no other vulnerabilities in the fight-back mechanism are likely to exist.
