Black Hat OSPF Vulnerabilities

August 31st, 2011

This year at Black Hat, researchers presented some new ways to inject routes into an OSPF network. I will not go into much technical detail on how they were able to do so, but at the very beginning of the talk they made it clear that these methods assumed the attacker already had the MD5 authentication key. After the talk was over, I talked to multiple people about it and was completely surprised at how all of them were brushing it off or playing it down. From just the arguments against the talk, I can conclude that

  • If administrators are not using an authentication key, then there are other serious problems
  • A simple authentication password is sufficient to stop attackers
  • We haven’t seen it used in the wild, so we don’t need to worry

I think that is total and utter bullshit and here is why.

If administrators are not using an authentication key, then there are other serious problems:
I am not going to disagree with that at all. It is super easy to turn on the authentication key, and there should be no excuse for any semi-competent network administrator not to have done so, but we cannot assume that, because not everyone has. I can say specifically from my experience in the Network Technical Support realm, 9.8 times out of 10, when walking someone through setting up OSPF on their device, they specifically tell me not to set up an authentication key and to enable OSPF on all interfaces. The reasons range from wanting to see it working with the path of least resistance all the way to not thinking authentication is necessary. Also, every time I went to troubleshoot an OSPF network, not once did I see it enabled. Please keep in mind that I have worked with some very LARGE companies with big teams dedicated to administering their network and securing it.

A simple authentication password is sufficient to stop attackers:
I spoke with one friend who specifically stated “I got up and left once they said they assumed you already had the key.” With all the preaching about how easy it is to abuse passwords and how we need a better system because passwords suck, I would have expected to hear a different response, because that’s all the authentication key is: a password. We have been cracking passwords for a long, long time now, and there has even been a very successful contest at Defcon the past few years aimed at cracking as many passwords as you can in 3 days. You will be amazed to see how many passwords they crack every year. In essence, it isn’t hard to crack a password these days. If you throw a team of Nvidia GPUs at the problem, it can be solved in no time. Also, don’t forget about the speed of using rainbow tables. Oh, and there are also web-based services revolving around cracking passwords. As if there were not already a plethora of options for cracking passwords, here is a shot of me brute-forcing an OSPF authentication key with loki:

And since I am doing this just to prove a point and don’t want to wait for the brute force to complete, here is a shot of me successfully getting the authentication key via a wordlist:
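To make concrete why the authentication key is “just a password”, here is an added example (not from the talk, the post, or loki) that builds the RFC 2328 Appendix D cryptographic authentication digest for an OSPF Hello and performs the receiver-side check; the Hello contents and the key are constructed for illustration, not captured.

```python
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
HEADER_LEN = 24
KEY_LEN = 16  # the key is always 16 bytes on the wire; shorter keys are zero-padded

def ospf_header(pkt_type, body_len, router_id, area_id, key_id, seq):
    """OSPFv2 header with the Authentication field laid out for AuType 2:
    2 reserved bytes, Key ID, Auth Data Length (16) and the cryptographic
    sequence number. The checksum field stays zero under cryptographic auth."""
    return struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, pkt_type,
                       HEADER_LEN + body_len, router_id, area_id,
                       0, AUTYPE_CRYPTOGRAPHIC, 0, key_id, KEY_LEN, seq)

def ospf_md5_digest(packet, key):
    """RFC 2328 Appendix D.4.3: one MD5 over packet || key (zero-padded to 16).
    No salt, no iteration: the 'key' is a plain password, and a single captured
    packet is enough to test guesses against it offline at raw MD5 speed."""
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")).digest()

def sign_packet(packet, key):
    # The digest trails the packet and is not counted in the OSPF length field.
    return packet + ospf_md5_digest(packet, key)

def verify_packet(wire, key, last_seq):
    """Receiver side (D.4.4): split off the trailing digest, recompute it with
    the configured key, and reject sequence numbers older than the last one
    accepted from this neighbor (the only replay protection the scheme has)."""
    ospf_len = struct.unpack("!H", wire[2:4])[0]
    if len(wire) != ospf_len + KEY_LEN:
        return False
    packet, digest = wire[:ospf_len], wire[ospf_len:]
    seq = struct.unpack("!I", wire[20:24])[0]
    if seq < last_seq:
        return False
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)

# Constructed sample Hello body (not a real capture): network mask, HelloInterval,
# Options, Router Priority, RouterDeadInterval, DR, BDR, no neighbors.
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1,
                         40, bytes([192, 0, 2, 1]), bytes([0, 0, 0, 0]))
HELLO = ospf_header(OSPF_TYPE_HELLO, len(HELLO_BODY), bytes([192, 0, 2, 1]),
                    bytes([0, 0, 0, 0]), 1, 0x4E5E3A01) + HELLO_BODY
```

The thing to notice is that the key enters the hash only as a zero-padded 16-byte suffix to a packet anyone on the segment can read, which is exactly why a wordlist run finishes quickly; long random keys, rotated via the Key ID field, are the only lever the scheme gives a defender.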

We haven’t seen it used in the wild, so we don’t need to worry:
Of all the responses I have heard, this is the most absurd. I don’t feel I should have to say this to anyone involved in the Security Community, but here it goes anyway.

Just because you haven’t seen it does not mean it is not currently or will never be exploited.

If I have to explain this then please give up reading anything else I have to say for the rest of time.

I think this is a very viable attack method that everyone else has been discrediting and playing down when they shouldn’t be.
