In the previous chapter, we learned about wireless encryption protocols, wireless architecture, attacks on wireless networks, and securing wireless networks. This chapter talks about different but very interesting and important network protocols: routing protocols, especially the Interior Gateway Protocol (IGP).
IGP is used to share the routing information in the form of a routing table within the autonomous system to route traffic and network protocols such as Internet Protocol (IP).
This chapter starts with an explanation of the IGP protocol, various routing protocols, misconfigurations, and the countermeasures that can be implemented to secure the routing protocol from various attacks.
In this chapter, we will cover the following topics:
Now, as we all know, the whole internet is one very large entity made up of many smaller networks. These smaller networks are connected to each other via routing protocols. So, when any computer is connected to the internet, that computer system is part of a smaller network – in networking terms, this smaller network is known as the Autonomous System (AS).
These ASs are connected via the Exterior Gateway Protocol (EGP), so if a computer from, say, AS-1 wants to communicate with another computer in AS-2, it transfers via the EGP. An example of EGP is Border Gateway Protocol (BGP).
Therefore, following a similar concept, when computers inside AS-1 need to communicate with each other, they use the IGP. Examples of IGP are Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Protocol (EIGRP), and Intermediate System-Intermediate System (IS-IS).
So, before deep diving into the routing protocols, let’s understand the EGP and IGP with a simple diagram as follows:
As shown in Figure 12.1, two autonomous systems are interconnected with each other via an EGP routing protocol, and the routers within each of them are connected via IGP routing protocols.
So, now that we understand the AS and routing architecture, let’s look at how the IGP routing protocols work in production environments first.
IGP is used to exchange routing information, in the form of routing tables, between the routers inside an AS. Here, IGP is solely responsible for delivering information to the correct destination (in networking, this is the IP address). If the routing protocols are not defined properly, the messages on the network channel will either miss the destination or be dropped at the very next connected network device. Hence, attackers also exploit misconfigurations of these routing protocols to sniff or spoof messages.
So, let’s understand the behavior of some of the primarily used routing protocols in organizations.
RIP is one of the most widely used forms of IGP on internal networks. RIP uses the hop-count technique to identify changes in the network and to recognize how far communication in the network can reach.
The hop count is defined as the number of connections (routers here) between the source and the destination. This technique helps RIP identify the best and shortest path between the message originator and the target that receives the message.
RIP works on User Datagram Protocol (UDP) and uses port 520.
So, let’s understand how RIP works using Packet Tracer:
Important Note
The sole purpose of this chapter is to analyze the misconfigurations in the routing protocols. Hence, we expect our readers to know the basics about the routing configurations and backgrounds of the various network devices.
As shown in Figure 12.2, the RIP is configured, and the packet is easily transferred from network 192.168.2.0 to 192.168.1.0.
Let us analyze the RIP configuration using an in-built sniffer in Packet Tracer:
As shown in Figure 12.3, the successful packet submitted is sniffed using the Packet Tracer sniffer.
Important Note
In real-time production environments, we can use Wireshark as a sniffer to analyze the packets as well. But just to demonstrate the behavior of a single packet, we have used the feature built into Packet Tracer.
So, now we have understood the protocol behavior of RIP, let us understand another routing protocol – OSPF.
The OSPF protocol, as the name suggests, is the IGP link-state routing protocol that transfers packets by computing the shortest paths in the AS. OSPF is very popular among organizations nowadays, as it transmits packets at a very high rate, even in larger ASs.
The way that OSPF works is very straightforward. All the routers in the AS will share Link-State Advertisements (LSAs) with their neighboring or adjacent router and all the routers will maintain their Link-State Databases (LSDs). Then, based on this, the shortest path between the routers is calculated. Hence, whenever a sender has to transmit any packet from one machine to another in an AS, the routers from the topology will identify the shortest path and then transmit the packets.
When OSPF was introduced, it was very successful for smaller networks, but when this routing algorithm was introduced for bigger organizations with many routers in an AS, OSPF began to fail, as it takes a lot of time to calculate the shortest links between all the routers. But even after that disadvantage, OSPF is still one of the main routing algorithms implemented in organizations because of its many advantages. A few of the advantages of the OSPF protocol are listed as follows:
OSPF works on port 89 and supports both IPv4 and IPv6. The current version of supported OSPF is v2 for IPv4 and v3 for IPv6.
So, let’s understand OSPF from the following screenshot:
As shown in Figure 12.4, consider a very small AS with five sets of routers – now, consider that router A would like to create the LSD, so it will send the LSA update to each connecting router to update the table. Then, those routers will send the LSA to another connecting router, and once the connected routers update their tables, they will send an update to router A, and router A will update the LSD.
But the question arises here – how will router A or any other connected routers calculate the shortest or the fastest path?
So, the answer is very simple. The OSPF protocol calculates the path via the assigned COST value of each link, and then adds up the total cost to reach that router. This is shown as follows.
So, let’s say router A would like to send a packet to router C, so let’s calculate the total cost via multiple paths:
So, from the calculation of the paths, the shortest (or the fastest) path is A + E + C = 50. Hence, if any machine connected to router A would like to send a message to a machine connected to router C, the path will be A + E + C. A similar methodology is being used for all other router matrices as well.
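As an added example (not code from the chapter), here is the cost calculation from Figure 12.4 carried out in Python over a constructed five-router topology. The link costs are assumptions chosen so that A -> E -> C sums to 50 as in the text; every other value is made up. The all_paths function mirrors the chapter’s approach of adding up the cost of each candidate path, while spf is Dijkstra’s shortest path first, the algorithm OSPF actually runs over its LSDB, so the block also shows the general method of which the text works one instance.

```python
import heapq

# Constructed five-router topology. The costs are assumptions chosen so that
# the path A -> E -> C totals 50, matching the chapter's Figure 12.4 walkthrough.
LINK_COSTS = {
    ("A", "B"): 20, ("A", "E"): 10, ("B", "C"): 40, ("B", "D"): 30,
    ("D", "C"): 15, ("E", "C"): 40, ("E", "D"): 30,
}

def build_graph(link_costs):
    """Turn an undirected link -> cost map into an adjacency dict."""
    graph = {}
    for (u, v), cost in link_costs.items():
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph

def all_paths(graph, source, dest, path=None):
    """Enumerate every loop-free path with its summed cost: the chapter's
    'calculate the total cost via multiple paths' step."""
    path = [source] if path is None else path
    if source == dest:
        yield list(path), 0
        return
    for nxt, cost in graph[source].items():
        if nxt not in path:
            for tail, tail_cost in all_paths(graph, nxt, dest, path + [nxt]):
                yield tail, cost + tail_cost

def spf(graph, source):
    """Dijkstra's shortest path first, the algorithm OSPF runs over its LSDB."""
    dist, prev, seen = {source: 0}, {}, set()
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in seen:
            continue
        seen.add(u)
        for v, cost in graph[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    return dist, prev

def best_path(graph, source, dest):
    """Return (router list, total cost) of the cheapest path, or (None, None)."""
    dist, prev = spf(graph, source)
    if dest not in dist:
        return None, None
    path = [dest]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], dist[dest]

if __name__ == "__main__":
    graph = build_graph(LINK_COSTS)
    for path, cost in all_paths(graph, "A", "C"):
        print(" + ".join(path), "=", cost)
    print("best:", best_path(graph, "A", "C"))
```

Run as a script, the block lists all six loop-free A-to-C paths with their totals and then the SPF result, A + E + C = 50.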
So, let us understand this with a simple demonstration, shown as follows:
As shown in Figure 12.5, two adjacent routers are configured to each other and are also connected to their respective computers. Now, PC0 sends a message to PC1, and the message is successfully delivered using the OSPF routing protocol.
So, now that we understand RIP and OSPF in detail, let’s look at the behavior of the IS-IS protocol.
IS-IS is a link-state routing protocol that was designed specifically for the Open Systems Interconnect (OSI) model by the International Standards Organization (ISO). IS-IS is especially used by Internet Service Providers (ISPs) because of its scalability.
Some of the characteristics of the IS-IS protocol are as follows:
So, now we have understood the behavior of the IS-IS protocol. Let’s understand IS-IS in more depth.
When IS-IS was originally designed, it was used as an EGP on the OSI layer, but as technologies evolved, IS-IS was changed to support the TCP/IP protocol, and hence it was named Dual IS-IS or Integrated IS-IS.
Dual IS-IS was designed to provide the following:
Now, let’s move to another concept in IS-IS called Connectionless Network (Address) Protocol (CLNP).
A CLNP address, known as the NET address for short, is used to assign an address to the routers on Layer 3 as a replacement for the IP address. Hence, CLNP became very popular in Cisco deployments and is being adopted by large-scale companies. A CLNP address is comprised of three major fields, defined as follows:
Hence, combining the values, the CLNP address will be represented as follows:
49.0001.1111.1111.1111.00 -- CLNP or Net Address
The IS-IS supports a two-layer hierarchy:
IS-IS can work on both layers simultaneously as well. We can define the layers in IS-IS manually but if not defined, the default will be L1/L2.
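Added example (not from the chapter): a small Python validator for NET addresses such as the one above. The field layout assumed is the standard one: an area address (AFI plus area ID), a six-byte system ID written as three groups of four hex digits, and a one-byte NSEL that is 00 on a router. The duplicate-system-ID check is a configuration lint, since two routers sharing a system ID cannot be told apart in IS-IS.

```python
import re

HEX4 = re.compile(r"^[0-9a-fA-F]{4}$")
HEX2 = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_net(net):
    """Split a NET such as 49.0001.1111.1111.1111.00 into its fields.
    Assumed layout: area address (AFI + area ID groups), a 6-byte system ID
    written as three 4-hex-digit groups, and a 1-byte NSEL."""
    parts = net.split(".")
    if len(parts) < 5:
        raise ValueError(f"NET too short: {net}")
    afi, *area_id = parts[:-4]
    system_id, nsel = parts[-4:-1], parts[-1]
    if not HEX2.match(afi) or not all(HEX4.match(g) for g in area_id):
        raise ValueError(f"bad area address in {net}")
    if not all(HEX4.match(g) for g in system_id):
        raise ValueError(f"bad system ID in {net}")
    if not HEX2.match(nsel):
        raise ValueError(f"bad NSEL in {net}")
    return {
        "afi": afi,
        "area": ".".join(parts[:-4]),
        "system_id": ".".join(system_id),
        "nsel": nsel,
    }

def check_router_nets(nets):
    """Configuration lint over the NETs of several routers: every router NET
    needs NSEL 00, and system IDs must be unique across the routers."""
    problems, seen = [], {}
    for net in nets:
        try:
            fields = parse_net(net)
        except ValueError as err:
            problems.append(str(err))
            continue
        if fields["nsel"] != "00":
            problems.append(f"{net}: NSEL must be 00 on a router")
        sid = fields["system_id"]
        if sid in seen:
            problems.append(f"{net}: duplicate system ID with {seen[sid]}")
        seen.setdefault(sid, net)
    return problems

if __name__ == "__main__":
    # Constructed sample NETs: the chapter's address plus a second router.
    print(parse_net("49.0001.1111.1111.1111.00"))
    print(check_router_nets(["49.0001.1111.1111.1111.00",
                             "49.0001.2222.2222.2222.00"]))
```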
As shown in Figure 12.6, two routers are successfully connected and are ready to communicate with each other using the IS-IS routing protocol. So, let’s configure the IS-IS routing protocol in both routers:
As shown in Figure 12.7, the IS-IS configuration is successfully built and the routers will now start communicating with each other.
So, now that we have learned about the working and behaviors of various network routing protocols, let us look now at some of the loopholes of these routing protocols.
Router falsification is an attack in which an attacker sends fake or false routing information to the network. Once the intermediate connected nodes (routers here) accept the false routing information, such as fake LSAs (in OSPF), routers tend to update their routing tables. These attacks can prove dangerous, as they lead to website phishing, MITM attacks, eavesdropping, and DNS spoofing.
To perform falsification attacks, a few assumptions are required to achieve the target. The primary assumption is that the attacker cannot be a receiver, but they need to be an originator. This means that the attacker’s machine should be capable of originating the false routing information and should be acting as a forwarder of the falsified routing data, rather than just being capable of receiving the information.
A falsification attacker acting as an originator is described as follows:
As shown in Figure 12.8, router A (RA) is connected to the internet via router B (RB) – router C (RC) is connected to the internet and the internal network the same way as RA. Now, let’s assume that in the actual scenario, RA can advertise its link to the internet through RB, and RC is authorized to advertise the links to the network. As per this scenario, RA is not authorized to advertise any link to the network, meaning that RA cannot control the links to the network, but still has a connecting link to it.
Let’s assume RA is an attacker’s router, which means the attacker is controlling the complete link states, the protocol information such as router IDs, link-state IDs, and the advertising router. Now, RA will advertise the links with fake routing, claiming that the shortest path to reach the network is through RA to RB and the internet. Once RB accepts and modifies the routing table and authorizes the traffic flow, the complete network traffic flow will start flowing through the RA, and the attacker will be able to control the traffic flow.
Now, two things could happen – either based on authorization, the traffic to the network will start flowing through RA, or the traffic will never reach the destination. But in either case, RA will be able to control the network traffic.
So, now we have understood the basics of overclaiming, let’s move on to another concept – disclaiming or misclaiming.
Let’s understand this with the help of an example, as shown in the following screenshot:
As shown in Figure 12.9, let’s suppose RA has authorized some rights in the network but not full control over the network. RA starts sending fake LSA messages to the whole network through RB. Once the fake routing LSAs are accepted, RA will be able to control the network traffic.
Now, we have understood the types of falsification with examples. Let’s look at how we can exploit this with a real-world example, as shown in the following screenshot:
As shown in Figure 12.10, let’s suppose there is an integration of a new server segment in the network, and to integrate the routing, there is a new router, RC, being introduced in the network with OSPF routing.
Now, as per the default behavior of the routers, RC, to build trust with other routers in the network, will start sending the LSA with routing information – say, a 10.1.1.1/24 integration – to other routers. The other connecting routers will start updating their corresponding routing tables without checking the integrity of the routing information.
Let’s assume there is an attacker with a fake router who is also part of this network, is in MITM mode, and also receives this information. As soon as the attacker’s router receives it, the attacker sends a fake LSA packet into the network claiming that the 10.1.1.1/24 network is no longer supported and that the new subnet is 192.168.1.1/24.
As soon as the other routers receive this fake LSA, they will also start updating their routing table information to build trust with the new integrated router and network. Once the routing tables are updated, the attacker will start getting traffic from the other connecting devices for the newly integrated network.
So, this is the falsification of OSPF routing by sending fake LSAs. Now that we understand these routing protocol attacks, let’s look at some other routing protocol attacks.
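A defender’s counterpart to the scenario above, added here and not part of the chapter: a Python model of one neighboring router’s LSDB that replays Figure 12.10 with and without LSA authentication. The area key, router names, prefixes and sequence numbers are constructed placeholders, and the HMAC-SHA256 digest stands in for OSPF cryptographic authentication, which binds each LSA to a key the rogue router does not hold.

```python
import hashlib
import hmac
import json

# Constructed area key standing in for the OSPF authentication key that every
# legitimate router in the area is configured with (placeholder value).
AREA_KEY = b"example-area-key"

def lsa_digest(lsa, key):
    """Keyed digest over the LSA fields. Models OSPF cryptographic
    authentication; the digest cannot be produced without the key."""
    body = json.dumps(lsa, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class LinkStateDB:
    """One router's LSDB, keyed by prefix, with optional LSA authentication."""

    def __init__(self, key, authenticate):
        self.key = key
        self.authenticate = authenticate
        self.db = {}
        self.rejected = []  # (reason, lsa)

    def receive(self, lsa, digest=None):
        if self.authenticate:
            expected = lsa_digest(lsa, self.key)
            if digest is None or not hmac.compare_digest(digest, expected):
                self.rejected.append(("auth-failed", lsa))
                return False
        current = self.db.get(lsa["prefix"])
        if current is not None and current["seq"] >= lsa["seq"]:
            self.rejected.append(("stale", lsa))
            return False
        self.db[lsa["prefix"]] = lsa
        return True

    def next_hop(self, prefix):
        entry = self.db.get(prefix)
        if entry is None or not entry["reachable"]:
            return None
        return entry["advertising_router"]

def run_scenario(authenticate):
    """Replay the Figure 12.10 story: RC announces the new segment, then the
    rogue router withdraws it in RC's name and announces a replacement."""
    lsdb = LinkStateDB(AREA_KEY, authenticate)
    legit = {"prefix": "10.1.1.0/24", "advertising_router": "RC",
             "seq": 1, "reachable": True}
    lsdb.receive(legit, lsa_digest(legit, AREA_KEY))
    # The rogue router does not hold the area key, so its digests are wrong.
    forged = [
        {"prefix": "10.1.1.0/24", "advertising_router": "RC",
         "seq": 2, "reachable": False},
        {"prefix": "192.168.1.0/24", "advertising_router": "ROGUE",
         "seq": 1, "reachable": True},
    ]
    for lsa in forged:
        lsdb.receive(lsa, lsa_digest(lsa, b"guessed-key"))
    routes = {p: lsdb.next_hop(p) for p in ("10.1.1.0/24", "192.168.1.0/24")}
    return routes, [reason for reason, _ in lsdb.rejected]

if __name__ == "__main__":
    print("no authentication:", run_scenario(False))
    print("authenticated LSAs:", run_scenario(True))
```

Without authentication the router accepts both forged LSAs because they are simply newer; with it, both fail the digest check and the legitimate route via RC stays in place.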
Now, before diving deeper into the attack phase, let’s understand some of the networking basics first to define Distributed Denial-of-Service (DDOS) on control planes.
Planes in networking are simply defined as the dimensions to define how the data packet will be transmitted from the source to the destination and handled during data transmission, as well as the methods of monitoring the data transmission.
Now, these planes, in networking terminology, are divided into three categories:
The control plane decides how to forward the data, which means how the data will be transferred from source to destination. The process of creating the routing table in which the routers store the network paths is part of the control plane.
Now, once the control plane decides on the data transference, the data plane will be responsible for the transfer of data packets. The data plane is also known as the forwarding plane.
The management plane is where the engineers configure and monitor the network devices. The management plane runs on the same processor as the control plane.
So, now we have understood the network planes, let’s look at attacks on the control plane.
A Denial-of-Service (DOS) attack is an attempt to send many packets that will cut off the connection between the users and the network devices by increasing the load on the network or utilizing the machine’s resources. In this case, users won’t be able to access anything in the network.
Now, DDOS, on the other hand, performs the same attack but in a distributed way. A lot of bots send a huge quantity of packets to consume all the resources, which eventually brings down the device, and the users in the network won’t be able to access it.
Now, in the case of a control plane DDOS attack, the attackers would send a huge quantity of control packets to the device’s control plane, which would result in exhaustion and an excessive load on the router that disrupts the network communications.
A reflection attack on the control plane is another type of DOS attack that is typically different from the original DOS or DDOS attack. The reflection attack is performed in two main phases:
So, now we have learned about the various attacks on the control plane, let’s look at some of the attacks on the management plane.
Important Note
Performing DOS or DDOS attacks in the real-world network should be avoided, as it could bring down the whole network – losing one router or switch connection in the network can result in losing the entire network connection. Hence, demonstrating DOS or DDOS attacks is not possible for this section.
Routing tables are defined as the set of rules and information, presented in a tabular format, that determine the route of traffic in the network. The routing table is the most important part of any routing protocol, as it represents how the router’s IP addressing relates to its directly connected neighboring routers.
The routing table usually consists of the destination IP address, subnet mask, and interface. This is shown as follows:
Destination Address | Subnet Mask | Interface
192.168.1.0/24 | 255.255.255.0 | FastEthernet0/0
192.168.2.0/24 | 255.255.255.0 | FastEthernet0/1
Default | | FastEthernet0/1
The default gateway corresponding entry to the destination address in the routing table is always 0.0.0.0 and the subnet mask is always set to 255.255.255.255.
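As an added example, not from the chapter: a longest-prefix-match lookup over a routing table of the shape shown above, written in Python with the standard ipaddress module. The table entries are constructed, the default entry is written in CIDR form as 0.0.0.0/0, and an extra, more specific /25 route is included in the script run to show why the most specific entry must win over the /24 that also covers the address.

```python
import ipaddress

# Constructed routing table mirroring the chapter's layout.
ROUTING_TABLE = [
    ("192.168.1.0/24", "FastEthernet0/0"),
    ("192.168.2.0/24", "FastEthernet0/1"),
    ("0.0.0.0/0", "FastEthernet0/1"),   # the default route
]

def routing_rows(table):
    """Render each entry as (destination, subnet mask, interface) rows."""
    rows = []
    for prefix, iface in table:
        # strict=False tolerates an entry written with host bits set
        net = ipaddress.ip_network(prefix, strict=False)
        rows.append((str(net.network_address), str(net.netmask), iface))
    return rows

def lookup(table, destination):
    """Longest-prefix match: of all entries covering the destination, the
    one with the longest mask decides the next hop interface."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None

if __name__ == "__main__":
    for row in routing_rows(ROUTING_TABLE):
        print("%-16s %-16s %s" % row)
    specific = ROUTING_TABLE + [("192.168.1.128/25", "Serial0/0")]
    for dst in ("192.168.1.10", "192.168.1.200", "8.8.8.8"):
        print(dst, "->", lookup(specific, dst))
```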
Now, as we all know, the routing packet contains complete information about the source and the destination address. This information helps to build a proper routing table so that the routing protocol can decide the best path, as we have already seen with the OSPF protocol, and after choosing the best and shortest path, this information is also stored in the routing table.
Hence, while sending the packets from any source to the destination, the routing table will instruct the device to send packets to the next hop. The following entries are stored with every single entry in the routing table:
So, let’s now see how this routing table looks in a router using Packet Tracer.
As shown in Figure 12.11, the show ip route command is used to display the routing table information.
Let’s look at the directly connected devices, as shown in the following screenshot:
As shown in Figure 12.12, the show ip route connected command shows the next hops directly connected to Router0, to which the packet will be transferred.
Now, before exploring routing table poisoning, let’s understand the issue with the Distance Vector Routing (DVR) protocol first.
The main problem with DVR is that if any router fails, the other routers will take some time to be notified about the failure, and in the meantime, the other routers will start sending the data packets, which will eventually create an infinite loop. Let’s understand this with the help of an example:
As shown in Figure 12.13, there are three connected routers (R0 -> R1 -> R2). Now, let’s take an example here – from R1 to R2, the total cost of a packet is 1, and from R0 to R2, it is 2.
After some time, R2 goes down, and the connection between R1 and R2 is disconnected. Now, once R1 learns about the failure, it will automatically remove the path from its table. But before sending an update to R0, R1 receives an update from R0. Now, R1 will send back an update that the total cost to reach R2 will be 3, and then once R0 receives an update, it will send the next packet with a cost of 4, and the loop will continue. This is called the Count to Infinity problem, in which the routers keep on sending false information about the cost and paths to each other in a never-ending loop.
This problem has two solutions, as listed:
Now, once the routers receive the infinity value, all the routers accept this information and modify the routing table. But the main issue with route poisoning is that the number of announcements increases, which can flood the environment.
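Added example, not from the chapter: a Python simulation of the three-router chain in Figure 12.13 that reproduces the count-to-infinity climb and then shows it stopping when the poisoned route is combined with split horizon with poisoned reverse (routes learned from a neighbor are advertised back to it as infinity). Router names, the cost of 1 per link and the infinity value of 16 are assumptions taken from the text and from RIP’s conventions; the update order (R0 speaks first) is chosen to match the sequence the text describes, where R0’s stale update reaches R1 before R1’s own update goes out.

```python
INF = 16  # RIP-style infinity: a cost of 16 means "unreachable"

class Router:
    def __init__(self, name):
        self.name = name
        self.links = {}   # neighbour name -> link cost
        self.table = {}   # destination -> (cost, next hop)

    def connect(self, other, cost):
        self.links[other.name] = cost
        other.links[self.name] = cost
        self.table[other.name] = (cost, other.name)
        other.table[self.name] = (cost, self.name)

    def link_down(self, neighbour):
        """Route poisoning: keep every route that used the dead link but mark
        it unreachable, so the poison is advertised instead of silently dropped."""
        del self.links[neighbour]
        for dest, (cost, nh) in list(self.table.items()):
            if nh == neighbour:
                self.table[dest] = (INF, None)

    def advertise(self, to, poisoned_reverse):
        """Distance vector sent to neighbour `to`. With split horizon and
        poisoned reverse, routes learned via `to` go back to it as INF."""
        vector = {}
        for dest, (cost, nh) in self.table.items():
            if poisoned_reverse and nh == to and dest != to:
                vector[dest] = INF
            else:
                vector[dest] = cost
        return vector

    def process(self, sender, vector):
        """Bellman-Ford update; the current next hop is always believed,
        even when it now reports a worse or infinite cost."""
        changed = False
        link = self.links[sender]
        for dest, adv_cost in vector.items():
            if dest == self.name:
                continue
            new_cost = min(INF, link + adv_cost)
            cost, nh = self.table.get(dest, (INF, None))
            if nh == sender:
                if new_cost != cost:
                    self.table[dest] = (new_cost, sender)
                    changed = True
            elif new_cost < cost:
                self.table[dest] = (new_cost, sender)
                changed = True
        return changed

def exchange_round(routers, poisoned_reverse):
    """One round of sequential updates, R0 first (the order in the text)."""
    by_name = {r.name: r for r in routers}
    changed = False
    for r in routers:
        for nb in list(r.links):
            if nb in by_name:
                changed |= by_name[nb].process(r.name, r.advertise(nb, poisoned_reverse))
    return changed

def simulate(poisoned_reverse, max_rounds=50):
    """Return (rounds with changes after R2 fails, R0's cost to R2 per round)."""
    r0, r1, r2 = Router("R0"), Router("R1"), Router("R2")
    r0.connect(r1, 1)
    r1.connect(r2, 1)
    while exchange_round([r0, r1, r2], poisoned_reverse):
        pass                         # initial convergence: R0 reaches R2 at cost 2
    assert r0.table["R2"] == (2, "R1")
    r1.link_down("R2")               # R2 goes down
    trace, rounds = [], 0
    while rounds < max_rounds and exchange_round([r0, r1], poisoned_reverse):
        rounds += 1
        trace.append(r0.table["R2"][0])
    return rounds, trace

if __name__ == "__main__":
    print("naive:", simulate(poisoned_reverse=False))
    print("split horizon + poisoned reverse:", simulate(poisoned_reverse=True))
```

Without the fix, R0’s cost to R2 climbs 4, 6, 8, ... until it hits 16 after eight rounds, exactly the never-ending exchange the text describes bounded only by the infinity value; with poisoned reverse, R0 learns the route is dead in a single round.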
Now we have understood the routing table, its issues, and why route poisoning was introduced. Think from an attacker’s perspective: if an attacker starts sending fake announcements in the network and can modify the routing tables, it eventually causes the network to malfunction or be completely compromised.
Now, the packets that plant fake routing table entries can be crafted with an automated tool, T50, written by Frederico Pissarra. You can find it here: https://gitlab.com/fredericopissarra/t50/-/releases.
The following figure shows the automated tool attack:
As shown in Figure 12.14, 1,000 fake packets are flooded and will poison the routing tables with fake entries.
Now, similar types of attacks can be performed on the management plane, in which an attacker attacks and controls the switches:
As shown in Figure 12.15, the show mac-address-table command presents the CAM table entries in the switch.
Now, an attacker can flood this CAM table with fake entries using the macof tool, which is pre-installed in Kali Linux. The following screenshot shows the macof tool:
As shown in Figure 12.16, 10 entries in the MAC table were sent to poison the MAC table of the switch connected at eth0.
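A defender-side counterpart, added here and not part of the chapter: the detection logic a switch’s port security feature (or a monitoring script fed with sampled frames) applies to notice a MAC table flood, namely counting how many never-before-seen source MACs appear on one port inside a short window. The frames, port names, window and threshold are constructed placeholders.

```python
from collections import defaultdict

MAX_NEW_MACS = 10      # new source MACs tolerated per port per window (assumed)
WINDOW_SECONDS = 1.0

def constructed_frames():
    """Constructed sample: Gi0/2 carries a normal host pair, while Gi0/1
    suddenly sees 50 never-before-seen source MACs within half a second."""
    frames = [(0.0, "Gi0/2", "00:11:22:33:44:55"),
              (30.0, "Gi0/2", "00:11:22:33:44:66")]
    for i in range(50):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append((5.0 + i * 0.01, "Gi0/1", mac))
    return frames

def detect_cam_flood(frames, max_new_macs=MAX_NEW_MACS, window=WINDOW_SECONDS):
    """Return {port: peak number of new MACs learned inside one window} for
    every port that exceeds the limit; these are the ports port security
    would shut down or restrict."""
    first_seen = defaultdict(dict)          # port -> mac -> first timestamp
    for ts, port, mac in sorted(frames):
        first_seen[port].setdefault(mac.lower(), ts)
    alerts = {}
    for port, macs in first_seen.items():
        times = sorted(macs.values())
        left, worst = 0, 0
        for right, t in enumerate(times):   # sliding window over first-seen times
            while t - times[left] > window:
                left += 1
            worst = max(worst, right - left + 1)
        if worst > max_new_macs:
            alerts[port] = worst
    return alerts

if __name__ == "__main__":
    print(detect_cam_flood(constructed_frames()))
```

The same frames spread over an hour would not trigger the alert, which is the point of windowing: a flood is many new addresses at once, not many addresses over time.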
Now that we have seen the attacks on switches and routers, let us look at the security configurations for routers.
Nowadays, building networks is much more complex than it used to be. Performing network-related tests is a much more difficult task for network administrators, especially in terms of bandwidth testing, any glitch that has caused the intermediate connecting network devices to disconnect from the network, or tracing the packet loss between the host and the server.
Therefore, packet generation plays a vital role in troubleshooting network issues. Packet generation is a type of traffic generation that defines the flow of packets and data sources between the client and the server in a packet-switched network. For example, in the case of the web, traffic is sent in the form of web packets to be received and sent by the user’s browser.
Therefore, traffic generation defines the flow of certain traffic between the sender and the receiver in a certain format and network, such as cellular networks or computer networks.
Now, for this book and chapter, we will focus on computer networks, but please feel free to explore cellular traffic as well.
To analyze the traffic performance in real time, there are numerous tools present on the internet such as Bwping or iperf. But as per my experience, network administrators generally prefer using iperf, because it is very user-friendly, comes with multiple options, is compatible with Windows and Linux (both flavors), gives accurate details, and most importantly, can generate both TCP and UDP packets.
So, let us analyze the traffic bandwidth by generating a certain number of packets between the client and server.
Now, to generate the traffic between two hosts, we need to create a server listener at one end, as shown in the following screenshot:
As shown in Figure 12.17, a listener is set up at one end of the network. Now, let’s set up a client at the other end of the network, as shown in the following screenshot:
As shown in Figure 12.18, the machine on another end is connected to the machine with the listener open, and as we can see, there is an exchange of traffic at a bandwidth rate of 35.4 Gbits/sec.
We can monitor the same thing in the system monitor window, where the memory utilization graph peaks during the exchange of traffic or traffic generation:
As shown in Figure 12.19, before the client connected to the listener machine, the traffic exchange was normal and CPU utilization was lower, but as soon as the client is connected to the server, there is an exchange of traffic, causing the CPU utilization to immediately go up and manifesting as a visible peak in the network.
Now, attacks on the data plane are similar to the types of attacks we have seen performed on the management plane, but the nature of the attacks will be completely different.
So, as we know, the data plane is the carrier of the data packets – hence, the following are the levels of attacks that can be performed here:
So, let’s look at a DOS attack on the data plane:
As shown in Figure 12.20, the attack is started at port 80 on a server running at 192.168.64.130. After some time, the server wasn’t reachable:
As shown in Figure 12.21, the service is down. Now, we have seen multiple attacks on routers and routing protocols, let’s look at the security configurations at the router’s end.
Now we have seen various types of attacks on routers, let’s look at the high-level security best practices that can be applied to the routers to protect against various levels of attacks:
NetFlow – A technology used by network administrators to monitor the traffic flow to and from the routers.
Hence, a strong login password should be set for SSH. In addition to this, the administrators should use a stronger encryption mechanism to authenticate the administrators at the router’s IOS config level. This can be achieved by using the enable secret command.
Another security implementation that should be carried out is the implementation of the TACACS+ or Radius password management server. This enables the authentication requests to check the access level granted to the users or groups first and then based on the permissions set, the access is granted or denied.
Network administrators should also enable the lockout feature in routers. This locks out users after three to five failed login attempts:
There are other types of ACLs besides infrastructure ACLs, known as VLAN ACLs (VACLs). These VACLs will enforce the traffic rules routed to and from inter-VLAN or intra-VLAN. These VACLs protect the environment using both segmentation and segregation. For example, SWIFT environments are often placed in an isolated zone, and these are separated from the whole environment using the VACLs:
Important Note
These are some of the important configurations that protect against network intrusions. For the complete information, CISCO has published a complete document on secure router configurations. Please follow the link for complete information: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html.
BGP is an EGP that was introduced in 1984 as v1 to route the network packets by choosing the best routing path. Hence, BGP is also known as the dynamic routing protocol.
So, as time evolved, the internet started growing, and the network traffic eventually started putting a greater load on the communication channels. Hence, the BGP was reframed and multiple versions were introduced. The current version of BGP is v4.
Now, as we know, for routers to communicate outside of their AS, they need to have BGP configured. The local network administrator will not know which AS number they should configure under. So, to solve all the AS and BGP configuration issues, all organizations take the AS configurations from their ISP. Hence, the ISP will put the organization’s network routes under its own AS, making it a single AS to route traffic from the organization to the global internet.
So, as with OSPF, BGP also transfers data by choosing the best path for the transfer, but not using the parameters that OSPF does. BGP chooses the best path from path parameters such as the number of hops, which in networking terms makes it a distance vector protocol: the routing protocol calculates the number of hops between the source and destination. This is shown as follows:
As shown in Figure 12.22, the source AS, A100, sends the requests and collects the responses from both distance vectors. Now, based on distance vector calculation, BGP will choose Distance vector 2 as the best path, as it only has two AS hops to reach the destination.
Now, there is another very important concept in BGP – it is programmed to avoid routing loops. This means that if the source AS receives a path that already contains its own AS number, which would form a loop, it simply rejects that path and chooses the next-best path. Let’s understand this with the help of a diagram as follows:
As shown in Figure 12.23, the first distance vector that BGP receives forms a loop, and hence, BGP will simply drop the path. So, let us now look at the BGP tables and messages.
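As an added Python example (not from the chapter), here are the loop check and the hop-count comparison described above, run over constructed announcements for one prefix. The ASN 100 stands for the chapter’s A100; the peers, prefix and path values are made up. The decision also considers LOCAL_PREF before AS_PATH length, which the real BGP decision process does and the text leaves out, so the block goes slightly beyond the figure.

```python
MY_ASN = 100  # the source AS, A100 in the chapter's figure (ASN value assumed)

# Constructed announcements for one prefix as received from three BGP peers.
ANNOUNCEMENTS = [
    {"prefix": "203.0.113.0/24", "as_path": [200, 300, 100, 400],
     "next_hop": "peer-1", "local_pref": 100},      # contains our own ASN
    {"prefix": "203.0.113.0/24", "as_path": [200, 300, 400],
     "next_hop": "peer-2", "local_pref": 100},
    {"prefix": "203.0.113.0/24", "as_path": [500, 400],
     "next_hop": "peer-3", "local_pref": 100},      # two AS hops
]

def loop_free(announcement, my_asn):
    """Reject any path that already carries our own AS number."""
    return my_asn not in announcement["as_path"]

def select_best(announcements, my_asn):
    """Shortened BGP decision process: drop looped paths, prefer the highest
    LOCAL_PREF, then the shortest AS_PATH. Returns None if nothing is usable."""
    candidates = [a for a in announcements if loop_free(a, my_asn)]
    if not candidates:
        return None
    return min(candidates, key=lambda a: (-a["local_pref"], len(a["as_path"])))

def readvertise(announcement, my_asn):
    """Prepend our ASN when passing the route on; this is what lets the
    next AS along the path detect a loop."""
    return {**announcement, "as_path": [my_asn] + announcement["as_path"]}

if __name__ == "__main__":
    for a in ANNOUNCEMENTS:
        print(a["next_hop"], a["as_path"], "loop-free" if loop_free(a, MY_ASN) else "LOOP, dropped")
    best = select_best(ANNOUNCEMENTS, MY_ASN)
    print("best:", best["next_hop"], "re-advertised as", readvertise(best, MY_ASN)["as_path"])
```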
BGP creates three tables:
BGP uses four different types of messages:
So, now we have covered the operation of BGP. Let us now look at how BGP works in real time through simulation in Packet Tracer:
As shown in Figure 12.24, the BGP is configured for Router1, and the same configuration is being done at Router0 and Router2. Now, once all the routers learn about each connecting node, the source can then start the data transmission.
Now, we have learned the BGP in depth. Let’s look at some of the flaws of BGP.
BGP hijacking in simple terms is defined as the rerouting of the ongoing traffic from one AS to another AS, which is completely owned by the attackers. BGP hijacking is also known as prefix, route, or IP hijacking.
Let’s understand this with a small example. Imagine every day everyone takes different routes from home in the morning to reach the same destination, which only has a single road to go and come back from it. Now, suddenly, one day, a parallel road is designed by hijackers, and as an announcement, a sign has been installed that signals that this is the shortest road to reach the destination, so everybody turns down that newly built road. After this, all of the traffic will eventually be hijacked by the attacker. Let’s frame this with a simple diagram, as shown in the following figure:
As shown in Figure 12.25, an attacker or a hijacker created a fake road just parallel to the other road, so now all the traffic will be rerouted to the fake road.
So, a similar idea applies to BGP hijacking. Attackers corrupt the internet routing tables and illegitimately take over IP addresses. To achieve this, the attackers own a router and announce IP addresses that are not actually assigned to that router. This announcement offers the other routers a shorter path, so the source router adds the attacker’s router ID to its BGP routing table, which eventually redirects the traffic to the attacker’s own IP address. The complete attack pattern is shown in the following screenshot:
As shown in Figure 12.26, an attacker announced an IP address with the shortest route for the destination.
So, now that we have learned about BGP hijacking, let’s look at what would happen if the BGP is hijacked:
There are many other scenarios, such as the BGP hijacking in 2018 in which hackers were able to steal approximately $152,000 in the form of digital money or cryptocurrency.
Now, let’s demonstrate BGP hijacking in a real-time scenario, as shown in the following figure:
As shown in Figure 12.27, the current BGP configuration for the corresponding next hop in the R5 router for the 1.0.0.0 network is 9.0.6.1/9.0.7.1, and similarly for other networks as well.
Now, an attacker will create a rogue AS and fake the route information to send the traffic through the rogue AS, as shown in the following figure:
As shown in Figure 12.28, with a fake AS, there is a new entry to the 1.0.0.0 network with the corresponding next hop being 9.0.8.2/9.0.5.2. Now, all the traffic will be routed through these new network configurations.
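Added example, not from the chapter or from any BGP implementation: a route origin validation check, written in Python, of the kind a router or monitoring system runs to reject the rogue announcement shown above. The 1.0.0.0 network from the demonstration is assumed to be a /8; the authorized origin, the rogue origin, the maximum prefix length and the announcement feed are constructed values using private ASNs.

```python
import ipaddress

# Constructed Route Origin Authorizations: which AS may originate which
# prefix, and how specific an announcement of it may be.
ROAS = [
    {"prefix": "1.0.0.0/8", "max_length": 16, "origin_asn": 65001},
]

# Constructed announcement feed: legitimate, rogue origin, too-specific, unknown.
FEED = [
    {"prefix": "1.0.0.0/8", "as_path": [65010, 65001]},
    {"prefix": "1.0.0.0/8", "as_path": [65020, 65666]},
    {"prefix": "1.2.3.0/24", "as_path": [65010, 65001]},
    {"prefix": "9.0.0.0/8", "as_path": [65001]},
]

def origin_asn(announcement):
    """The originating AS is the last entry of the AS_PATH."""
    return announcement["as_path"][-1]

def validate_origin(announcement, roas):
    """Return 'valid', 'not-found' (no ROA covers the prefix) or
    'invalid:<reasons>' for an announcement checked against the ROA set."""
    net = ipaddress.ip_network(announcement["prefix"], strict=False)
    origin = origin_asn(announcement)
    covering = [r for r in roas
                if net.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not covering:
        return "not-found"
    reasons = set()
    for roa in covering:
        if roa["origin_asn"] != origin:
            reasons.add("origin-mismatch")
        elif net.prefixlen > roa["max_length"]:
            reasons.add("too-specific")
        else:
            return "valid"
    return "invalid:" + ",".join(sorted(reasons))

def route_alerts(feed, roas):
    """Monitor a stream of announcements and return the ones ROV rejects,
    as (prefix, origin ASN, verdict) tuples."""
    alerts = []
    for a in feed:
        verdict = validate_origin(a, roas)
        if verdict.startswith("invalid"):
            alerts.append((a["prefix"], origin_asn(a), verdict))
    return alerts

if __name__ == "__main__":
    for a in FEED:
        print(a["prefix"], "from AS", origin_asn(a), "->", validate_origin(a, ROAS))
    print("alerts:", route_alerts(FEED, ROAS))
```

A prefix with no covering ROA is reported as not-found rather than invalid, which matters in practice: dropping unknown routes would break reachability for every network that has not yet published one.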
Now, we understand how dangerous it would be if BGP protocol was hijacked. So, let’s understand how we can protect it.
The following methods can be used to prevent BGP hijacking:
In this chapter, we learned in depth about types of IGP and EGP such as OSPF, RIP, BGP, and IS-IS, and analyzed them using various packet sniffers and GUI-based network simulators such as Packet Tracer and GNS3. Then, we learned about BGP. Apart from routing protocols, we performed practical demonstrations of attacks such as routing table poisoning and BGP hijacking, and also learned about the various mitigation techniques for routing protocols and how to configure routers securely.
Now, in the next chapter, we will learn about a very important protocol from the attacker’s point of view, which is Domain Name Service (DNS), its behavior analysis using sniffers, and the practical demonstration of various real-time attacks on DNS.