Routing protocol protection lab

Goal: to prevent a DoS attack carried out by spoofing through a rogue AP (installed accidentally or on purpose) that is linked to a device generating routing-protocol traffic. We use a Mikrotik RB433 routerboard (accomplice AP and all-in-one router), then mitigate with an ACL and MD5 hash authentication.

Date: 25 August 2011    Instructor: Ernesto Vilarrasa

Scenario (carried out with real equipment; diagram in PT)

OSPF configurations for MD5 Authentication: MD5 authentication provides higher security than plain text authentication. This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password (or key). This hash value is transmitted in the packet, along with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its own hash value. If nothing in the message changes, the hash value of the receiver should match the hash value of the sender which is transmitted with the message. The key ID allows the routers to reference multiple passwords. This makes password migration easier and more secure. For example, to migrate from one password to another, configure a password under a different key ID and remove the first key. The sequence number prevents replay attacks, in which OSPF packets are captured, modified, and retransmitted to a router. As with plain text authentication, MD5 authentication passwords do not have to be the same throughout an area. However, they do need to be the same between neighbors.

Source: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml
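
The verification steps described in the quoted text (digest over packet plus key, lookup by Key ID, non-decreasing sequence number, key migration) modelled end to end in Python. This is an added example, not code from the lab or from Cisco. It follows the RFC 2328 Appendix D layout for AuType 2; the Hello body, router IDs, sequence numbers and the second key string are constructed, and the key string "clave" is the one used in the lab configuration.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 cryptographic authentication (RFC 2328, Appendix D.4.3), both sides:
# the sender appends an MD5 digest over (packet || key), the receiver looks the
# key up by Key ID, enforces a non-decreasing per-neighbour sequence number and
# recomputes the digest. Constants follow the RFC; everything else is constructed.
OSPF_VERSION = 2
OSPF_HELLO = 1
OSPF_HEADER_LEN = 24      # fixed header; the digest is appended after the packet
AUTH_TYPE_CRYPTO = 2      # AuType 2 = cryptographic authentication
MD5_DIGEST_LEN = 16


def build_header(pkt_type, router_id, area_id, body_len):
    """OSPF header with checksum 0 (required for AuType 2) and an empty auth field."""
    length = OSPF_HEADER_LEN + body_len
    return struct.pack("!BBH4s4sHH8x", OSPF_VERSION, pkt_type, length,
                       socket.inet_aton(router_id), socket.inet_aton(area_id),
                       0, AUTH_TYPE_CRYPTO)


def sign_packet(header, body, key_id, seq, key):
    """Fill the 64-bit auth field (0, Key ID, Auth Data Len, seq) and append the digest."""
    if len(key) > MD5_DIGEST_LEN:
        raise ValueError("OSPF MD5 key-strings are at most 16 bytes")
    auth_field = struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)
    packet = header[:16] + auth_field + body      # header[:16] = fields before the auth field
    # The digest covers the packet followed by the key, zero-padded to 16 bytes.
    digest = hashlib.md5(packet + key.ljust(MD5_DIGEST_LEN, b"\x00")).digest()
    return packet + digest


def verify_packet(wire, keys, last_seq):
    """Receiver side. keys: Key ID -> key bytes; last_seq: router ID -> last accepted seq."""
    if len(wire) < OSPF_HEADER_LEN + MD5_DIGEST_LEN:
        return False, "truncated"
    version, _pkt_type, length = struct.unpack("!BBH", wire[:4])
    router_id = wire[4:8]
    autype = struct.unpack("!H", wire[14:16])[0]
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if version != OSPF_VERSION or autype != AUTH_TYPE_CRYPTO or auth_len != MD5_DIGEST_LEN:
        return False, "unsupported header"
    if length + MD5_DIGEST_LEN != len(wire):
        return False, "length mismatch"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"             # neighbour uses a key not provisioned here
    if seq < last_seq.get(router_id, 0):
        return False, "replayed sequence number"   # defeats capture-and-retransmit
    packet, received = wire[:length], wire[length:]
    expected = hashlib.md5(packet + key.ljust(MD5_DIGEST_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad digest"                 # modified packet or wrong password
    last_seq[router_id] = seq                      # advance state only for authenticated packets
    return True, "ok"


def demo():
    """Constructed scenario: Key ID 1 = b'clave' as in the lab config; neighbour 10.0.0.6 sends Hellos."""
    keys, last_seq = {1: b"clave"}, {}
    body = b"\xff\xff\xff\xfc" + b"\x00" * 16       # constructed Hello body (network mask /30, rest zero)
    header = build_header(OSPF_HELLO, "10.0.0.6", "0.0.0.0", len(body))
    results = {}
    good = sign_packet(header, body, key_id=1, seq=1000, key=b"clave")
    results["valid"] = verify_packet(good, keys, last_seq)
    tampered = good[:28] + b"\xff\xff\xff\x00" + good[32:]   # bytes altered inside the body
    results["tampered"] = verify_packet(tampered, keys, last_seq)
    newer = sign_packet(header, body, key_id=1, seq=1001, key=b"clave")
    verify_packet(newer, keys, last_seq)                      # neighbour state advances to 1001
    results["replayed"] = verify_packet(good, keys, last_seq)  # genuine but stale packet replayed
    wrong_key = sign_packet(header, body, key_id=1, seq=1002, key=b"otra")
    results["wrong_key"] = verify_packet(wrong_key, keys, last_seq)
    # Key migration: provision Key ID 2 alongside Key ID 1, the neighbour switches, then key 1 can go.
    keys[2] = b"clave2"
    migrated = sign_packet(header, body, key_id=2, seq=1003, key=b"clave2")
    results["migrated_key"] = verify_packet(migrated, keys, last_seq)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

The receiver only advances the stored sequence number after the digest has verified, so an attacker cannot push a neighbour's counter forward with forged packets; the digest comparison uses hmac.compare_digest to avoid leaking timing information. In IOS the same Key ID and key string are what "ip ospf message-digest-key 1 md5 clave" in the configuration below provides.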

 

DoS attack: in the first sh ip route the network is reached over the serial links, with load balancing, at an OSPF cost of 782. After the packet injection the cost drops because of the higher bandwidth over the LAN (two 100 Mbps segments to reach the fake destination). Obviously this network, since it does not really exist, becomes unreachable for the hosts even though it appears in the routing table.

Mitigating the attack

ACA#show runn
Building configuration...

!
hostname ACA
!
ip dhcp excluded-address 192.168.0.2
ip dhcp excluded-address 192.168.0.3
!
ip dhcp pool POOL
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in   (binds the ACL to this interface, inbound)
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 clave
 clock rate 125000
!
interface Serial0/0/1
 ip address 10.0.0.5 255.255.255.252
 ip ospf message-digest-key 1 md5 clave
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 passive-interface FastEthernet0/1   (no routing updates are sent out this interface, so a sniffer on the LAN captures no routing-protocol traffic; this interface IS still included in routing)
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0
!
access-list 100 deny ospf any any   (denies inbound OSPF traffic; this is an end segment with only PCs)
access-list 100 permit ip any any   (permits everything else; it can also be made more specific)
!
end

ACA#show ip route

     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0/0
C       10.0.0.4 is directly connected, Serial0/0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/1
O    192.168.1.0/24 [110/782] via 10.0.0.6, 00:15:16, Serial0/0/1
                    [110/782] via 10.0.0.2, 00:15:16, Serial0/0/0   (equal-cost load balancing; formula: 10^8/1544000 [BW bps])

ACA#show access-lists
Extended IP access list 100
    10 deny ospf any any (142 matches)   (denies OSPF traffic arriving from the local network)
    20 permit ip any any (99 matches)
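
An added example (not part of the lab) of how a defender could check the two show outputs above automatically: parse show ip route and flag any learned route whose exit interface is a host-only LAN segment (the symptom of the injected 192.168.1.0/24 described earlier), and compare the deny ospf hit counters between two show access-lists samples. The attacked-state routing table and the "before" ACL sample are constructed (next hop 192.168.0.50 and the cost of 2 are assumptions); the other two samples are the page's own outputs with the inline comments removed.

```python
import re

# Constructed sample (not from the page): the routing table while the rogue AP
# injects a fake 192.168.1.0/24 over the LAN at a lower cost than the serial paths.
# Next hop 192.168.0.50 and the cost of 2 are assumptions.
ATTACKED_ROUTES = """\
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0/0
C       10.0.0.4 is directly connected, Serial0/0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/1
O    192.168.1.0/24 [110/2] via 192.168.0.50, 00:00:12, FastEthernet0/1
"""

# The table after mitigation, as shown on the page (inline comments removed).
MITIGATED_ROUTES = """\
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0/0
C       10.0.0.4 is directly connected, Serial0/0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/1
O    192.168.1.0/24 [110/782] via 10.0.0.6, 00:15:16, Serial0/0/1
                    [110/782] via 10.0.0.2, 00:15:16, Serial0/0/0
"""

# Two samples of 'show access-lists': the first is constructed (counters just after
# the ACL was applied), the second is the page's output.
ACL_BEFORE = """\
Extended IP access list 100
    10 deny ospf any any
    20 permit ip any any (3 matches)
"""
ACL_AFTER = """\
Extended IP access list 100
    10 deny ospf any any (142 matches)
    20 permit ip any any (99 matches)
"""

HEAD_RE = re.compile(r"^(?P<code>[A-Z]\*?(?: [A-Z][A-Z0-9])?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)")
PATH_RE = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+), \S+, (?P<iface>\S+)")
CONN_RE = re.compile(r"is directly connected, (?P<iface>\S+)")
ACL_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<action>permit|deny) (?P<proto>\S+)(?P<rest>.*)$")
HITS_RE = re.compile(r"\((?P<n>\d+) matches\)")


def parse_routes(text):
    """One entry per path; continuation lines ('[110/782] via ...') inherit the prefix above them."""
    routes, code, prefix = [], None, None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            code, prefix = head["code"], head["prefix"]
        path, conn = PATH_RE.search(line), CONN_RE.search(line)
        if path and prefix:
            routes.append({"prefix": prefix, "code": code, "ad": int(path["ad"]),
                           "metric": int(path["metric"]), "next_hop": path["nh"],
                           "interface": path["iface"]})
        elif conn and head:
            routes.append({"prefix": prefix, "code": code, "ad": 0, "metric": 0,
                           "next_hop": None, "interface": conn["iface"]})
    return routes


def routes_via_host_interfaces(routes, host_only_ifaces):
    """Learned (non-connected) routes exiting an interface that should only carry end hosts."""
    return [(r["prefix"], r["next_hop"], r["interface"]) for r in routes
            if r["code"] != "C" and r["interface"] in host_only_ifaces]


def parse_acl_counters(text):
    """seq -> (action, protocol, match count); entries without '(N matches)' count as 0."""
    counters = {}
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            hits = HITS_RE.search(m["rest"])
            counters[int(m["seq"])] = (m["action"], m["proto"], int(hits["n"]) if hits else 0)
    return counters


def ospf_deny_delta(before_text, after_text):
    """Growth of the 'deny ospf' counters between two samples; > 0 means OSPF is still arriving on the LAN."""
    before, after = parse_acl_counters(before_text), parse_acl_counters(after_text)
    return sum(hits - before.get(seq, ("", "", 0))[2]
               for seq, (action, proto, hits) in after.items()
               if action == "deny" and proto == "ospf")


if __name__ == "__main__":
    print("attacked:", routes_via_host_interfaces(parse_routes(ATTACKED_ROUTES), {"FastEthernet0/1"}))
    print("mitigated:", routes_via_host_interfaces(parse_routes(MITIGATED_ROUTES), {"FastEthernet0/1"}))
    print("OSPF packets dropped by ACL 100 between samples:", ospf_deny_delta(ACL_BEFORE, ACL_AFTER))
```

With the ACL in place the route check returns nothing, while a growing deny ospf counter tells you the rogue device is still sending routing traffic onto the LAN and is worth locating, even though the router is no longer accepting it.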

 
Note: The area authentication command in the configuration enables authentication for all the interfaces of the router in a particular area. You can also use the ip ospf authentication command under the interface to configure plain text authentication for the interface. This command can be used if a different authentication method or no authentication method is configured under the area to which the interface belongs. It overrides the authentication method configured for the area. This is useful if different interfaces that belong to the same area need to use different authentication methods.

EIGRP configurations for MD5 Authentication: to prevent DoS attacks via spoofing.

Caution: When EIGRP message authentication is added to the interface of a router, that router stops receiving routing messages from its peers until they are also configured for message authentication. This does interrupt routing communications on your network.

Router#configure terminal
Router(config)#key chain EIGRPSECURE
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string securetraffic
Router(config-keychain-key)#exit 
Router(config)# router eigrp 100
Router(config-router)#network 192.168.1.0 0.0.0.3
Router(config-router)#passive-interface fastEthernet 0/0
Router(config-router)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.252
Router(config-if)#ip authentication mode eigrp 100 md5
Router(config-if)#ip authentication key-chain eigrp 100 EIGRPSECURE
Router(config-if)#exit
Router#
 
Router#debug eigrp packets
17:43:43: EIGRP: ignored packet from 192.168.1.1 (invalid authentication)
17:43:45: EIGRP: ignored packet from 192.168.1.1 (invalid authentication)

 

Source: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00807f5a63.shtml

Sexy girls don't understand about networking
(2011) Ernesto Vilarrasa