
IP Routing document (pptx)




DOCUMENT INFORMATION

Pages: 55
Size: 692.44 KB

Content

9 - 1 IP Routing – SANS GIAC LevelTwo ©2000, 2001 1 IP Routing

After completion of this webcast, the student will have a good foundation of how packets are routed across IP networks. First we will examine the concept of static routing that most hosts use to decide how to send traffic originating from the local host. We will also briefly introduce the Ethernet protocol, since the majority of IP network traffic is routed using this link layer medium. Much of the traffic that needs to be routed is between hosts on the same physical network, and that is where the link layer comes into play. Routing protocols provide the basis by which information is transferred between hosts on the Internet. We’ll look at these protocols that provide for dynamic routing. They are divided into major categories based on a specific operating environment. Besides explaining these various environments, we will examine their potential strengths and weaknesses. Furthermore, we will attempt to provide a basic overview of how the different protocols are susceptible to attack and how some of these threats can be mitigated through simple router configuration changes.

9 - 2 Objectives

• Static Routing
  – Sending packets from the local host
• Address Resolution Protocol (ARP)
  – Getting packets from hop to hop
  – Examples of malicious activity
• IP Options
  – Loose source routing
  – Strict source routing
• Dynamic Routing Protocols
  – Interior Gateway Protocols
  – Exterior Gateway Protocols

The “Objectives” slide outlines the different topics that we will be covering. First, we will look at static routing, which hosts employ to send traffic. Then, we’ll examine the protocols involved in the transmission of packets on the local network. This will be followed by a discussion of IP options and how they can be used to alter the course of packets as they travel toward their destination.
Then the various protocols that govern how packets traverse IP networks will be investigated. Specifically, we will examine all of the protocols that affect the transmission of a packet from one host to another. This transmittal can be as simple as sending a packet from one host to another on the same local subnet, or as complex as sending a packet across the world.

9 - 3 Static Routing

All hosts, regardless of whether they are routers or not, have to be able to make initial decisions about how to send traffic from the local host. They maintain a basic list known as a routing table that directs traffic from the local host based on its final destination. This table is referenced often by the host sending traffic, yet it is not updated very frequently – hence the name static routing. In this section, we will examine the types of decisions hosts need to make about routing traffic and some of the susceptibilities and exploits associated with static routing.

9 - 4 Local Routing Table

netstat -rn
Routing Table:
Destination      Gateway        Flags  Ref   Use    Interface
---------------- -------------- ----- ----- ------ ---------
1.2.3.0          1.2.3.4        U       3      5   le0
127.0.0.1        127.0.0.1      UH      0    472   lo0
default          1.2.3.1        UG      0   5444

Look at the “Local Routing Table” slide to see a Unix host’s relatively static list of routes. The routing decisions are made based on the destination of the traffic that is to be sent. This table was generated using the netstat command with the -rn options, which indicate to list the routing table but not to try to resolve IP numbers to host names. This routing table is for host 1.2.3.4 on the 1.2.3.0 network. The first line in the table says that any traffic bound for the 1.2.3.0 network should be directed through the local host 1.2.3.4 using interface le0, which is one of its network interface designations.
The flag of U says that this route is up; the reference count indicates how many current connections are established through that interface, and the use column indicates how many packets have traveled through the interface. The second line is for the local loopback address, which is designated as 127.0.0.1. Some processes such as X terminal applications (Netscape) require that the host talk to itself, and this is the interface through which that occurs. The final line indicates the default destination to which traffic should be sent if it doesn’t match any of the other destinations in the routing table. This is a default gateway (noted with the G in the Flags column), which is a router that will forward the traffic and direct it a hop closer to its final destination. This is used for traffic that is destined for somewhere other than the 1.2.3.0 network and the local host.

9 - 5 Static Routing Decisions

• IP layer searches the routing table in the following manner:
  – Search for a matching host address
  – Search for a matching network address
  – Search for a default entry

Turning to slide “Static Routing Decisions”, we see how the IP layer uses a routing mechanism to decide which interface to direct traffic to. If the destination host matches the routing table’s destination entry, the traffic is routed through the corresponding interface. If there is no such matching entry, then the destination address is compared against all the routing table destination entries to see if the network addresses match. The network address is determined by combining the specified IP address and the subnet mask for the network. The first match is sent to the specified network interface. Finally, if nothing else matches, the traffic is sent to the interface with the “default” designation. This is usually a router on the same local network that will forward the traffic to the destination.
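The three-step search just described, as an added example that is not part of the course notes: it parses the netstat -rn table from the “Local Routing Table” slide and resolves a destination to a next hop and interface. The /24 mask for the 1.2.3.0 entry is an assumption, since netstat -rn prints no masks.

```python
import ipaddress

# Constructed copy of the netstat -rn output on the "Local Routing Table"
# slide (host 1.2.3.4 on the 1.2.3.0 network). The default entry has no
# interface column on the slide, so it is left blank here too.
NETSTAT_RN = """\
Destination      Gateway        Flags  Ref   Use    Interface
---------------- -------------- ----- ----- ------ ---------
1.2.3.0          1.2.3.4        U       3      5   le0
127.0.0.1        127.0.0.1      UH      0    472   lo0
default          1.2.3.1        UG      0   5444
"""
# Assumption: netstat -rn prints no masks, so a classful /24 is assumed for
# the 1.2.3.0 entry. Host entries (flag H) are exact matches.
ASSUMED_MASKS = {"1.2.3.0": 24}


def parse_routes(text):
    """Turn the netstat table into a list of route dicts."""
    routes = []
    for line in text.splitlines()[2:]:            # skip the two header lines
        fields = line.split()
        if len(fields) < 5:
            continue
        routes.append({"dest": fields[0], "gateway": fields[1],
                       "flags": fields[2],
                       "iface": fields[5] if len(fields) > 5 else None})
    return routes


def connected_route(routes, dst):
    """Steps 1 and 2 of the slide: a matching host entry, then the first
    network entry whose (address AND mask) covers dst. None if neither."""
    dst_ip = ipaddress.ip_address(dst)
    for r in routes:                                # 1. host address
        if "H" in r["flags"] and r["dest"] == dst:
            return r
    for r in routes:                                # 2. network address
        if "H" in r["flags"] or r["dest"] == "default":
            continue
        mask = ASSUMED_MASKS.get(r["dest"], 24)
        if dst_ip in ipaddress.ip_network(f"{r['dest']}/{mask}"):
            return r
    return None


def lookup(routes, dst):
    """Full search: host, network, then the default entry (flag G).
    Returns (next_hop, interface), or None if nothing matches."""
    r = connected_route(routes, dst)
    if r is not None:
        return r["gateway"], r["iface"]
    for r in routes:                                # 3. default entry
        if r["dest"] == "default":
            iface = r["iface"]
            if iface is None:   # blank on the slide: use the route to the gateway
                via = connected_route(routes, r["gateway"])
                iface = via["iface"] if via else None
            return r["gateway"], iface
    return None
```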
Many hosts do not act as routers, meaning that they do not forward traffic received through one interface to another interface. Yet they still need to be able to route traffic generated on the local host to the correct interface. This is an important distinction.

9 - 6 How Are Routes Added?

• Static routes are typically added during the boot process
• Administrative changes can be made with the “route” command
• ICMP router discovery messages

The next topic of discussion, “How Are Routes Added?”, is found on the following slide. Since these routes are fairly static, they should be assigned during the boot process and remain mostly unchanged. Some Unix systems have a file /etc/defaultrouter that initializes the routes; others configure the routes in the boot scripts using the route command. The route command can be used by the administrator to make changes for new interfaces. Another way for a host to receive initial routes after the boot process is to issue a router solicitation message using ICMP router discovery. Routers can respond to these solicitations to inform the host of the router IP addresses along with a lifetime, or number of seconds, that the advertised router addresses are considered to be valid.

9 - 7 How Are Routes Changed?

• ICMP redirect messages
• ICMP router discovery messages

Slide “How Are Routes Changed?” lists the ways in which a relatively static routing table can be informed of best routes or changing conditions on the network. A host might have entries in the routing table that are not the most efficient ones. When this happens, ICMP redirect messages are sent to the host by a router that detects it is not the optimum router to be used. The host will adjust its routing table to use a more optimum router when sending traffic the next time to the destination address that elicited the message.
Hosts that use the ICMP router discovery protocol (IRDP) can receive periodic advertisements of available routers. They can change their routing tables to reflect any new information received.

9 - 8 Redirect

[Diagram: the misguided sending host sends a datagram for the target host to the non-optimum router; the datagram is delivered to the target host, and the non-optimum router tells the sending host to use the optimum router next time.]

non-optimum.router > sending.host : icmp: redirect target.host to net optimum.router

The “ICMP Redirect” message discussed on the next slide allows a router to tell a sending host that it is not the optimum router to be used for sending the traffic to the desired destination. The non-optimum router forwards the traffic to the destination, but informs the sending host to change its routing table so that a more optimum router is chosen the next time traffic is sent to the same destination host. In the case of the above slide, we have a misguided sending host attempting to send traffic to the target host. It routes the traffic through the non-optimum router, which forwards the traffic. However, it issues an ICMP redirect to the misguided sending host to use the optimum router the next time. Most hosts will perform some checks before changing their routing tables:

1) The optimum router must be on the directly connected network
2) The redirect must be from the non-optimum router that was attempted
3) The redirect must not tell the host to use itself as the optimum router
4) The optimum router must be a router and not a host

Now, for a different type of scenario for malicious ICMP messages, look at the next slide, “IRDP DoS Exploit”.
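The four redirect checks above, as an added example that is not the course’s own code, written for the sending host of the slide: 1.2.3.4 on 1.2.3.0/24 (mask assumed) reaching a target host 10.0.0.9 through its default gateway 1.2.3.1; the target and the alternative router addresses are constructed. The same on-link check is also applied to every address carried in an IRDP router advertisement, which is what the IRDP scenarios on the next two slides turn on.

```python
import ipaddress

# Constructed view of the sending host on the "Redirect" slide: 1.2.3.4 on
# 1.2.3.0/24 (mask assumed) currently reaching target host 10.0.0.9 through
# its default gateway 1.2.3.1. Addresses other than 1.2.3.4/1.2.3.1 are made up.
LOCAL_ADDR = "1.2.3.4"
CONNECTED_NETS = [ipaddress.ip_network("1.2.3.0/24")]
CURRENT_GATEWAY = {"10.0.0.9": "1.2.3.1"}     # target host -> router in use


def on_link(addr):
    """Check 1: the proposed router must be on a directly connected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONNECTED_NETS)


def check_redirect(src, target, new_router):
    """Apply the slide's four checks to an ICMP redirect sent by `src` that
    says "reach `target` via `new_router`". Returns the failed checks, so an
    empty list means the redirect may be honoured."""
    failed = []
    if not on_link(new_router):
        failed.append("router not on directly connected network")
    if CURRENT_GATEWAY.get(target) != src:
        failed.append("redirect not from the router currently used for target")
    if new_router == LOCAL_ADDR:
        failed.append("redirect names this host as the router")
    # Check 4 ("must be a router and not a host") is read here as: the new
    # router may not be the target host itself. That reading is an assumption.
    if new_router == target:
        failed.append("router is the target host, not a router")
    return failed


def apply_redirect(src, target, new_router):
    """Update the routing entry only when every check passes."""
    if check_redirect(src, target, new_router):
        return False
    CURRENT_GATEWAY[target] = new_router
    return True


def vet_router_advertisement(src, router_addrs):
    """Split the addresses carried in an IRDP router advertisement into
    (accepted, rejected), applying the on-link and not-self checks to every
    address, not only the first one listed."""
    if not on_link(src):              # sender off the local subnet: trust nothing
        return [], list(router_addrs)
    accepted, rejected = [], []
    for a in router_addrs:
        (accepted if on_link(a) and a != LOCAL_ADDR else rejected).append(a)
    return accepted, rejected
```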
In this case, we have a local or remote host that spoofs an ICMP router discovery protocol router advertisement. The duped.host listens for IRDP advertisements, receives one from spoofing.host, and changes its routing table so that the default router is 4.4.4.4. Router 4.4.4.4 does not exist or is not accessible to duped.host on the local network. So, all traffic that duped.host sends outbound will end up in a black hole, essentially causing a denial of service for outbound traffic from duped.host.

9 - 9 IRDP DoS Exploit

[Diagram: spoofing.host sends an IRDP router advertisement to duped.host; duped.host’s normal route through default.router is replaced by a redirected default route to 4.4.4.4, a black hole.]

spoofing.host > duped.host : icmp: router advertisement

9 - 10 IRDP Windows Exploit

[Diagram: windows.host 192.168.59.181 with default.router 192.168.59.1 as the actual default route; spoofing.host 192.168.59.5 sends an ICMP router advertisement that installs a redirected default route.]

Network Dest  Netmask  Gateway        Interface       Metric
0.0.0.0       0.0.0.0  192.168.59.1   192.168.59.181  1       (actual router)
0.0.0.0       0.0.0.0  192.168.59.5   192.168.59.181  0       (bogus router)

Let’s examine an IRDP attack seen on the slide “IRDP Windows Exploit”. As the name implies, this attack is mostly limited to Windows hosts (95, 98 and 2000), although some Solaris hosts are susceptible too. If a Windows host runs as a Dynamic Host Configuration Protocol (DHCP) client, it will obtain its default route from the DHCP server. However, using IRDP Router Advertisements, a Windows host can be convinced to use a different (incorrect) default route. As you’ve no doubt witnessed from previous IRDP exploits, the ICMP Router Advertisement packets have no way to authenticate that the sender is a legitimate trusted host. Therefore, if we can dupe the Windows host into believing an incorrect default route, we can reroute data leaving the targeted host. The means by which this is done is by sending a Router Advertisement that contains two or more router addresses to the target Windows host. Normally, if just one router address is included in the Router Advertisement, the receiving host examines the source IP to make sure it is in the same subnet.
However, this same check is erroneously not applied to subsequent addresses in the Router Advertisement. Therefore, a host outside the network can spoof multiple Router Advertisements and send them to the target host (assuming the site does not block this type of ICMP message inbound). Another field in the Router Advertisement tells the metric to be used. The formula for computing this for Windows hosts is to subtract 1000 from the received metric value. In other words, if the metric in the Router Advertisement that is sent is 1000, the receiving host will assign a metric of 0 to this route. What this effectively does is give this route a higher precedence than the existing default router entry with a default metric of 1. Look at the part of the Windows routing table above to see the default and bogus entries. At this point, traffic will be redirected to the default router assigned by the Router Advertisement packet with a metric of 0. The man-in-the-middle host would then have to have IP forwarding turned on to send the wayward packets through the real router. This attack was submitted for GIAC certification by Kevin Black. Many thanks to Kevin for his great analysis.

[...]

... Systems.

9 - 19 IP Route Options

Codes:
0x83 - Loose Source Route Option
0x89 - Strict Source Route Option
0x07 - Record Route Option

Format: code | length | ptr | IP Address #1 | IP Address #2 | IP Address #3 | ... | IP Address #9

On the slide “IP Route Options” the format for the IP options that involve routing is displayed. The code field defines the type of IP option that...
...the example shown on the slide, the IP option list will contain the following addresses that were discovered during its traversal from host A to host X: P, D, and R.

9 - 23 Detecting Source Routing

• IP header is greater than 20 bytes
• IP option field has a hexadecimal value of:
  83: loose source routing
  89: strict source routing

ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)

14:19:31.800000 1.2.3.4...

[...]

...obviously been spoofed.

9 - 25 IP Options Review

• IP options are rarely used
• IP options can be used to record the path that a packet takes
• IP options can be used to alter the routing of a packet
• Correct router configuration can stop these packets

To briefly wrap up what we’ve learned in this section, turn to “IP Options Review”. IP options were used at...

[...]

...network topology.

9 - 29 Distance Vector Routing Protocols

Characteristics
• Routing information exchanged in periodic updates
• Relatively slow convergence
• Routing based on hop counts

Protocols
RIP Version 1 [Uses UDP port 520]
RIP Version 2 [Uses UDP port 520]
Interior Gateway Routing Protocol (IGRP) [Uses IP Protocol 88]
Enhanced IGRP (EIGRP) [Uses IP Protocol 88]

[...]

...normal dynamic routing will be pre-empted so that spoofed traffic can actually purport to be from one source IP yet be returned to an entirely different IP from a hostile host. Disallow source routed traffic into your network.

9 - 26 Dynamic Routing Protocols

In our next section, “Dynamic Routing Protocols”, we begin our examination of the routing decisions...

[...]

...192.168.5.5: icmp: echo reply (DF)
4f00 0028 b5cb 4000 fe01 b229 0102 0304 c0a8 0505 8327 0402 0304 0501 0101 0102 etc
(The slide annotates the IP header length nibble and the IP options portion of this dump.)

Examine the next slide, “Detecting Source Routing”. First, we have to detect an IP header of greater than 20 bytes. The IP header length is stored in the first byte of the IP header in the low order nibble. Values...

[...]

Static Routing Review

• Hosts maintain tables of destination routes
• These tables are normally static
• Initialized by boot scripts or IRDP
• ICMP messages can change entries

Slide “Static Routing Review” summarizes what we’ve learned in this section. Each host has a routing table that is the mechanism used by the IP layer to direct traffic...

[...]

9 - 17 IP Options

The next section begins with the slide “IP Options”. The IP options are specified in detail in RFC 791, “Internet Protocol”. They are appended to the end of the IP header and get processed by each router as the packet travels to its destination. As the Internet has grown, however, these options have become unnecessary. Processing IP options...

[...]

...correctly.

9 - 18 What are IP options?

Security
Stream Identification
Internet Timestamp
Loose Source Routing
Strict Source Routing
Record Route

These options represent potential security holes that can be used to attack your network.

The next slide is “What are IP Options?”. Initially these options were designed as an enhancement to the IP protocol to perform...

[...]

...this class of routing protocols.

9 - 30 Link State Routing Protocols

Characteristics
• Relatively fast convergence
• Each router maintains route table for entire network
• Flooding of routing updates

Protocols
Open Shortest Path First (OSPF) [Uses IP Protocol 89]
Intermediate System-Intermediate System (IS-IS)

With the slide “Link State Routing Protocols”...
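The option layout and the detection rule quoted in the fragments above (code, length, pointer, address list; header longer than 20 bytes with option code 0x83 or 0x89), as an added example that is not from the course: it builds a constructed IPv4 header carrying a loose source route and checks it with an option walker that examines every option, not only the byte at ip[20]. The hop addresses and header field values are made up.

```python
import struct

LSRR, SSRR, RR = 0x83, 0x89, 0x07    # codes from the "IP Route Options" slide


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def route_option(code, hops, ptr=4):
    """Encode one routing option as code | length | ptr | addresses."""
    addrs = b"".join(_ip(h) for h in hops)
    return bytes([code, 3 + len(addrs), ptr]) + addrs


def build_ipv4_header(src, dst, options=b""):
    """Constructed IPv4 header (a sample, never transmitted): 20 fixed bytes,
    then options padded with End-of-Option-List bytes to a 4-byte boundary.
    IHL (header length in 32-bit words) is the low nibble of byte 0."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                        1, 0x4000, 64, 1, 0, _ip(src), _ip(dst))
    return fixed + options


def parse_route_options(pkt):
    """Walk every option in the header, not only the first option byte that
    the `ip[20] = 0x83 or ip[20] = 0x89` filter inspects. Returns a list of
    (code, pointer, [addresses]) for each LSRR/SSRR/RR option found."""
    ihl = (pkt[0] & 0x0F) * 4
    found, i = [], 20
    while i < ihl:
        code = pkt[i]
        if code == 0:                       # End of Option List
            break
        if code == 1:                       # No Operation: single byte
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:  # malformed length: stop here
            break
        if code in (LSRR, SSRR, RR):
            body = pkt[i + 3:i + length]
            hops = [".".join(str(b) for b in body[k:k + 4])
                    for k in range(0, len(body) // 4 * 4, 4)]
            found.append((code, pkt[i + 2], hops))
        i += length
    return found


def source_routed(pkt):
    """The slide's rule: IHL above 5 and a loose or strict source route present."""
    return (pkt[0] & 0x0F) > 5 and any(
        c in (LSRR, SSRR) for c, _, _ in parse_route_options(pkt))


# Constructed sample: 1.2.3.4 -> 192.168.5.5 with a loose source route
# through two made-up hops.
SAMPLE = build_ipv4_header("1.2.3.4", "192.168.5.5",
                           route_option(LSRR, ["2.3.4.5", "1.1.1.2"]))
```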

Posted: 10/12/2013, 15:15
