Response: How bad is the OSPF vulnerability exposed by Black Hat? | Routing Freak!

Manav breaks down the OSPF vulnerability from Black Hat 2013 and confirms that it practical and viable failure of the OSPF protocol.

So it was with certain skepticism that i started looking at yet another OSPF vulnerability exposed by Gabi, again at Black Hat. Its only when i started delving deep into the attack vector that the real scale of the attack dawned on me. This attack evades OSPF’s natural fight back mechanism against malacious LSAs which makes it a bit more insidious than the other attacks reported so far.

I’ve had this article in by browser for quite some time, I’ve re-read it a few times before I feel like I understand it well enough. But the conclusion seems clear:

In the attack that Gabi described, the victim router does not recognize the malacious LSA as its own and thus never attempts at refreshing it. As a result the malicious LSA remains stealthily hidden in the routing domain and can go undetected for a really long time. Thus by controlling a single router inside an AS the one that will flood the malacious LSA, an attacker can gain control over the entire routing domain. In fact, an attacker need not even gain control of an entire router inside the AS.  Its enough if it can somehow inject the malacious LSAs over a link such that one of the OSPF routers in the network accept this.

You should read the article which explains that it’s somewhat straightforward to permanently compromise an OSPF routing table with a route or perform a denial of service. As I read it, there is no workaround unless the OSPF  device either adds new validation to the LSA validation ( you do not permit OSPF neighbours across untrusted boundaries. Which would be best practice. Route filtering or ACLs will not prevent this attack.

Vendors security advisories suggest that this problem is likely to have been solved.

via How bad is the OSPF vulnerability exposed by Black Hat? | Routing Freak!.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at and on Twitter @etherealmind and Google Plus

You can contact Greg via the site contact page.

  • Tom Dwyer

    Well authenticating your OSPF adjacencies with md5 would be a mitigation method I would suspect.

Subscribe For Weekly Updates by Email

Get a Weekly Summary of Latest Articles and Posts to your Email Inbox Every Sunday

Thanks for signing up. Look for the email from MailChimp & make sure you confirm your email address. You may need to check your spam or gmail settings to be sure of receiving the email.

Note: You can unsubscribe at any time using the link at the bottom of every email.