OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: bashis (bashNS.WCD.SE)
Date: Thu May 03 2001 - 12:57:41 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi

    I was playing with Cisco's HSRP (Hot Standby Routing Protocol),
    and there is a (major) weakness in that protocol that allow
    any host in a LAN segment to make a HSRP DoS.

    Short (very) explain of HSRP.
    HSRP uses UDP on port 1985 to multicast address 224.0.0.2,
    and the authentication is in clear text. (default: cisco)

    I include a small program that sends out a fake HSRP packet,
    when it hear a legal HSRP packet, as a "proof of concept" code...

    Vendor was notified about this 14 April 2001,,
    and their response was to use HSRP with IPSec.
    http://www.cisco.com/networkers/nw00/pres/2402.pdf

    [cut from src]
    /*
     * Description:
     * This code listen for any HSRP packet, when it hear one HSRP packet,
     * it capture this, modifies some of HSRP protocol parameters, and send out
     * a fake HSRP packet that tells other routers that I am the active router,
     * I have highest priority and you should be 'Standby' or silent..
     *
     * If the other active, and legal router has highest possible
     * priority (255), then they will fight.. ;-) , AND it seems
     * in my tests that the legal router who 'wishes' be active router,
     * IS allready active, so no DoS will occure. (only UDP flood from both)
     */

    --
    \0x62\0x61\0x73\0x68\0x69\0x73