没有合适的资源?快使用搜索试试~ 我知道了~
14 夏云峰 基于OSPF路由协议的路由欺骗分析1
需积分: 0 3 下载量 3 浏览量
2022-08-03
19:48:57
上传
评论
收藏 2.74MB PDF 举报
温馨提示
试读
90页
摘要东南大学硕士学位论文ABSTRACTRouting protocol is the core of network infrastructure. OSPF
资源详情
资源评论
资源推荐
摘要
I
ANALYSIS OF ROUTE SPOOFING
BASED ON OSPF ROUTING PROTOCOL
A Thesis Submitted to
Southeast University
For the Academic Degree of Master of Engineering
BY
XIA Yunfeng
Supervised by
A.Prof SONG Yubo
School of Information Science and Engineering
Southeast University
April 2014
东南大学硕士学位论文
II
摘要
路由协议是网络基础设施的核心,目前 OSPF 路由协议是一种使用广泛的内部网关
路由协议。本文研究 OSPF 协议的安全性,在分析 OSPF 协议安全机制以及已有攻击方
法的基础上,提出了四种新的攻击方法。这些攻击方法利用不同方式注入恶意的链路状
态通告(LSA),修改路由器路由表,从而实现路由欺骗。本文同时设计实现了 OSPF
渗透测试系统,该系统可对 OSPF 网络进行安全性测试。全文主要工作如下:
1. 提出了一种邻接欺骗攻击。该攻击主要针对 OSPF 网络中边界路由器未设置为
被动接口的场景,攻击者伪装成一台合法的路由器接入到 OSPF 网络中,注入
恶意的 LSA。利用该攻击可实现网页欺骗、密码嗅探、中间人攻击、DNS 欺骗
等效果。
2. 提出了一种双 LSA 远程多注入攻击。该攻击主要针对攻击者获得网络路由器拓
扑及参数的场景,利用远程路由器的身份注入两个恶意的 LSA。与 Nakibly 等
人提出的双 LSA 注入攻击相比,它可逃避自反击机制,同时增大了污染区域。
这种攻击不仅可实现网页欺骗、密码嗅探等效果,还能控制流量的中间传输路
径。
3. 提出了一种单路径注入攻击。在与攻击二相同的场景下,攻击者查找网络中满
足单路径条件的路由器对,从中选出跳板路由器,并以它的身份注入一个恶意
的 LSA。该攻击只需要注入一个 LSA 就能逃避自反击机制。利用该攻击可实现
流量黑洞,从而造成部分区域的网络瘫痪。
4. 提出了一种远程邻接欺骗攻击。我们设计了一种探测远程路由器运行参数的方
法,利用该方法可与远程路由器建立虚假的邻接关系,最后以幻影路由器的身
份注入恶意的 LSA,可实现流量黑洞。该攻击与上述三种攻击相比其适用场
景更广,可在未知网络路由器拓扑及参数的情况下实施。
5. 采用 GNS3 网络仿真软件、VMware 虚拟机以及真实物理计算机搭建了一个高
仿真程度的网络模拟平台,并在此平台下验证了上述四种路由欺骗攻击的可行
性及有效性。
6. 设计并实现了一个可对 OSPF 网络进行安全性检测的渗透测试系统,利用该系
统可实现 OSPF 协议密钥认证机制的安全性评估以及 OSPF 网络渗透测试。经
测试表明,上述四种攻击可在真实环境下达到预期的攻击效果,本文设计的系
统可有效的发现 OSPF 网络的安全漏洞。
关键词:OSPF 安全;路由欺骗;链路状态通告;自反击机制
摘要
III
东南大学硕士学位论文
IV
ABSTRACT
Routing protocol is the core of network infrastructure. OSPF routing protocol is a kind of
interior gateway routing protocols, which is widely used at present. In this paper, the security
of OSPF protocol is studied, and four new attack methods are proposed based on the analysis
of OSPF protocol security mechanism and attack methods that exist. The method of these
attacks injects malicious LSAs(link state advertisements)by different ways, modifies the
routing tables of routers, finally realizes route spoofing. An OSPF penetration testing system is
developed in this paper at the same time. The system can be used for security testing of OSPF
networks. The work of this paper is as follows:
1. Adjacency spoofing attack is proposed. The attack is mainly aimed at the scenario that
the border routers of OSPF networks are not set as passive interface. The attacker is
access to OSPF networks by disguising as a legitimate router and injects malicious
LSAs. Web spoofing、password sniffing、man-in-the-middle attack、DNS spoofing,
etc are realized by the attack method.
2. Double LSA remote multi-injection attack is proposed.The attack is mainly aimed at
the scenario that the attacker obtains router topology and parameters of networks, it
injects two malicious LSAs by remote routers. Comparing with Double LSA injection
attack proposed by Nakibly et al, it can evade “fight-back” mechanism, and increase
contaminated area at the same time. The attack not only can realize web spoofing、
password sniffing, etc, but also can control the middle of the transmission path of data
traffic.
3. Single path injection attack is proposed. Under the scenario same as the second attack,
the attacker finds a pair of routers that meet the condition of single path, chooses the
springboard router, injects a malicious LSA by its identity. The attack just needs inject
a LSA to evade “fight-back” mechanism. Traffic black-hole can be realized by the
attack, causing parts of networks paralytic.
4. Remote adjacency spoofing attack is proposed. We design a method to detect running
parameters of remote routers. False adjacency relation can be established by the
method, finally malicious LSAs are injected by the identity of phantom routers to
realize traffic black-hole. Comparing with above three attacks, the attack is used in
more scenarios, it can be realized in the scenario that the attacker doesn’t obtain router
topology and parameters of networks.
ABSTRACT
V
5. The feasbilites and effectivenesses of above four route spoofing attacks are verified
on the network simulation platform constructed with GNS3 network simulation
software、VMware virtual machine and a real physical computer.
6. An OSPF penetration testing system which can implement security testing of OSPF
networks is designed and realized. It includes security assessment function of OSPF
cryptographic authentication mechanism and penetration testing function on OSPF
networks. Above four attacks can achieve desired effects in the real environment, and
the system can effectively discover security vulnerabilities of OSPF networks.
Keywords: OSPF security; route spoofing; link state advertisement; fight-back mechanism
剩余89页未读,继续阅读
断脚的鸟
- 粉丝: 19
- 资源: 301
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论0