Attacking HSRP
From the previous section's descriptions, it appears that HSRP is not completely secure.
The RFC 2281 authors even wrote the following statement in the RFC:
This protocol does not provide security. The authentication field found within the message is useful for
preventing misconfiguration. The protocol is easily subverted by an active intruder on the LAN. This can
result in a packet black hole and a denial-of-service attack.
Also, it is easy for an attacker to display the HSRP authentication data. Figure 9-3 shows
Yersinia[2] recovering the authentication data SeCrEt.
[Figure labels, HSRP packet fields: Version, Op code, State, Hellotime, Holdtime, Priority, Group,
Reserved, Authentication Data, Virtual IP Address]
Figure 9-3 Weak HSRP Authentication Data by Yersinia
Three types of HSRP vulnerabilities exist:
• DoS attack
• Man-in-the-middle attack
• Information leakage
DoS Attack
What if an attacker can send a forged HSRP packet where the priority is set to the maximum
value of 255 and the Authentication Data, Group, and virtual IP address carry the correct values?
Figure 9-4 shows what happens.
150 Chapter 9: Is HSRP Resilient?
Figure 9-4 DoS Attack Against HSRP
All legitimate routers immediately become standby routers, the CAM table of switches is
updated, and all hosts in the LAN keep sending packets to the HSRP virtual MAC address,
which is mapped to the attacker's PC. If the attacker simply drops the packets, it is a DoS
attack.
Yersinia implements this attack but is not the only tool. The hsrp tool from the IRPAS[3]
package also implements it:
hsrp -d 224.0.0.2 -v 192.168.0.8 -a cisco -g 1 -i eth0 -S 192.168.0.66
With the hsrp tool, an attacker sends HSRP packets to the HSRP multicast group 224.0.0.2 (HSRP
version 1) by using the default authentication of cisco over the local interface eth0. The tool
pretends to be the source IP address of 192.168.0.66, and the virtual IP address is
192.168.0.8 for group 1. If the address 192.168.0.66 does not exist on the LAN or does not
forward packets, all packets originated by the adjacent hosts and sent to the default gateway,
192.168.0.8, are actually sent into a black hole.
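The forged packet described above, seen from the detection side, as an added example that is not part of the original text: it decodes the 20-byte HSRP version 1 message layout from RFC 2281 and flags messages that do not match the site's expected speakers. The router addresses, the priority ceiling and both sample payloads are constructed assumptions.

```python
import socket
import struct

# Assumed site policy (constructed values): the real HSRP routers and their highest priority.
KNOWN_ROUTERS = {"192.168.0.2", "192.168.0.3"}
MAX_CONFIGURED_PRIORITY = 110
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HSRP_V1 = "!8B8s4s"  # eight 1-byte fields, 8-byte authentication data, 4-byte virtual IP

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the HSRP version 1 message carried in UDP port 1985 (RFC 2281)."""
    if len(payload) < 20:
        raise ValueError("an HSRPv1 message is 20 bytes long")
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = struct.unpack(HSRP_V1, payload[:20])
    return {
        "version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),  # clear text on the wire
        "virtual_ip": socket.inet_ntoa(vip),
    }

def findings(src_ip: str, payload: bytes) -> list:
    """Return the reasons a captured HSRP message deserves an alert (empty list = expected)."""
    msg = parse_hsrp_v1(payload)
    reasons = []
    if src_ip not in KNOWN_ROUTERS:
        reasons.append(f"HSRP {msg['opcode']} for group {msg['group']} from unknown speaker {src_ip}")
    if msg["priority"] > MAX_CONFIGURED_PRIORITY:
        reasons.append(f"priority {msg['priority']} exceeds configured maximum {MAX_CONFIGURED_PRIORITY}")
    if msg["auth"] == "cisco":
        reasons.append("default clear-text authentication data 'cisco' in use")
    return reasons

# Constructed sample payloads: a hello from a real router and the forged hello from the text.
VIP = socket.inet_aton("192.168.0.8")
LEGIT = struct.pack(HSRP_V1, 0, 0, 16, 3, 10, 110, 1, 0, b"SeCrEt", VIP)
FORGED = struct.pack(HSRP_V1, 0, 0, 16, 3, 10, 255, 1, 0, b"cisco", VIP)

if __name__ == "__main__":
    for src, pkt in (("192.168.0.2", LEGIT), ("192.168.0.66", FORGED)):
        print(src, findings(src, pkt) or "ok")
```

Because the authentication data is clear text, a match on it proves nothing about the sender; the source-address and priority checks are what separate the forged hello from the real one.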
Man-in-the-Middle Attack
A variation of the DoS attack is the man-in-the-middle (MITM) attack. MITM attacks
occur when an attacker actually forwards the received traffic to the MAC address of a
physical router. The behavior is now similar to an ARP spoofing attack: The attacker
intercepts all traffic leaving the LAN, and he can sniff the traffic and modify or inject data.
[Figure labels: Active Virtual Router (IP: 192.168.0.8, MAC: 0000.0C07.AC01); Virtual Router
(IP: 192.168.0.8, MAC: 0000.0C07.AC01); HSRP Group; Normal Hosts with a Default Route to 192.168.0.8]
Mitigating HSRP Attacks 151
Information Leakage
The final HSRP vulnerability is not critical because neither a breach in confidentiality nor
a service disruption exists. HSRP commits a slight information leakage by announcing all
the routers' IP addresses.
Because these routers use HSRP, which Cisco routers mainly use, an attacker can guess that
Cisco routers are in play. Therefore, he has more knowledge about the target and can launch
specific attacks against Cisco routers, if any exist.