Mitigating HSRP Attacks
Are HSRP’s vulnerabilities critical? After all, other Layer 2 attacks can lead to the same
results: ARP spoofing, DHCP spoofing, and so on. However, because those other attacks can be
mitigated (as shown in Chapter 5, “Leveraging DHCP Weaknesses,” and Chapter 6,
“Exploiting IPv4 ARP”), HSRP is the only remaining protocol whose risks must be mitigated.
The good news is that the DoS, MITM, and information leakage attacks work only in the
local Ethernet segment. Indeed, the 224.0.0.2 and 224.0.0.102 multicast addresses are for
multicasting only on the local link; packets sent to those addresses are never forwarded on.
Nevertheless, the attacks can be easily launched locally. The ways to mitigate these attacks
rely on preventing an attacker from accomplishing the following:
• Forging valid authentication data. If the attacker is unable to present the correct
credentials, all other routers reject his packets.
• Sending HSRP packets. The network infrastructure blocks all HSRP packets except
those sent by legitimate HSRP routers.
NOTE There is no easy way to prevent information leakage from HSRP, but this is not critical.
Using Strong Authentication
The easiest way to partly mitigate an HSRP attack is to use strong authentication. Cisco
routers and switches running 12.3(2)T and above can use a message digest algorithm 5
(MD5) Hash Message Authentication Code (HMAC) to authenticate all HSRP packets
without ever sending the key in the clear. Example 9-1 shows the syntax when you use a
chain of preshared keys: Each key has a send lifetime (when this key is used to send HSRP
messages) and an accept lifetime (when this key is used to check the validity of received HSRP
messages).
Why Key Chain?
If a hacker compromises a router, he can recover the current preshared key used for HSRP
and use this key forever. Therefore, it is a good security practice to change the preshared
key every year. This limits the time period during which the hacker can use the stolen key. This key
change is called a key rollover.
The rollover requires good synchronization among all participating routers so that they all
start to use the new preshared key at the same moment. This synchronization can be difficult
to achieve when Network Time Protocol (NTP) is unavailable. Key chain is an interesting
alternative: It does not require accurate timing, and the configuration change can be
prepared days in advance.
The key chain allows for flexibility. If the accept lifetime range is larger than the send
lifetime range, such as in Example 9-1, key 2 is used from January 1, 2007, to send the
authenticated HSRP message, and all other routers accept the HSRP message from
December 31, 2006. So, even if the clocks among routers are not synchronized (like 1 or
2 hours of difference), key 2 is accepted by all other routers in the HSRP group.
With this configuration in place, an attacker has no way to discover the preshared key that’s
currently in use. Therefore, an attacker cannot send forged HSRP messages that the real
HSRP routers accept and process.
NOTE Rather than using the configuration in Example 9-1, where a key chain is used, you can use a
simpler method by directly specifying the preshared key. But, if you ever have to roll the
keys, this simplicity complicates your life.
Example 9-1 Using MD5 Key Chain to Authenticate HSRP Messages
key chain MYCHAIN
 key 1
  key-string TheOldKey
  accept-lifetime local 12:00:00 Dec 31 2005 12:00:00 Jan 1 2007
  send-lifetime local 00:00:00 Jan 1 2006 23:59:59 Dec 31 2006
 key 2
  key-string TheNewKey
  accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan 1 2008
  send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 standby 2 ip 192.168.0.254
 standby 2 authentication md5 key-chain MYCHAIN
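To make the overlap argument of the “Why Key Chain?” section concrete, here is an added Python model of the lifetimes from Example 9-1 (this is illustrative code written for this page, not Cisco IOS code or the book’s own). It assumes, as IOS documentation describes for key chains, that a sender picks the lowest-numbered key whose send-lifetime is valid at its own clock time, and that a receiver accepts any key whose accept-lifetime covers its own clock time. The TIGHT_CHAIN variant is a constructed contrast case in which accept-lifetime equals send-lifetime, so there is no overlap at the rollover instant.

```python
from datetime import datetime, timedelta

# Key chain transcribed from Example 9-1 (the "local" times shown there).
KEY_CHAIN = [
    {"id": 1, "key": "TheOldKey",
     "accept": (datetime(2005, 12, 31, 12, 0, 0), datetime(2007, 1, 1, 12, 0, 0)),
     "send":   (datetime(2006, 1, 1, 0, 0, 0),    datetime(2006, 12, 31, 23, 59, 59))},
    {"id": 2, "key": "TheNewKey",
     "accept": (datetime(2006, 12, 31, 12, 0, 0), datetime(2008, 1, 1, 12, 0, 0)),
     "send":   (datetime(2007, 1, 1, 0, 0, 0),    datetime(2007, 12, 31, 23, 59, 59))},
]

# Constructed contrast case: same keys, but accept-lifetime == send-lifetime,
# so there is no overlap window around the rollover.
TIGHT_CHAIN = [dict(k, accept=k["send"]) for k in KEY_CHAIN]

# The rollover instant of Example 9-1: key 2 starts sending at 00:00:00 Jan 1 2007.
ROLLOVER = datetime(2007, 1, 1, 0, 0, 0)


def in_range(t, rng):
    start, end = rng
    return start <= t <= end


def send_key(now, chain):
    """Key a router uses to authenticate a hello at its own clock time.
    Assumption: the lowest-numbered key with a valid send-lifetime wins."""
    for k in chain:
        if in_range(now, k["send"]):
            return k
    return None


def accepted_key_ids(now, chain):
    """Ids of the keys a receiver accepts at its own clock time."""
    return {k["id"] for k in chain if in_range(now, k["accept"])}


def rollover_ok(sender_clock, receiver_clock, chain):
    """True when the sender's current key is among the receiver's accepted keys."""
    k = send_key(sender_clock, chain)
    return k is not None and k["id"] in accepted_key_ids(receiver_clock, chain)


def skew_tolerated(rollover, skew, chain):
    """Sender exactly at the rollover instant; receivers whose clocks are
    'skew' behind or ahead of it must both accept the hello."""
    return (rollover_ok(rollover, rollover - skew, chain)
            and rollover_ok(rollover, rollover + skew, chain))


def tolerated_skew_hours(rollover, chain, max_hours=48):
    """Largest whole-hour clock skew the chain tolerates at the rollover;
    0 means every router must switch keys at exactly the same second."""
    best = 0
    for h in range(1, max_hours + 1):
        if not skew_tolerated(rollover, timedelta(hours=h), chain):
            break
        best = h
    return best


if __name__ == "__main__":
    print("Example 9-1 chain tolerates", tolerated_skew_hours(ROLLOVER, KEY_CHAIN), "hours of skew")
    print("no-overlap chain tolerates", tolerated_skew_hours(ROLLOVER, TIGHT_CHAIN), "hours of skew")
```

With the 12-hour overlap on each side of the rollover that Example 9-1 configures, routers whose clocks differ by up to 12 hours still authenticate each other’s hellos, which is why the chapter says 1 or 2 hours of drift is harmless; with no overlap, the first hello after the rollover is rejected by any router whose clock lags even by a second.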
As shown in the third line at the top of Figure 9-5, when MD5 HMAC is used (in this case,
messages sent by 192.168.0.3), Yersinia can no longer access Authentication Data and is
unable to launch any attack. The same applies to the hsrp tool from the IRPAS package.
Figure 9-5 Yersinia Cannot Decode Authentication Data with MD5 HMAC
The information in Figure 9-5’s middle rectangle is the hexadecimal dump of the second
HSRP packet. The key was also SeCrEt (as for messages from 192.168.0.7 and
192.168.0.9), but it appears nowhere in the displayed packet because Yersinia was unable to
recover it.
Is this MD5 HMAC alone enough to secure HSRP? Actually, no, because it does not stop
a replay attack. Here is how to mount a replay attack: If an attacker can capture a copy of an
HSRP packet with high priority, he can replay this packet by resending it unchanged
(including the virtual source MAC address), and the attacker immediately becomes the
active router. Therefore, the port security feature described in Chapter 2, “Defeating a
Learning Bridge’s Forwarding Process,” must also be used to make the MD5 HMAC secure.
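The following added Python example illustrates the two points just made: a keyed MD5 tag stops forged messages, but an unchanged copy of a genuine message verifies exactly as well as the original, so the tag by itself says nothing about freshness. It is written for this page and is not Yersinia, IRPAS, or Cisco code; the hello body is a constructed string, not the RFC 2281 wire format or Cisco’s MD5 TLV, and the HMAC-MD5 construction stands in for whatever keyed digest the router actually computes. The ReplayMonitor is a hypothetical detection sketch in the spirit of port security: it flags the same authenticated hello arriving on a switch port other than the one it was first learned on.

```python
import hashlib
import hmac

KEY = b"SeCrEt"                       # the preshared key the Figure 9-5 discussion mentions
TAG_LEN = hashlib.md5().digest_size   # 16 bytes


def build_hello(src_ip, priority, vip):
    """Constructed, simplified hello body. NOT the HSRP wire format; it only
    stands in for 'the bytes that get authenticated'."""
    return f"HSRP hello src={src_ip} prio={priority} vip={vip}".encode()


def authenticate(body, key=KEY):
    """Append an HMAC-MD5 tag computed over the body with the preshared key."""
    return body + hmac.new(key, body, hashlib.md5).digest()


def verify(packet, key=KEY):
    """Recompute the tag from the body and compare in constant time."""
    if len(packet) < TAG_LEN:
        return False
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.md5).digest())


class ReplayMonitor:
    """Illustrative detection (hypothetical, not a Cisco feature): remember the
    switch port on which each authenticated hello was first seen. A genuine
    router repeats its hello periodically on its own port, which is fine; the
    identical bytes showing up on another port is the replay case that port
    security is meant to stop."""

    def __init__(self, key=KEY):
        self.key = key
        self.first_port = {}  # hello body -> port it was first learned on

    def observe(self, port, packet):
        if not verify(packet, self.key):
            return "bad-auth"  # forged or unauthenticated: routers drop it
        body = packet[:-TAG_LEN]
        learned = self.first_port.setdefault(body, port)
        return "ok" if learned == port else "replay-suspect"


if __name__ == "__main__":
    genuine = authenticate(build_hello("192.168.0.7", 255, "192.168.0.254"))
    forged = authenticate(build_hello("192.168.0.42", 255, "192.168.0.254"), b"WrongKey")
    print("genuine verifies:", verify(genuine))        # True
    print("forged verifies:", verify(forged))          # False
    print("unchanged copy verifies:", verify(bytes(genuine)))  # True: the tag cannot tell
    mon = ReplayMonitor()
    print(mon.observe("Fa0/1", genuine), mon.observe("Fa0/1", genuine),
          mon.observe("Fa0/5", genuine))               # ok ok replay-suspect
```

The verifier’s inability to distinguish the copy from the original is inherent to any message authentication code without a nonce, counter, or timestamp in the authenticated data; since HSRP carries none, the freshness check has to come from the network layer below it, which is the chapter’s argument for pairing MD5 authentication with port security.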
Relying on Network Infrastructure
If the strong authentication approach cannot be used or when it is deemed not
secure enough, the remaining approach is to prevent hosts from sending HSRP packets.
This can be implemented with an inbound access control list (ACL) on all routers and
switches. Even if it looks less advanced compared to the cryptographic technique, it is
actually more secure because an attacker cannot bypass it. An operational cost exists for this
technique because the ACL is tied to IP addresses. So, if one host changes its IP address,
the ACL must be changed. The ACL relies on IP addresses, so an antispoofing mechanism,
such as IP source guard, must be used.
ACL Alone Is Not Enough for End Stations
An ARP spoofing attack—as described in Chapter 6 and Chapter 7, “Exploiting IPv6
Neighbor Discovery and Router Advertisement”—can be mounted so that end stations are
fooled into believing that the MAC address of the default gateway is no longer the virtual
MAC address but an attacker’s MAC address. To prevent HSRP attacks, Dynamic ARP
Inspection (DAI) must be deployed in combination with any other technique.
The ACL depends on the exact network topology, so the following examples are just
examples that you must adapt based on your exact configuration. Example 9-2 uses
CatOS to define such an ACL, allowing HSRP packets from the legitimate routers but not from
attached hosts. This VLAN ACL is then applied to VLAN 30.
Example 9-3 uses IOS to achieve the same result.
Example 9-2 Using CatOS ACL to Prevent HSRP Spoofing
set security acl ip HSRP_VACL permit udp host 192.168.0.7 host 224.0.0.2 eq 1985
set security acl ip HSRP_VACL permit udp host 192.168.0.9 host 224.0.0.2 eq 1985
set security acl ip HSRP_VACL deny udp any host 224.0.0.2 eq 1985
set security acl ip HSRP_VACL permit ip any any
commit security acl all
set security acl map HSRP_VACL 30
Example 9-3 Using IOS ACL to Prevent HSRP Spoofing
interface FastEthernet0/0
 ip access-group 101 in
access-list 101 permit udp host 192.168.0.7 host 224.0.0.2 eq 1985
access-list 101 permit udp host 192.168.0.9 host 224.0.0.2 eq 1985
access-list 101 deny udp any any eq 1985
access-list 101 permit ip any any
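To show why the chapter insists that the ACL be paired with an antispoofing mechanism, here is an added Python model of Example 9-3’s access-list 101 evaluated first-match with the implicit deny at the end, followed by a hypothetical IP source guard stage. This is illustrative code written for this page, not IOS code; the binding table (port to IP address), the port names, and the end-station address 192.168.0.42 are constructed for the example, and the router addresses 192.168.0.7 and 192.168.0.9 are those used in Examples 9-2 and 9-3.

```python
import ipaddress

# Example 9-3's access-list 101 as (action, protocol, source, destination, dst port).
# "any" is written 0.0.0.0/0; None means the line has no port condition.
ACL_101 = [
    ("permit", "udp", "192.168.0.7/32", "224.0.0.2/32", 1985),
    ("permit", "udp", "192.168.0.9/32", "224.0.0.2/32", 1985),
    ("deny",   "udp", "0.0.0.0/0",      "0.0.0.0/0",    1985),
    ("permit", "ip",  "0.0.0.0/0",      "0.0.0.0/0",    None),
]

# Constructed IP source guard binding table: switch port -> source IP allowed there.
# In a real deployment this is built from DHCP snooping or static bindings.
SOURCE_BINDINGS = {
    "Fa0/1":  "192.168.0.7",   # legitimate HSRP router
    "Fa0/2":  "192.168.0.9",   # legitimate HSRP router
    "Fa0/12": "192.168.0.42",  # an ordinary end station
}


def acl_action(acl, proto, src, dst, dport=None):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto != "ip" and a_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(a_src) or dst_ip not in ipaddress.ip_network(a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"


def source_guard_ok(port, src):
    """A packet may only carry the source IP bound to its ingress port."""
    return SOURCE_BINDINGS.get(port) == src


def ingress_decision(port, proto, src, dst, dport=None):
    """Antispoofing first, then the ACL: a packet whose source IP does not
    match its port binding never reaches the ACL that trusts that address."""
    if not source_guard_ok(port, src):
        return "deny (ip source guard)"
    return acl_action(ACL_101, proto, src, dst, dport)


if __name__ == "__main__":
    cases = [
        ("Fa0/1",  "udp", "192.168.0.7",  "224.0.0.2", 1985),  # genuine router hello
        ("Fa0/12", "udp", "192.168.0.42", "224.0.0.2", 1985),  # end station speaking HSRP
        ("Fa0/12", "tcp", "192.168.0.42", "10.0.0.1",  80),    # ordinary host traffic
        ("Fa0/12", "udp", "192.168.0.7",  "224.0.0.2", 1985),  # end station using the router's IP
    ]
    for c in cases:
        print(c, "-> ACL alone:", acl_action(ACL_101, *c[1:]),
              "| with source guard:", ingress_decision(*c))
```

The last case is the one the chapter warns about: the ACL alone permits an HSRP packet from an end station as soon as it carries a trusted router’s source address, because the ACL can only judge by IP address; the source guard stage, which ties each address to a port, is what closes that gap, and the same reasoning covers 224.0.0.102 (HSRPv2) since the deny line matches any UDP 1985 traffic.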
Summary
HSRP has a major vulnerability—the lack of strong authentication and antireplay in
RFC 2281. This opens the door to DoS attacks and to MITM attacks. The latter can be used
for attacks against integrity and confidentiality.
You can mitigate these attacks in two ways:
• Use MD5 HMAC to authenticate all HSRP messages. This is easy to deploy, but it
does not protect against replay attacks.
• Use an ACL to forbid attached hosts from sending HSRP messages. This must be
complemented with a strict antispoofing mechanism. The ACL approach is preferred.
References
1. T. Li, et al. RFC 2281, “Cisco Hot Standby Router Protocol (HSRP).” IETF, March 1998.
2. Yersinia. http://www.yersinia.net/.
3. IRPAS. http://www.phenoelit.de/irpas/docu.html.