Cisco HSRP Weakness/DoS

[bashis <bash () NS WCD SE>]

Hi

I was playing with Cisco's HSRP (Hot Standby Routing Protocol),
and there is a (major) weakness in that protocol that allow
any host in a LAN segment to make a HSRP DoS.

Short (very) explain of HSRP.
HSRP uses UDP on port 1985 to multicast address 224.0.0.2,
and the authentication is in clear text. (default: cisco)

I include a small program that sends out a fake HSRP packet,
when it hear a legal HSRP packet, as a "proof of concept" code...

Vendor was notified about this 14 April 2001,,
and their response was to use HSRP with IPSec.
http://www.cisco.com/networkers/nw00/pres/2402.pdf

[cut from src]
/*
 * Description:
 * This code listen for any HSRP packet, when it hear one HSRP packet,
 * it capture this, modifies some of HSRP protocol parameters, and send out
 * a fake HSRP packet that tells other routers that I am the active router,
 * I have highest priority and you should be 'Standby' or silent..
 *
 * If the other active, and legal router has highest possible
 * priority (255), then they will fight.. ;-) , AND it seems
 * in my tests that the legal router who 'wishes' be active router,
 * IS allready active, so no DoS will occure. (only UDP flood from both)
 */

--
\0x62\0x61\0x73\0x68\0x69\0x73

Attachment: hsrp-dos.tgz
Description: gzip compressed data, deflated, last modified: Thu May 3 20:02:56 2001, os: Unix