OSPF路由协议脆弱性研究及分析

朱绪全; 包婉宁; 张进; 江逸茗; 马海龙

引用本文：

朱绪全,包婉宁,张进,江逸茗,马海龙.OSPF路由协议脆弱性研究及分析[J].信息安全学报,2023,8(2):42-53 [点击复制]
ZHU Xuquan,BAO Wanning,ZHANG Jin,JIANG Yiming,MA Hailong.Research and Analysis on the Vulnerability of OSPF Routing Protocol[J].Journal of Cyber Security,2023,8(2):42-53 [点击复制]

本文已被：浏览 6006次下载 3847次	码上扫一扫！
OSPF路由协议脆弱性研究及分析
朱绪全¹, 包婉宁¹, 张进¹, 江逸茗², 马海龙²
0 字体:加大+\|默认\|缩小-
(1.网络通信与安全紫金山实验室南京中国 210000;2.国家数字交换系统工程技术研究中心郑州中国 450002)

摘要:

互联网的高速发展带来了网络规模的持续增长以及拓扑结构的愈加复杂,同时给网络安全提出了巨大的挑战,OSPF (Open Shortest Path First)已经成为网络部署中使用最为广泛的路由协议,OSPF等路由协议的安全是网络安全的重要组成部分,没有正确的路由信息,也就没有了网络的安全与稳定。本文论述了OSPF路由协议内在的交互机制,挖掘了自身机制存在的漏洞,深入研究了基于OSPF协议脆弱性的攻击技术,通过分析协议的设计缺陷,突破协议自带的保护机制,扰乱正常协议交互达到攻击目的。本文详细描述了几种典型的攻击原理,在仿真软件中搭建网络环境证实了漏洞的存在。本文对OSPF安全隐患与常见漏洞做了详细的量化评估与分析,基于OSPF漏洞特点对CVSS3.0评分系统进行扩展,创新地增加攻击范围的修正系数,提高了OSPF协议漏洞评价的合理性,量化评估结果能为漏洞防御的研究工作提供指导,对其他路由协议的脆弱性研究分析有积极的示范作用。最后针对本文描述的漏洞提出了相应的安全防范措施,提出一个路由威胁监测预防系统用于路由协议攻击的监测和预防。总之,保护OSPF等路由协议的安全需要建立一个整体的安全观,从多个层面来保障网络安全。

关键词: OSPF协议路由脆弱性评估攻击防范

DOI：10.19363/J.cnki.cn10-1380/tn.2023.03.04

投稿时间：2021-11-08修订日期：2022-01-06

基金项目:

Research and Analysis on the Vulnerability of OSPF Routing Protocol

ZHU Xuquan¹, BAO Wanning¹, ZHANG Jin¹, JIANG Yiming², MA Hailong²

(1.Purple Mountain Laboratories, Nanjing 210000, China;2.National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China)

Abstract:

The rapid development of the Internet has brought about the continuous growth of the network scale and the increasingly complexity of the topology, and at the same time it has presented huge challenges to network security. OSPF (Open Shortest Path First) has become the most widely used routing protocol in network deployment, The security of OSPF and other routing protocols is increasingly becoming an important part of network security, there will be no network security and stability without the correct routing information. This paper discusses the internal interaction mechanism of OSPF, and digs out the loopholes in the OSPF routing protocol itself, deeply studies the attack technology based on the vulnerability of the OSPF protocol, analyzes the design flaws of the protocol, breaks through the protocol’ s built-in protection mechanism, and disrupts the normal protocol interaction to achieve the purpose of attack. This paper describes in detail several typical attack principles, and the establishment of a network environment in the simulation software that confirms the existence of vulnerabilities. In this paper, several typical attack principles are described in detail, and the existence of vulnerabilities is verified by constructing network environment in simulation software. Based on the characteristics of OSPF vulnerabilities, the CVSS3.0 scoring system is expanded, and the correction coefficient of the attack range is innovatively increased, which improves the rationality and quantification of OSPF protocol vulnerability evaluation. The evaluation results can provide guidance for the research work of vulnerability defense, and have a positive demonstration effect on the vulnerability research and analysis of other routing protocols. Finally, some corresponding security measures are proposed for the vulnerabilities described in this paper, and a routing threat monitoring and prevention system is proposed to monitor and prevent routing protocol attacks. In a word, to protect the security of routing protocols such as OSPF, an overall security concept should be established to ensure network security at multiple levels.

Key words: OSPF route vulnerability evaluation attack prevention