Research and Analysis on the Vulnerability of OSPF Routing Protocol
ZHU Xuquan, BAO Wanning, ZHANG Jin, JIANG Yiming, MA Hailong
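(Purple Mountain Laboratories, Nanjing 210000, China; National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China)
Abstract:
The rapid development of the Internet has brought continuous growth in network scale and increasingly complex topologies, while posing major challenges to network security. OSPF (Open Shortest Path First) has become the most widely used routing protocol in network deployments, and the security of OSPF and other routing protocols is an important part of network security: without correct routing information there is no network security or stability. This paper discusses the internal interaction mechanisms of the OSPF routing protocol, uncovers the vulnerabilities in those mechanisms, and studies in depth the attack techniques based on OSPF protocol weaknesses, which, by analyzing the protocol's design flaws, break through the protocol's built-in protection mechanisms and disrupt normal protocol interaction to achieve the attack. The paper describes the principles of several typical attacks in detail and confirms the existence of the vulnerabilities in a network environment built in simulation software. It gives a detailed quantitative evaluation and analysis of OSPF security risks and common vulnerabilities; based on the characteristics of OSPF vulnerabilities it extends the CVSS3.0 scoring system, adding, as an innovation, a correction coefficient for attack range, which makes the evaluation of OSPF protocol vulnerabilities more reasonable. The quantitative evaluation results can guide research on vulnerability defense and serve as a positive example for vulnerability research and analysis of other routing protocols. Finally, corresponding security countermeasures are proposed for the vulnerabilities described, together with a routing threat monitoring and prevention system for monitoring and preventing routing protocol attacks. In short, protecting the security of OSPF and other routing protocols requires a holistic view of security that safeguards the network at multiple levels.
Keywords:  OSPF protocol  routing  vulnerability  evaluation  attack  prevention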
DOI:10.19363/J.cnki.cn10-1380/tn.2023.03.04
Received: November 08, 2021; Revised: January 06, 2022
Research and Analysis on the Vulnerability of OSPF Routing Protocol
ZHU Xuquan, BAO Wanning, ZHANG Jin, JIANG Yiming, MA Hailong
Purple Mountain Laboratories, Nanjing 210000, China; National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China
Abstract:
The rapid development of the Internet has brought continuous growth in network scale and increasingly complex topologies, and at the same time it has presented huge challenges to network security. OSPF (Open Shortest Path First) has become the most widely used routing protocol in network deployment. The security of OSPF and other routing protocols is an important part of network security: without correct routing information, there is no network security or stability. This paper discusses the internal interaction mechanism of OSPF and identifies the vulnerabilities inherent in the protocol's own mechanisms. It studies in depth the attack techniques based on OSPF protocol weaknesses, which, by analyzing the design flaws of the protocol, break through the protocol's built-in protection mechanism and disrupt normal protocol interaction to achieve the purpose of the attack. Several typical attack principles are described in detail, and the existence of the vulnerabilities is verified by constructing a network environment in simulation software. Based on the characteristics of OSPF vulnerabilities, the CVSS3.0 scoring system is extended with a new correction coefficient for the attack range, which improves the rationality and quantification of OSPF protocol vulnerability evaluation. The evaluation results can provide guidance for research on vulnerability defense and serve as a positive example for vulnerability research and analysis of other routing protocols. Finally, corresponding security measures are proposed for the vulnerabilities described in this paper, and a routing threat monitoring and prevention system is proposed to monitor and prevent routing protocol attacks.
In short, protecting the security of routing protocols such as OSPF requires an overall security concept that ensures network security at multiple levels.
Key words:  OSPF  route  vulnerability  evaluation  attack  prevention