Attacks on the IS-IS protocol.
False routes.
IS-IS uses one mandatory default metric with a maximum path value of 1024. This metric is arbitrary and is usually assigned by the network administrator. Any single link can have a maximum value of 64. Path length is calculated by summing the link values. The maximum link values are set at these levels to provide enough granularity to support different types of links, while ensuring that the shortest-path algorithm used to calculate routes is sufficiently efficient.
IS-IS also defines three optional metrics (costs) for administrators who feel the need for them. The delay cost reflects the amount of delay on the link. The expense cost reflects the communication cost associated with using the link. The error cost reflects the error rate of the link.
IS-IS maps these four metrics to the quality-of-service (QoS) option in the CLNP packet header. Using this mapping, IS-IS can calculate routes through the internetwork.
The essence of false-route attacks on IS-IS is to create a fake node with minimal link costs. Under the IS-IS algorithm for calculating the optimal route, all traffic then begins to flow through this router, which lets an attacker collect confidential information.
A variant of this attack is to disable a legitimate IS-IS router through denial-of-service attacks and replace it with a fake device.
To carry out these attacks, an attacker needs to create IS-IS packets of the appropriate format.
IS-IS uses three basic packet formats:
IS-IS hello packets;
Link state packets (LSPs);
Sequence number packets (SNPs).
Each of these three IS-IS packets has a complex format with three different logical parts. The first part is an 8-byte fixed header common to all three packet types. The second part is specific to the packet type and has a fixed format. The third logical part is also specific to the packet type, but has a variable length.
Common header | Packet-type-specific, fixed header | Packet-type-specific, variable-length header
The first field in the common IS-IS header is the protocol identifier, which identifies the IS-IS protocol. This field contains a constant (131).
The next field of the common header is the header length field. This field contains a fixed header length. This length is always 8 bytes, but it is included so that IS-IS packets differ only slightly from CLNP packets.
The length field is followed by the version field, which is equal to one in the current IS-IS specification.
The version field is followed by the ID length field, which determines the size of the ID (identifier) part of the NSAP if its value is between 1 and 8 (inclusive). If the field contains zero, the ID part is 6 bytes. If the field contains 255 (all ones), the ID part is 0 bytes.
The next field is the packet type field, which defines the IS-IS packet type (hello, LSP, or SNP).
The packet type field is followed by the version field again.
The second version field is followed by the reserved field, which is zero and ignored by the recipient.
The last field of the common header is the maximum area addresses field. This field defines the number of addresses allowed for this area.
The common header is followed by an additional fixed part, different for each packet type, followed by a variable part.
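The field layout described above can be checked on received frames before they are trusted. The following is an added example, not code from the original article: a small decoder for the 8-byte common header that reports which fields fail basic sanity checks. The function names, the PDU type numbers (taken from ISO/IEC 10589) and the sample frames are assumptions of the example; the sample frames are constructed, not captured traffic.

```python
import struct

ISIS_PROTOCOL_ID = 131  # constant from the text (0x83)
# PDU type numbers from ISO/IEC 10589, grouped into the three classes in the text.
PDU_CLASSES = {15: "hello", 16: "hello", 17: "hello", 18: "LSP", 20: "LSP",
               24: "SNP", 25: "SNP", 26: "SNP", 27: "SNP"}


def system_id_length(field):
    """ID length rule from the text: 0 -> 6 bytes, 1..8 -> as given, 255 -> 0."""
    if field == 0:
        return 6
    if 1 <= field <= 8:
        return field
    return 0 if field == 255 else None  # None: value not defined


def parse_common_header(pdu):
    """Decode the 8-byte common header; return (fields, names of failed checks)."""
    if len(pdu) < 8:
        raise ValueError("shorter than the 8-byte common header")
    proto, hdr_len, ver, id_len, ptype, ver2, reserved, max_area = struct.unpack("!8B", pdu[:8])
    fields = {
        "protocol_id": proto,
        "header_length": hdr_len,
        "version": ver,
        "id_length": system_id_length(id_len),
        "pdu_class": PDU_CLASSES.get(ptype & 0x1F),  # low 5 bits carry the type
        "max_area_addresses": max_area,
    }
    problems = []  # the reserved byte is ignored by receivers, so it is not checked
    if proto != ISIS_PROTOCOL_ID:
        problems.append("protocol_id")
    if hdr_len < 8 or hdr_len > len(pdu):
        problems.append("header_length")
    if ver != 1 or ver2 != 1:
        problems.append("version")
    if fields["id_length"] is None:
        problems.append("id_length")
    if fields["pdu_class"] is None:
        problems.append("pdu_type")
    return fields, problems


# Constructed sample frames (not captured traffic), padded with zero bytes.
GOOD_HELLO = bytes([131, 27, 1, 0, 15, 1, 0, 3]) + bytes(19)  # 27: LAN hello length value
BAD_FRAME = bytes([131, 4, 2, 9, 31, 1, 0, 3]) + bytes(19)

if __name__ == "__main__":
    for name, frame in (("good", GOOD_HELLO), ("bad", BAD_FRAME)):
        print(name, parse_common_header(frame))
```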
One of the ways to implement this attack is to use a constructor of "raw" IP packets.
"Flooding" with HELLO packets.
The IS-IS protocol uses HELLO packets to transmit information about routes. Accordingly, one form of attack on IS-IS is flooding with these packets.
The essence of the attack is to transmit a large number of HELLO packets to other routers, as a result of which the routing tables on these devices may overflow and the devices may temporarily fail.
To implement this type of attack, an attacker can also use the packet constructor mentioned above.
Oleg Petukhov, lawyer in the field of international law and personal data protection, specialist in information security and the protection of information and personal data.




