Flooding CDP packets to a router
The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.
I will use a simple router vs linux scenario to perform a simple attack on a router with flooding the interfaces with CDP advertisements. A simple GNS3 lab is used to perform this attack.
A simple IP dhcp pool is configured on the Router R1 and the virtualized BackTrack 5 is used to perform and attack on the router. By default Cisco Discovery protocol is turned on every interface. Let us verify that we do not have any CDP neighbors and that there are no packets traversing trough the interface.
As we assumed no traffic is passing trough the router. To simulate an attack I will use the Yersinia tool.
Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. I will use the GUI under the BT 5 menu.
The next important thing, after starting the tool is to choose the type of the attack.
And the packets are starting to send via the eth0 interface. These fabricated packets are used to simulate CDP v2 adtertisements to the Router. We can verify that we are sending a large amount of packets in a small amount of time.
The final result can be seen on the Router R1. I have stopped the attack after couple of second. This prevented the denial on the routers memory resources so we can see the verify output.
We can see that we have 12000 CDP packets received on the Router in just a few seconds. To see what resulted in the CDP table is shown in the next graphic.
Router R1 has filled up the CDP table with bogus Device IDs and the list just goes on. This could very easilly in a manner of minutes flood the CDP table and took all of the router resources.
The demonstration has taught us a one important thing. That is to disable the CDP advertisements on the Customer facing edge/WAN links. This way we are preventing the router to receive and send CDP advertisements.
That is all for now.
Fell free to comment!
No comments:
Post a Comment