Routopsy: Modern Routing Protocol Vulnerability Analysis and Exploitation

Conference: BlackHat USA 2020

The presentation discusses the identification and exploitation of routing protocols in networks, with a focus on OSPF and Kubernetes CNI. The main point is that insecure or misconfigured routing protocols can lead to network enumeration and potential attacks.
  • Routing protocols like OSPF and Kubernetes CNI can be exploited if configured insecurely
  • Identifying routing protocols can provide accurate network enumeration
  • Exploiting routing protocols can lead to potential attacks on the network
The presenter gives an example of an attacker connecting to a LAN and using routing protocols to learn about active networks within an organization, allowing for more accurate targeting of attacks.


An often-overlooked area of network security is the set of routing and redundancy protocols used between routing endpoints. Specifically, Dynamic Routing Protocols (DRPs) such as OSPF, RIP and EIGRP, and First Hop Redundancy Protocols (FHRPs) such as VRRP and HSRP, are poorly understood by InfoSec attackers and defenders alike, and the available tooling is either aging and unmaintained or hard to use without first mastering the protocols. This talk will showcase several common misconfigurations of these protocols on networks and how they can be used for Person-in-the-Middle attacks and network discovery. Additionally, Kubernetes network providers rely on some of these protocols, so the same misconfigurations can be present there. We'll be releasing new research into how these protocols and their weaknesses can be exploited, leveraging a virtual router and orchestration that we've created so that defenders can test their networks for such vulnerabilities and pentesters can demonstrate the weaknesses.

Most DRPs, such as OSPF, rely on multicast to initiate the process of establishing neighbor adjacencies, and are often configured without a proper authentication method or clear separation from the control plane. These weaknesses allow an attacker to introduce a rogue neighbor, either to observe networks that are abstracted from computing endpoints or to tamper with routing table entries. A malicious route can be used to redirect DNS or SMB traffic and so conduct Person-in-the-Middle attacks. DRPs are not the only protocols that can be configured insecurely: layer-three FHRPs such as VRRP are often configured insecurely too, and their exploitation allows Person-in-the-Middle attacks similar to ARP spoofing.

These attacks have typically required either a virtual firewall bridged onto a target network or the use of a dated open source tool such as Loki or Yersinia. A modern alternative that solves these problems will be released during this talk.
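The abstract's core observation is that OSPF adjacencies are bootstrapped by multicast Hellos that are frequently sent with no authentication, so a defender's first check is simply to look at what the Hellos on a segment actually carry. The following is an added example, not code from the Routopsy project or the talk: it parses OSPFv2 Hello packets (RFC 2328 header layout, IP header already stripped, the form you would get from a capture of the 224.0.0.5 group), verifies the RFC 1071 checksum for AuType 0 and 1, and reports Hellos with null or cleartext authentication, Hellos from router IDs not in an inventory, and Hellos for an unexpected area. The packets, router IDs and inventory are constructed here so the script runs offline; the `build_hello` helper, the finding names and the inventory set are assumptions of this example. For AuType 2 the MD5/SHA digest appended to the packet is not verified, since that needs key material; the checker only classifies the authentication type.

```python
"""Audit OSPFv2 Hello packets for null authentication and unexpected neighbours.

Added example (not Routopsy code). Packets are constructed inline so the
script runs offline; in practice feed it OSPF payloads from a capture.
"""
import socket
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OSPF_HELLO = 1                      # OSPFv2 packet type 1 = Hello
AUTYPE_NAMES = {0: "null", 1: "simple-password", 2: "cryptographic"}


def ipnum(s: str) -> int:
    return struct.unpack("!I", socket.inet_aton(s))[0]


def ipstr(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum. OSPFv2 with AuType 0/1 computes it over the whole
    packet minus the 64-bit authentication field; over a packet that already
    carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class OspfHello:
    router_id: str
    area_id: str
    au_type: int
    hello_interval: int
    dead_interval: int
    priority: int
    neighbors: List[str] = field(default_factory=list)
    checksum_ok: Optional[bool] = None   # None = digest-protected (AuType 2), not checked here


def parse_hello(pkt: bytes) -> OspfHello:
    """Parse the OSPF payload of a Hello (IP header already removed)."""
    ver, ptype, length, rid, aid, _csum, au_type = struct.unpack("!BBHIIHH", pkt[:16])
    if ver != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    body = pkt[24:length]                       # skip the 8-byte authentication field
    _mask, hello_int, _opts, prio, dead_int, _dr, _bdr = struct.unpack("!IHBBIII", body[:20])
    nbr_bytes = body[20:20 + (len(body) - 20) // 4 * 4]
    nbrs = [ipstr(n) for (n,) in struct.iter_unpack("!I", nbr_bytes)]
    csum_ok = None if au_type == 2 else ones_complement_sum(pkt[:16] + body) == 0
    return OspfHello(ipstr(rid), ipstr(aid), au_type, hello_int, dead_int, prio, nbrs, csum_ok)


def build_hello(router_id: str, area_id: str, au_type: int, neighbors=(),
                hello=10, dead=40, prio=1) -> bytes:
    """Construct a Hello for testing (hypothetical helper, not a real router's output).
    For AuType 2 a real packet would carry key ID/sequence data and a trailing
    digest; here the authentication field is left zeroed and the checksum is 0."""
    body = struct.pack("!IHBBIII", ipnum("255.255.255.0"), hello, 0x02, prio, dead, 0, 0)
    body += b"".join(struct.pack("!I", ipnum(n)) for n in neighbors)
    length = 24 + len(body)
    hdr = struct.pack("!BBHIIHH", 2, OSPF_HELLO, length, ipnum(router_id), ipnum(area_id), 0, au_type)
    csum = 0 if au_type == 2 else ones_complement_sum(hdr + body)
    hdr = struct.pack("!BBHIIHH", 2, OSPF_HELLO, length, ipnum(router_id), ipnum(area_id), csum, au_type)
    return hdr + b"\x00" * 8 + body


def audit_hellos(pkts, inventory, expected_area="0.0.0.0") -> List[Tuple[str, str]]:
    """Return (router_id, finding) pairs for the conditions the abstract warns about."""
    findings = []
    for pkt in pkts:
        h = parse_hello(pkt)
        if h.au_type == 0:
            findings.append((h.router_id, "null-auth"))          # any host on the segment can form an adjacency
        elif h.au_type == 1:
            findings.append((h.router_id, "cleartext-password"))  # password visible to anyone capturing the segment
        if h.router_id not in inventory:
            findings.append((h.router_id, "unknown-router"))      # candidate rogue neighbour
        if h.area_id != expected_area:
            findings.append((h.router_id, "unexpected-area"))
        if h.checksum_ok is False:
            findings.append((h.router_id, "bad-checksum"))
    return findings


if __name__ == "__main__":
    # Constructed sample: two inventoried routers and one unknown source, all on area 0.
    inventory = {"10.0.0.1", "10.0.0.2"}
    capture = [
        build_hello("10.0.0.1", "0.0.0.0", 2, neighbors=["10.0.0.2"]),
        build_hello("10.0.0.2", "0.0.0.0", 0, neighbors=["10.0.0.1"]),
        build_hello("192.168.77.9", "0.0.0.0", 0),
    ]
    for rid, finding in audit_hellos(capture, inventory):
        print(f"{rid:16} {finding}")
```

Run against a real capture, the "null-auth" findings are the routers to move to cryptographic authentication (AuType 2), and "unknown-router" findings are worth correlating with switch port and DHCP logs, since the abstract's rogue-neighbour scenario starts with exactly such a Hello from an uninventoried address.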