20th Dec 2002 [SBWID-5891]
COMMAND
Cisco IOS EIGRP Network DoS
SYSTEMS AFFECTED
Tested on: IOS 11.3
IOS 12.0(19)
IOS 12.2
PROBLEM
FX [fx@phenoelit.de] of Phenoelit [http://www.phenoelit.de] found :
Cisco Systems IOS is vulnerable to a denial-of-service attack using
Cisco's proprietary routing protocol Enhanced IGRP (EIGRP). When
flooding a Cisco router with spoofed EIGRP neighbor announcements, the
router will cause an Address Resolution Protocol (ARP) storm on the
network segment while trying to find the MAC addresses for the newly
discovered neighbors, effectively using all available bandwidth.
[ Description ]
EIGRP uses automatic discovery of neighboring routers. An EIGRP router
announces its existence via multicast on the enabled interfaces. If
two routers discover each other, they try to exchange information about
the current topology in unicast. On Ethernet, both sides need to obtain
the MAC address of the other router.
When generating EIGRP neighbor announcements with random source IP
addresses and flooding a Cisco router (unicast, only possible in 11.x)
or an entire network (multicast), all receiving Cisco routers will try
to contact the sender(s). The source IP addresses have to be in the
subnet(s) enabled via the "network" statement in the config of the
victim router.
A bug in Cisco IOS causes the router to continuously try to obtain the
MAC address of the sender. This process does not time out unless the
EIGRP neighbor holdtimer expires. This value is supplied by the sender
of the neighbor announcement and has a maximum of over 18 hours.
Multiple neighbor announcements with non-existent source IP addresses
will cause the router to use all available CPU power and bandwidth on
the segment for ARP requests - creating a segment-wide denial of service
condition.
The possible use of IP multicast poses a high risk for larger corporate
networks using EIGRP. Cisco IOS versions below 12.0 also accept EIGRP
neighbor announcements as unicast packets, which makes the attack
possible via the Internet.
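The following Python block is an added example, not code from FX, Phenoelit or Cisco. It parses the EIGRP hello format the description above relies on (the 20-byte EIGRP header over IP protocol 88, then TLVs; the hold time is the last two bytes of the Parameters TLV, type 0x0001, so its 16-bit maximum of 65535 seconds is the "over 18 hours" quoted above) and models the behaviour the advisory describes: every hello whose AS number matches and whose source lies inside a network enabled on the router becomes a pending neighbor that is kept, and ARPed for, until the sender-supplied hold time expires. The sample hellos, the AS number 100, the 10.0.0.0/24 network, the legitimate neighbor 10.0.0.2 and the threshold of five pending unknown neighbors are all constructed assumptions for the demonstration; the IP and Ethernet layers are assumed to have been stripped by the capture tool that hands over the payload and source address.

```python
"""EIGRP hello parser and spoofed-neighbor flood detector (added example)."""
import struct
from ipaddress import ip_address, ip_network

OPCODE_HELLO = 5
TLV_PARAMETERS = 0x0001   # K-values, reserved byte, 16-bit hold time (seconds)
TLV_AUTH = 0x0002         # authentication TLV, only present when MD5 auth is configured
TLV_SW_VERSION = 0x0004
HEADER_FMT = "!BBHIIIHH"  # version, opcode, checksum, flags, seq, ack, virtual router id, AS
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
MAX_HOLDTIME_HOURS = 0xFFFF / 3600        # 18.2 h, the "over 18 hours" in the advisory


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum computed over the whole EIGRP packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(asn: int, holdtime: int) -> bytes:
    """Constructed sample hello: Parameters TLV with default K-values (1,0,1,0,0)
    and a Software Version TLV, no Authentication TLV (the unauthenticated case)."""
    params = struct.pack("!HH5BBH", TLV_PARAMETERS, 12, 1, 0, 1, 0, 0, 0, holdtime)
    swver = struct.pack("!HH4B", TLV_SW_VERSION, 8, 12, 0, 1, 2)  # arbitrary version bytes
    body = struct.pack(HEADER_FMT, 2, OPCODE_HELLO, 0, 0, 0, 0, 0, asn) + params + swver
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_eigrp(pkt: bytes) -> dict:
    """Verify the checksum, unpack the header and walk the TLVs."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short EIGRP packet")
    if inet_checksum(pkt) != 0:          # a valid packet sums to zero with its checksum in place
        raise ValueError("bad EIGRP checksum")
    version, opcode, _csum, _flags, _seq, _ack, _vrid, asn = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    tlvs, off = {}, HEADER_LEN
    while off + 4 <= len(pkt):
        tlv_type, length = struct.unpack("!HH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):
            raise ValueError("bad TLV length")
        tlvs[tlv_type] = pkt[off + 4:off + length]   # TLV length covers type and length fields
        off += length
    holdtime = None
    if TLV_PARAMETERS in tlvs and len(tlvs[TLV_PARAMETERS]) >= 8:
        holdtime = struct.unpack("!H", tlvs[TLV_PARAMETERS][6:8])[0]
    return {"version": version, "opcode": opcode, "asn": asn,
            "holdtime": holdtime, "authenticated": TLV_AUTH in tlvs}


class NeighborFloodDetector:
    """Mirrors the router behaviour in the advisory: an in-network, matching-AS
    hello creates a pending neighbor that lives until the sender's hold time runs out."""

    def __init__(self, asn, networks, known_neighbors, max_pending_unknown=5):
        self.asn = asn
        self.networks = [ip_network(n) for n in networks]      # the 'network' statements
        self.known = {ip_address(ip) for ip in known_neighbors}  # expected peers (assumed allowlist)
        self.max_pending_unknown = max_pending_unknown
        self.pending = {}                                        # source ip -> expiry time

    def _expire(self, now):
        self.pending = {ip: exp for ip, exp in self.pending.items() if exp > now}

    def pending_unknown(self, now):
        """Sources the router would still be ARPing for that are not known peers."""
        self._expire(now)
        return sorted(str(ip) for ip in self.pending if ip not in self.known)

    def observe(self, now, src, pkt):
        """Return a verdict for one received EIGRP packet from source address src."""
        info = parse_eigrp(pkt)
        src = ip_address(src)
        if info["opcode"] != OPCODE_HELLO:
            return "not-a-hello"
        if info["asn"] != self.asn or not any(src in n for n in self.networks):
            return "ignored"       # the router would not attempt to neighbor with it
        self.pending[src] = now + (info["holdtime"] or 0)
        if src in self.known:
            return "known-neighbor"
        if len(self.pending_unknown(now)) > self.max_pending_unknown:
            return "flood"
        return "unknown-neighbor"


def demo():
    """Constructed traffic: one legitimate peer, two hellos the router ignores,
    then twenty spoofed in-subnet sources carrying the maximum hold time."""
    det = NeighborFloodDetector(asn=100, networks=["10.0.0.0/24"], known_neighbors=["10.0.0.2"])
    verdicts = [det.observe(0, "10.0.0.2", build_hello(100, 15))]         # legitimate, 15 s hold
    verdicts.append(det.observe(0, "192.168.1.9", build_hello(100, 15)))  # outside enabled network
    verdicts.append(det.observe(0, "10.0.0.3", build_hello(200, 15)))     # wrong AS number
    for host in range(10, 30):                                            # spoofed flood, 65535 s hold
        verdicts.append(det.observe(1, "10.0.0.%d" % host, build_hello(100, 0xFFFF)))
    return verdicts, det.pending_unknown(now=60), det.pending_unknown(now=0xFFFF + 2)


if __name__ == "__main__":
    v, still_pending, after_expiry = demo()
    print(v, len(still_pending), after_expiry)
```

The legitimate peer drops out of the pending table after its 15-second hold time, while the spoofed sources stay there for the full 65535 seconds, which is exactly why the sender-controlled hold time makes the flood persistent rather than transient.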
SOLUTION
Damir Rajnovic [gaus@cisco.com] says :
We can confirm the statement made by FX from Phenoelit in his message
"Cisco IOS EIGRP Network DoS" posted on 2002-Dec-19. The EIGRP
implementation in all versions of IOS is vulnerable to a denial of
service if it receives a flood of neighbor announcements. EIGRP is a
Cisco's extension of IGP routing protocol used to propagate routing
information in internal network environments.
The workaround for this issue is to apply MD5 authentication that will
permit the receipt of EIGRP packets only from authorized hosts. You can
find an example of how to configure MD5 authentication for EIGRP at the
following URL (possibly wrapped):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1ceigrp.htm#xtocid18
If you are using EIGRP in the unicast mode then you can mitigate this
issue by placing an appropriate ACL which will block all EIGRP packets
from illegitimate hosts. In the following example the EIGRP neighbor
has the IP address 10.0.0.2 and the local router has the address 10.0.0.1.
Router#config t
Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
Router(config)#access-list 111 deny eigrp any host 10.0.0.1
The previous example will permit all EIGRP packets throughout the router
and into the rest of the network. If you want to block these packets as
well then use the following commands instead of the previous example:
Router#config t
Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
Router(config)#access-list 111 deny eigrp any any
An ACL will not be effective if you are using the default multicast
mode of EIGRP neighbor discovery. However, multicast packets should not
be propagated through the Internet so an attacker must be on the same
local network segment as the target router in order to exploit this
issue with multicast advertisements.
The issue with the EIGRP neighbor command FX is referring to is assigned
Cisco Bug ID CSCdv19648 and is visible to all registered users through
Cisco's Bug Toolkit at
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
At the time of writing this notice Cisco PSIRT does not have a current
estimate on when the fix will be available.