Re: Cisco HSRP Weakness/DoS
From: "Steven M. Bellovin" <smb () RESEARCH ATT COM>
Date: Thu, 3 May 2001 22:53:01 -0400
In message <200105031757.TAA05508 () ns wcd se>, bashis writes:
I was playing with Cisco's HSRP (Hot Standby Routing Protocol),
and there is a (major) weakness in that protocol that allows
any host in a LAN segment to make an HSRP DoS.
Short (very) explanation of HSRP.
HSRP uses UDP on port 1985 to multicast address 220.127.116.11,
and the authentication is in clear text. (default: cisco)
I include a small program that sends out a fake HSRP packet
when it hears a legal HSRP packet, as a "proof of concept" code...
Vendor was notified about this 14 April 2001,
and their response was to use HSRP with IPSec.
Their response was precisely correct. Given the evils that can be done
with ARP-spoofing, this sort of misbehavior by someone already on the
LAN can't easily be prevented.
More generally, have a look at RFC 2338, on VRRP -- the Virtual Router
Redundancy Protocol. VRRP is the standards-track replacement for HSRP.
The Security Considerations section explains when to use each type of
authentication, up to and including IPsec.
Cisco's real mistake is in having a common default authentication word
-- not because it's a security failure, but because it can no longer
fulfill its function of guarding against configuration errors.
--Steve Bellovin, http://www.research.att.com/~smb
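As an added defensive example (not part of this thread, the PoC, or any vendor code), the following Python parses the HSRPv1 payload carried on UDP port 1985 and audits it for the two things discussed above: the default "cisco" authentication string and HSRP messages (Hello, Coup, Resign) arriving from hosts that are not the known routers. The field layout follows RFC 2281; the sample payloads, router addresses and expected auth string are constructed for the example.

```python
import struct
from dataclasses import dataclass

DEFAULT_AUTH = b"cisco"  # vendor default auth string named in the post
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}  # HSRPv1 opcodes (RFC 2281)

@dataclass
class Hsrp:
    version: int
    opcode: int
    state: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str

def parse_hsrp(payload: bytes) -> Hsrp:
    """Decode the fixed 20-byte HSRPv1 payload of a UDP/1985 datagram."""
    if len(payload) < 20:
        raise ValueError("HSRP payload too short")
    ver, op, state, _hello, _hold, prio, group, _rsvd, auth, vip = \
        struct.unpack("!8B8s4s", payload[:20])
    return Hsrp(ver, op, state, prio, group, auth.rstrip(b"\x00"),
                ".".join(str(b) for b in vip))

def audit(payload: bytes, src_ip: str, expected_auth: bytes, routers: set) -> list:
    """Findings a passive monitor would raise for one HSRP datagram."""
    h = parse_hsrp(payload)
    name = OPCODES.get(h.opcode, f"opcode {h.opcode}")
    findings = []
    if h.auth == DEFAULT_AUTH:
        findings.append("default authentication string in use")
    if h.auth != expected_auth:
        findings.append(f"group {h.group}: auth string mismatch")
    if src_ip not in routers:
        # Any HSRP message from a host that is not a known router is the
        # on-LAN interference the post describes, Coup/Resign most of all.
        findings.append(f"group {h.group}: {name} from unknown source {src_ip}")
    return findings

# Constructed sample payloads (version, opcode, state, hello, hold, priority,
# group, reserved, 8-byte auth, virtual IP): a normal Active Hello from the
# real router, then a Coup from an unexpected host claiming priority 255.
ROUTERS = {"192.0.2.2"}  # assumed set of legitimate HSRP speakers
GOOD_HELLO = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + b"cisco\0\0\0" + bytes([192, 0, 2, 1])
ROGUE_COUP = bytes([0, 1, 16, 3, 10, 255, 1, 0]) + b"cisco\0\0\0" + bytes([192, 0, 2, 1])
```

Feeding captured UDP/1985 payloads with their source addresses into `audit` gives the same signal whether or not the site has changed the default word, which is the point Bellovin makes about the default no longer catching configuration errors.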