Date created: Monday, February 15, 2016 10:23:36 PM. Last modified: Wednesday, December 13, 2017 1:08:52 PM

MPLS VPN Security 100 - Overview

RFC4447 - Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP)
RFC4448 - Encapsulation Methods for Transport of Ethernet over MPLS Networks
RFC4761 - Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling
RFC4762 - Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling

On these pages are the outcomes and findings of tests made against typical service provide topologies where MPLS is being used as a transport and segregation technology between customers and sites.

The tests focus on attacking a link between two LSRs within the SP network or the link between CPE and PE where the SP is running MPLS to the CPE, to makes the true physical attack source hard to identify (such as spoofing the source MAC of an LSR).

Many MPLS injection attacks only allow for one way communication unless a control-plan level attack is being made to establish an LDP, RSVP or MP-BGP session with an LER/LSR, which would allow for the exchange forwarding information between the attacker and LER/LSR. Despite only one way communication being available from the attacker into the MPLS LSP (either to a specific end user/host that resides within a specific MPLS VPN or against the LSP itself) there are many kinds of one way attack that don't require return communication from the victim back to the attacker.

Some examples of attacks that only need one way communication are listed below. These are attacks that can be run on any local layer 2 broadcast domain or where there is end-to-end IP reachability between two hosts, they are not new attacks or specific to connectivity services that use MPLS for transport, they simply only require one-way communication:

L2 VPNs (such as ELAN/ELINE)

Broadcast Floor - Simply flooding traffic to a broadcast or multicast destination could create a DoS for multiple distributed sites connected via the same WAN
MAC/TCAM - Flood out layer 2 addresses and exhaust MAC tables, especially in the SP control-plane
STP - Send a BPDU and trigger a topology change and/or fake a loop
VTP - Flatten a VLAN database

L3 VPNs (such as IPv4/IPv6 VPNs)

0day - A bit vague but there are plenty of 1-packet exploits that trigger a buffer overflow, device reload, service crash etc
DoS - A rudimentary traffic flood to stop others from accessing a device or service that is inside an MPLS VPN users usually have to pass through an IDS/IPS to connect to
DDoS - A DNS server inside a protected VPN can be used in a classic DNS amplification attack
SNMP - Trigger a device to restart, shutdown, download your custom "backdoor'ed" configuration and load it from a host under your control.
SNMP Traps - Send/trigger traps to the NOC and cause misdirection whilst another attack takes place

MPLS VPN Security 101 - L3 VPN - Here tests are made to inject traffic into an MPLS L3 VPN (a full mesh of MP-iBGP sessions) by injecting the traffic on a link between the CPE and PE where the SP is running MPLS  to the CPE. The traffic source is spoofed so that it will appear as if the malicious traffic is coming from a CPE attached to PE1, although the interface utilisation stats wouldn't back that theory up which would be puzzling. The practicality of inject packets between two devices connected using fibre is low, it is not impossible though just very difficult (for example, the change in light levels would be quite obvious). For a copper connection it is a trivial exploitation that can be achieved with a hub.

MPLS VPN Security 102 - L2 VPN - Here tests are made to inject traffic into an MPLS L2 VPN, again injecting the traffic on the link between two routers, this time a link between to LSRs. The topology is a triangle topology using VPLS (BGP signalled auto-discovery) to provide MP2MP connectivity. With an attacker connected to an end site some of the possible attacks that relate to the network infrastructure itself are obvious like flooding the links with traffic, or flooding the MAC tables on the PEs/LERs, so these tests are made from the link between LSRs so evade some of the ingress filtering such as broadcast storm control for example.