Warranty Void If Label Removed: Attacking MPLS Networks

By Georgi Geshev on 10 December, 2015

Georgi Geshev presented “Warranty Void If Label Removed: Attacking MPLS Networks” at multiple security conferences including ekoparty in Argentina, PacSec in Japan, and ZeroNights in Russia.

General MPLS and MPLS-related concepts were briefly introduced to the audience, followed by an overview of a typical service provider network, classic topologies and basic traffic engineering strategies.

Several network reconnaissance techniques were presented that could allow an adversary to partially or, in some cases, fully reveal the MPLS backbone Label Switching Router (LSR) interconnections by leaking internal LSR IP addresses. Furthermore, certain vendor implementations were found to allow traffic to be sent directly to LSR IP addresses, behaviour that would be prevented if the vendors followed the specification.

A potential attack scenario against service provider infrastructure was demonstrated with a walk-through of an attack against customers of a shared MPLS environment. In addition, the concept of Virtual Routing and Forwarding (VRF) was explained, with further discussion of VRF hopping attacks. Several vendors were found to be susceptible to this kind of attack, which allows for what can be described as VLAN hopping in the context of MPLS. In summary, successfully executing a VRF hopping attack allows breaking out of our own VRF and injecting traffic into another customer’s VRF.
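As an added defender-side example (not code from the talk or its slides), the following Python checker parses the MPLS label stack (the RFC 3032 shim header behind EtherType 0x8847) from raw Ethernet frames and flags labeled frames that arrive on ports designated as customer-facing, where a provider edge should not be accepting labeled traffic at all. Port names and frames are constructed placeholders.

```python
import struct

MPLS_UNICAST = 0x8847  # EtherType for MPLS unicast (RFC 3032)


def parse_mpls_stack(frame: bytes):
    """Return the label stack of an Ethernet frame as a list of dicts
    (label, tc, bos, ttl), or None if the frame is not MPLS unicast."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MPLS_UNICAST:
        return None
    stack, offset = [], 14
    while True:
        if len(frame) < offset + 4:
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack("!I", frame[offset:offset + 4])
        # Shim header layout: 20-bit label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL
        stack.append({"label": entry >> 12, "tc": (entry >> 9) & 0x7,
                      "bos": (entry >> 8) & 0x1, "ttl": entry & 0xFF})
        offset += 4
        if stack[-1]["bos"]:
            return stack


def flag_unexpected_labels(frames, customer_facing_ports):
    """frames: iterable of (ingress_port, frame_bytes).
    Returns (port, [labels]) for every labeled frame seen on a customer-facing port."""
    findings = []
    for port, frame in frames:
        stack = parse_mpls_stack(frame)
        if stack and port in customer_facing_ports:
            findings.append((port, [e["label"] for e in stack]))
    return findings


def build_mpls_frame(labels):
    """Constructed test frame: zeroed MACs, a label stack of (label, ttl) pairs,
    and a 20-byte placeholder IPv4 header as payload."""
    eth = b"\x00" * 12 + struct.pack("!H", MPLS_UNICAST)
    shim = b"".join(struct.pack("!I", (label << 12) | ((i == len(labels) - 1) << 8) | ttl)
                    for i, (label, ttl) in enumerate(labels))
    return eth + shim + b"\x45" + b"\x00" * 19


# Constructed sample capture: a labeled frame on a customer port, a labeled frame on a
# core port, and a plain IPv4 frame (EtherType 0x0800) on a customer port.
CONSTRUCTED_FRAMES = [
    ("cust-port-1", build_mpls_frame([(16, 64), (24, 64)])),
    ("core-port-0", build_mpls_frame([(300, 255)])),
    ("cust-port-1", b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for port, labels in flag_unexpected_labels(CONSTRUCTED_FRAMES, {"cust-port-1"}):
        print(f"labeled traffic on customer-facing port {port}: labels {labels}")
```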
