一、基础网络配置
1. 路由器R1配置
interface GigabitEthernet0/0/0
ip address 192.1.2.254 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 192.1.3.254 255.255.255.0
!
router rip 1
version 2
network 192.1.2.0
network 192.1.3.02. 路由器R2配置
interface GigabitEthernet0/0/0
ip address 192.1.3.253 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 192.1.4.254 255.255.255.0
!
router rip 1
version 2
network 192.1.3.0
network 192.1.4.03. 路由器R3配置
interface GigabitEthernet0/0/0
ip address 192.1.4.253 255.255.255.0
!
interface GigabitEthernet0/0/1
ip address 192.1.5.254 255.255.255.0
!
router rip 1
version 2
network 192.1.4.0
network 192.1.5.0验证通信
PC> ping 192.1.5.2 # 应获得100%成功率二、路由欺骗攻击实施
入侵路由器配置
interface GigabitEthernet0/0/0
ip address 192.1.3.252 255.255.255.0
!
router rip 1
version 2
network 192.1.3.0攻击特征
-
发送伪造路由更新:
192.1.5.0/24metric=1 -
通过Wireshark抓包可见恶意RIP响应:
Source: 192.1.3.252 Destination: 224.0.0.9 RIP Response: - 192.1.5.0/24 Metric=1
路由表污染验证
R1# show ip route
RIP 192.1.5.0/24 [120/1] via 192.1.3.252 # 正确路由应显示metric=2三、安全防御配置
R1/R2接口认证配置
! R1配置
interface GigabitEthernet0/0/1
rip authentication-mode hmac-sha256 cipher your_password
rip version 2 multicast
! R2配置
interface GigabitEthernet0/0/0
rip authentication-mode hmac-sha256 cipher your_password
rip version 2 multicast
interface GigabitEthernet0/0/1
rip authentication-mode hmac-sha256 cipher your_password
rip version 2 multicast防御效果验证
-
路由表恢复正确:
RIP 192.1.5.0/24 [120/2] via 192.1.3.253 -
Wireshark抓包显示认证字段:
RIP Authentication: Type: HMAC-SHA256 Key-ID: 100
实验结论
- RIP协议存在明文传输路由信息的安全缺陷
- 通过伪造metric值可实施路由欺骗
- 启用HMAC-SHA256认证能有效防御路由欺骗
- 建议生产网络使用OSPF等更安全的路由协议