RIP路由欺骗攻击与防御实验详解

一、基础网络配置

1. 路由器R1配置

interface GigabitEthernet0/0/0
 ip address 192.1.2.254 255.255.255.0
!
interface GigabitEthernet0/0/1
 ip address 192.1.3.254 255.255.255.0
!
router rip 1
 version 2
 network 192.1.2.0
 network 192.1.3.0

2. 路由器R2配置

interface GigabitEthernet0/0/0
 ip address 192.1.3.253 255.255.255.0
!
interface GigabitEthernet0/0/1
 ip address 192.1.4.254 255.255.255.0
!
router rip 1
 version 2
 network 192.1.3.0
 network 192.1.4.0

3. 路由器R3配置

interface GigabitEthernet0/0/0
 ip address 192.1.4.253 255.255.255.0
!
interface GigabitEthernet0/0/1
 ip address 192.1.5.254 255.255.255.0
!
router rip 1
 version 2
 network 192.1.4.0
 network 192.1.5.0

验证通信

PC> ping 192.1.5.2  # 应获得100%成功率

二、路由欺骗攻击实施

入侵路由器配置

interface GigabitEthernet0/0/0
 ip address 192.1.3.252 255.255.255.0
!
router rip 1
 version 2
 network 192.1.3.0

攻击特征

• 发送伪造路由更新：192.1.5.0/24 metric=1
• 通过Wireshark抓包可见恶意RIP响应：

  Source: 192.1.3.252
  Destination: 224.0.0.9
  RIP Response:
    - 192.1.5.0/24 Metric=1

路由表污染验证

R1# show ip route
RIP  192.1.5.0/24 [120/1] via 192.1.3.252  # 正确路由应显示metric=2

三、安全防御配置

R1/R2接口认证配置

! R1配置
interface GigabitEthernet0/0/1
 rip authentication-mode hmac-sha256 cipher your_password
 rip version 2 multicast

! R2配置
interface GigabitEthernet0/0/0
 rip authentication-mode hmac-sha256 cipher your_password
 rip version 2 multicast

interface GigabitEthernet0/0/1
 rip authentication-mode hmac-sha256 cipher your_password
 rip version 2 multicast

防御效果验证

1. 路由表恢复正确：

   RIP  192.1.5.0/24 [120/2] via 192.1.3.253

2. Wireshark抓包显示认证字段：

   RIP Authentication:
     Type: HMAC-SHA256
     Key-ID: 100

实验结论

1. RIP协议存在明文传输路由信息的安全缺陷
2. 通过伪造metric值可实施路由欺骗
3. 启用HMAC-SHA256认证能有效防御路由欺骗
4. 建议生产网络使用OSPF等更安全的路由协议