EIGRP Attacks

Attacking EIGRP Protocol

EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic routing protocol. It is a distance-vector protocol. If there is no authentication and configuration of passive interfaces, an intruder can interfere with EIGRP routing and cause routing tables poisoning. Moreover, EIGRP network (in other words, autonomous system) is flat and has no segmentation into any zones. What could this mean for an attacker? Well, if he injects a route, it is likely that this route will spread throughout the autonomous EIGRP system.
First and foremost, attacking a standalone EIGRP system requires establishing a neighborhood with a legitimate EIGRP router, which opens up a lot of possibilities, from basic reconnaissance to various injections.
For this I will use FRRouting. This is an open-source software which is designed to create a router in Unix and Linux. FRRouting allows you to implement a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols. All you need to do is deploy it on your attacker’s system and you can actually pretend to be a legitimate router in the routing domain. I’ll show you how to deploy FRR on your system in the next section.

Network Intelligence

Connecting to the routing domain allows us to do enumeration and reconnaissance of networks and not spend a lot of time scanning. This method saves you a lot of precious time. Plus, by scanning, you can get burned in front of IPS/IDS security systems. To me, connecting to the domain and enumeration is the attack vector on routing domains that gives you the most impact. But to do this you need to deploy FRRouting. Here we go.
It is necessary to edit the configuration file daemons. It contains the configurations of the daemons in the context of their activity. Either they are enabled (yes) or not (no). We need to activate the eigrpd daemon.
~# nano /etc/frr/daemons
After that, you need to correct the vtysh.conf file by adding a line responsible for saving the configuration to one file, so that configurations of different protocols are not scattered into different files (e.g. eigrpd.conf, staticd.conf). It is configurable optionally.
~# nano /etc/frr/vtysh.conf
service integrated-vtysh-config
The FRRouting configuration is done. Now it’s time to run the FRR daemon. And yes, we need to enable traffic routing. By default it is disabled in Linux distributions
~$ sudo systemctl start frr
~$ sudo sysctl -w net.ipv4.ip_forward=1
The vtysh command will take us to the FRR router control panel.
~$ sudo vtysh
Inguz# show version
However, don’t forget that the EIGRP routing domain can be protected by authentication. But you still have a chance to connect to the routing domain. When hello packets are sent out, they also contain cryptographic hashes. If you can extract these hashes from the traffic dump and reset the password, you can log on to the routing domain with this password.
Go to global configuration mode and start the EIGRP process, specify the autonomous system number — 1
And we also need to declare the network we are in. We are at My address is
Inguz# configInguz(config)# router eigrp 1Inguz(config-router) network
After that, the neighborhood between the legitimate EIGRP routers is established. There are two of them on my network:
  • GW1 (
  • GW2 (
EIGRP Neighborship with GW1 (
EIGRP Neighborship with GW2 (
During the establishment and maintenance of the neighborhood between EIGRP routers, routers exchange their routing information. After the neighborhood is established, new routes will appear in our routing table of the attacking system, namely:
  • via;
  • via;
  • via;
  • via
Thus, after establishing the neighborhood, we know about the existence of these subnets, which makes it easier for us to pentest and save time. We can do without additional subnet scanning. Now we are in the EIGRP routing domain and we can develop some attack vectors. Let’s talk about them.

Fake EIGRP Neighbors

I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack. I have developed a little **** script, but it seems to me that the script lacks the speed of sending out the packets. It’s caused by GIL, which prevents the sprayhello function from running in multiple threads per second. Eventually I’ll rewrite the script in C.
Arguments of the script:
  • Interface of the attacking system (eth0);
  • EIGRP autonomous system number (1);
  • Subnet where the attacking system is located. In my case, the subnet is
~$ sudo python3 --interface eth0 --as 1 --subnet

EIGRP Blackhole

The essence of this attack is a simple injection of a false route that will poison the routing table. Traffic to, say, the network will go nowhere, causing a denial of service. Such an attack is called a Blackhole. The script **** will be the tool used to perform it. For this example, I will send traffic destined for host to the black hole.
Arguments of the script:
  • interface of the attacking system
  • EIGRP AS number
  • IP address of the attacker
  • IP address of the target subnet whose traffic will be sent to the black hole
  • target subnet mask
~$ sudo python3 --interface eth0 --as 1 --src --dst --prefix 32
Our host seems to be in trouble :)
As you can see, the host loses connectivity to host due to route injection.

Abusing K-Values

To establish EIGRP neighbors, routers use special K-values. They must be the same among all EIGRP neighbors. If at least one K-value does not match, the EIGRP domain will crash and the neighborhood will be broken. We will use **** to perform this attack**.**
Script arguments:
  • network interface
  • EIGRP AS number
  • IP Address of legitimate router
On behalf of the specified IP and will be sent an inject on the multicast EIGRP IP address, in which the K-values are different. In my case, I will break the neighborhood on behalf of router GW1 (address is
~$ sudo python3 --interface eth0 --as 1 --src
Dump of traffic during a neighborhood disruption
GW1 router endlessly disconnects and reconnects EIGRP
A DoS attack can be carried out in this way. During operation, endless breakups and neighborhood attempts occur, paralyzing part of the EIGRP routing domain.

Routing table overflow

The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented script
Script arguments
  • network interface
  • EIGRP AS Number
  • Attacker’s IP address
in9uz@Inguz:~$ sudo python3 --interface eth0 --as 1 --src
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of RandIP() in Scapy.
Routing table overflows on GW1 router
Overloaded router CPU