HSRP—Hot Standby Router Protocol

What is the HSRP?

A first-hop redundancy protocol (FHRP) is a network protocol designed to protect the default gateway used on a subnet by allowing two or more routers to provide a backup for that address.

If the active router fails, the backup router usually takes over the address within a few seconds. Hot Standby Router Protocol (HSRP) is an example of such a protocol, among many others.

Hot Standby Router Protocol provides redundancy for IP networks and ensures that traffic can transparently recover from first hop failures. Devices sharing a common Layer 2 domain participate in a virtual router environment that ensures a single device performs the egress routing role. By continuously exchanging HSRP messages, candidate devices can automatically take over routing responsibility if there are problems with the active device.

Exploitation of the Cisco Hot Standby Router Protocol

Network devices are often configured without important security features, which leaves those configurations open to exploitation. The Hot Standby Router Protocol is one example: it can be exploited if it is not properly configured.

Hot Standby Router Protocol Operation

In most cases, when you configure the routers to be part of an HSRP group, they listen to both the HSRP MAC address for that group and their own burned-in MAC address. A router uses the HSRP MAC address while it is the active router and its burned-in address when it is not. The choice of active and standby routers is based on priority, or on the highest IP address if the routers have the same priority.

HSRP vulnerability

HSRP ignores messages that fail authentication; however, the default authentication type is plain-text authentication with the default string cisco. An attacker can use HSRP to launch a man-in-the-middle (MiTM) attack or a denial-of-service (DoS) attack. The attacker achieves this by forging HSRP Hello packets with a higher priority (e.g. 130) than the current active router's priority.

Prevention of HSRP Exploitation

You can use the following steps to ensure that this vulnerability does not exist.

Secure authentication

The HSRP configuration should use MD5 authentication so that the default Cisco clear-text authentication string is removed and replaced with an MD5-hashed key string. If an attacker then tries to exploit the vulnerability, the malicious HSRP messages are dropped because authentication fails.

Assign the highest priority and address to the active router

In this case, the IP address and the priority of the active router are set to the highest possible values. If the router you have chosen (R1) has the IP address 192.168.0.254 and a priority of 255, no other router can become active as long as R1 is still operational.

Note

Some people believe that using an ACL to limit incoming HSRP messages to only authorized IP addresses is the ideal solution. This may not be enough to protect against an HSRP attack, as it may be possible to spoof the source IP address with the IP addresses of the allowed routers.
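
The prevention steps above as one Cisco IOS configuration, added here as an example and not taken from the original article. The interface name, group number, virtual gateway address, key-chain name and key string are assumed values; the address 192.168.0.254 and the priority 255 are the ones given above.

```cisco
! --- Weak (default) configuration: no "standby authentication" line means
! --- clear-text authentication with the default string "cisco" and the
! --- default priority of 100, so a forged Hello with a higher priority wins.
interface GigabitEthernet0/0
 ip address 192.168.0.10 255.255.255.0
 standby 1 ip 192.168.0.1
!
! --- Hardened configuration for the router that must stay active (R1).
! Key-chain name and key string are placeholders: choose your own.
key chain HSRP-KEYS
 key 1
  key-string REPLACE-WITH-A-LONG-RANDOM-KEY
!
interface GigabitEthernet0/0
 ! Highest usable address in the subnet, so R1 also wins a priority tie.
 ip address 192.168.0.254 255.255.255.0
 ! Virtual gateway address shared by the HSRP group.
 standby 1 ip 192.168.0.1
 ! Highest possible priority: no other router can outbid R1.
 standby 1 priority 255
 ! Take the active role back as soon as R1 is operational again.
 standby 1 preempt
 ! Replace the default clear-text string with MD5 authentication;
 ! every router in the group must use the same key chain.
 standby 1 authentication md5 key-chain HSRP-KEYS
!
! Check: "show standby" should report "Authentication MD5" and "Priority 255".
```

Apply the same key chain and MD5 line on every other router in the group, with a lower priority, so that Hellos without a valid MD5 digest are dropped by all members, not only by R1.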

Conclusion

It turns out that many network administrators do not use this security feature of the Hot Standby Router Protocol because they believe it poses no threat. From the foregoing it is clear that, by enabling this security feature, the Hot Standby Router Protocol can easily be protected from malicious actors such as hackers without causing operational problems, and it should therefore always be implemented.
