Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks

An advisory from Akamai warns of a recent reflection style DDoS attack in which the deprecated RIPv1 routing protocol was leveraged against targets.

A long-deprecated—and aptly named—routing protocol, RIPv1, still has some life to it.

Hackers, since the middle of May, have been carrying out reflection- and amplification-style distributed denial of service attacks using home office and small business routers still running on the old protocol.

RIPv1, short for Routing Information Protocol, helps small networks share network route information. It’s been around since 1988, but has been deprecated since 1996.

Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.

“Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sourc­es, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.

“Right now, most of the 53,693 possible sources respond with one unique route — making them regu­lar DDoS reflection sources without additional amplification,” Akamai said.

Reflection attacks happen when an attacker forges its victim’s IP addresses in order to establish the victim’s systems as the source of requests sent to a massive number of machines. The recipients of those requests then issue an overwhelming flood of responses back to the victim’s network, ultimately crashing that network. These types of DDoS attacks differ from amplification attacks where publicly accessible open DNS servers are used to flood victims with DNS responses.

Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol on devices. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZET ZXv10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.

Source countries, however, that were responsible for the May 16 attack were largely in the Russian Federation, China, Germany, Italy and Spain, each with a large number of routes returned to each RIPv1 query, Akamai said.

“The sources confirmed to be used in recent attack cam­paigns were mostly based out of Europe,” the advisory says. “This leaves a lot of potentially untapped resourc­es that could fall victim to abuse in amplification and reflection attacks.”

Akamai recommends that reflector sources switch to RIPv2 or a later version and turn on authentication, otherwise assess whether to expose RIP on the WAN interface. It also suggests restricting RIP access through an access control list and allowing only known routers.

“The list of available reflection vectors is by no means small, and some vectors have proven more difficult to keep under control than others due to their perva­sive nature (i.e. DNS, SSDP),” the advisory says. “That being said, there is little reason for RIPv1 to continue as an available resource for DDoS attacks. Most of these sources appear to be from out­dated hardware that has been running in home or small-office networks for years.”

Suggested articles