The old Routing Information Protocol version 1 (RIPv1) has been abused by malicious actors for reflection distributed denial-of-service (DDoS) attacks, Akamai has warned.
According to an alert from Akamai Technologies’ Prolexic Security Engineering and Response Team (PLXsert), researchers spotted an operation leveraging weaknesses in the routing protocol on May 16, after nearly one year in which this technique wasn’t used for DDoS attacks.
RIP, one of the oldest distance-vector routing protocols, uses router hop count as its metric. Version 1, introduced in 1988, has some limitations, including the fact that it only supports classful networks and carries no authentication of any kind. Because of these limitations, RIPv2 and RIPng (next generation) have been introduced. However, many routers still run RIPv1, allowing malicious actors to use the outdated protocol to their advantage.
RIP runs over UDP port 520. A router running RIPv1 sends an initial request for the full list of routes when it is powered on, and any neighboring device listening for requests answers with its routing table. After that, routers broadcast their tables as unsolicited updates at regular intervals (every 30 seconds by default). The weakness is that a RIPv1 router answers a request from any source address, with no state and no authentication, so it makes a convenient reflector.
Attackers exploit this by sending crafted requests for the full route table with the source IP address spoofed to that of the targeted system. Because a RIP datagram holds at most 25 route entries (a 4-byte header plus 25 entries of 20 bytes each, or 504 bytes), a router with more than 25 routes answers a single request with several datagrams, most of them the full 504 bytes, all delivered to the spoofed address.
In the attacks observed by PLXsert, the attackers sent the requests to RIPv1 routers that were accessible over the Internet. Experts have pointed out that routers with a large number of routes in their RIPv1 routing table are preferred by cybercriminals.
The amplification factor depends on this number of routes. For a reflector that responds with ten 504-byte payloads and one 164-byte payload (258 routes in total), researchers have determined that the amplification factor for a single RIPv1 request is 131.24 (over 21,000%). Note that the advisory does not spell out what is counted on each side; measured on UDP payload alone, a 24-byte whole-table request that draws 5,204 bytes back is a ratio of roughly 217:1, so published ratios differ depending on whether IP and UDP headers are included.
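To make the sizes concrete, the following added example (written for this page, not Akamai's or PLXsert's code) builds a RIPv1 whole-table request and the response datagrams a reflector would send for a table of 258 routes, parses them back, and computes the payload-only amplification ratio. The route table and the helper names are constructed for the illustration; only the wire format and the 504-byte limit come from RFC 1058.

```python
"""RIPv1 wire format (RFC 1058) and the amplification arithmetic behind the reflection attack.

Added illustration, not Akamai's code. A RIP datagram is a 4-byte header followed by
20-byte route entries, at most 25 of them, so a full datagram is 504 bytes.
"""
import struct
from ipaddress import IPv4Address

RIP_PORT = 520                 # UDP port RIP listens on (RFC 1058)
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_VERSION_1 = 1
AF_INET = 2
INFINITY = 16                  # metric meaning "unreachable" / whole-table request
HEADER_LEN = 4
ENTRY_LEN = 20
MAX_ENTRIES = 25
MAX_DATAGRAM = HEADER_LEN + MAX_ENTRIES * ENTRY_LEN   # 504 bytes


def build_request() -> bytes:
    """Whole-table request: a single entry with address family 0 and metric 16 (24 bytes)."""
    header = struct.pack("!BBH", RIP_REQUEST, RIP_VERSION_1, 0)
    entry = struct.pack("!HHIIII", 0, 0, 0, 0, 0, INFINITY)
    return header + entry


def build_responses(routes):
    """Split a list of (network, metric) pairs into RIPv1 response datagrams, 25 entries each."""
    datagrams = []
    for i in range(0, len(routes), MAX_ENTRIES):
        chunk = routes[i:i + MAX_ENTRIES]
        body = b"".join(
            struct.pack("!HHIIII", AF_INET, 0, int(IPv4Address(net)), 0, 0, metric)
            for net, metric in chunk
        )
        datagrams.append(struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_1, 0) + body)
    return datagrams


def parse_rip(datagram: bytes):
    """Return (command, version, [(afi, network, metric), ...]) or raise on a malformed datagram."""
    if len(datagram) < HEADER_LEN or (len(datagram) - HEADER_LEN) % ENTRY_LEN:
        raise ValueError("malformed RIP datagram")
    cmd, ver, _ = struct.unpack("!BBH", datagram[:HEADER_LEN])
    entries = []
    for off in range(HEADER_LEN, len(datagram), ENTRY_LEN):
        afi, _, addr, _, _, metric = struct.unpack("!HHIIII", datagram[off:off + ENTRY_LEN])
        entries.append((afi, str(IPv4Address(addr)), metric))
    return cmd, ver, entries


def amplification(request: bytes, responses) -> float:
    """Bytes sent back to the spoofed source divided by bytes the attacker sent (UDP payload only)."""
    return sum(len(r) for r in responses) / len(request)


def sample_routes(count: int):
    """Constructed route table: `count` /24 networks under 10.0.0.0/8, all metric 1."""
    return [(f"10.{i // 256}.{i % 256}.0", 1) for i in range(count)]


if __name__ == "__main__":
    req = build_request()
    # 258 routes -> ten full 504-byte datagrams plus one 164-byte datagram (8 entries)
    resp = build_responses(sample_routes(258))
    print("request bytes:", len(req))
    print("response sizes:", [len(r) for r in resp])
    print("payload-only amplification: %.2f" % amplification(req, resp))
    # A reflector with a single route answers with 24 bytes: reflection, but no amplification
    print("single-route amplification: %.2f" % amplification(req, build_responses(sample_routes(1))))
```

The single-route case at the end is why a large share of the 53,000 responders Akamai found are useless for amplification but still usable for reflection: the 24-byte reply is exactly the size of the request.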
In theory, malicious actors could increase the amplification factor through RIPv1 poisoning, by forcing the targeted router to learn extra routes. However, experts say there are several factors that make such attacks ineffective.
Akamai has scanned the Internet and it has identified more than 53,000 devices — mostly located in the United States — that respond to RIPv1 queries. However, the company says many of them are not suitable as amplification DDoS sources because they respond with only one route.
In the May 16 attack observed by researchers, only roughly 500 devices had been used. Most of them sent predominantly 504-byte packets, resulting in a DDoS attack that peaked at 12.8 Gbps and 3.2 Mpps. A large part of this traffic came from Tokyo, Frankfurt, London, Hong Kong, and two locations in the United States.
“As attackers discover more sources, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” Akamai said in its advisory.
According to PLXsert, most of the devices abused in the attack were SOHO routers running custom firmware such as DD-WRT, and NAS devices like the BlueArc Titan. Experts have pointed out that the reflectors identified in the May 16 attack were not enterprise-grade routing hardware.
Of the 53,000 Internet-accessible routers identified by experts, the most common were Netopia devices likely provided by ISPs in the initial boom of ADSL broadband Internet, ZTE ZXV10 routers, and TP-LINK TD-8xxx routers.
While many of the devices detected by experts are not suitable for amplification DDoS attacks, more than 24,000 of them offer at least an 83 percent amplification rate. The devices that don't provide any amplification can still be abused for reflection, spreading the attack traffic across many source addresses so that it cannot be filtered on a single source.
RIPv1 reflection DDoS attacks can be mitigated by switching to RIPv2 or later and enabling authentication (RIPv1 has no authentication at all, so this requires the upgrade). In cases where RIPv1 is required, users can mark the WAN-side interface as passive if the protocol is not needed on that interface, so the router neither sends nor answers RIP traffic there. Finally, Akamai recommends restricting RIP via an access control list (ACL) to known routers, so that UDP port 520 is only reachable from the peers the router is expected to talk to.
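Two checks a network operator can run follow from the attack profile above and from the "known routers" recommendation: spotting a destination that is receiving RIP responses from many distinct reflectors, mostly full 504-byte datagrams, and spotting RIP datagrams from hosts that are not on the list of known routers (the traffic an ACL would be blocking). The example below is added for this page and is not Akamai's tooling; the flow records, thresholds, addresses and function names are all constructed for the illustration.

```python
"""Detection of RIPv1 reflection traffic and of RIP peers outside a known-router list.

Added example for this page, not Akamai's tooling. Flow records are constructed tuples:
(src_ip, src_port, dst_ip, dst_port, udp_payload_bytes).
"""
from collections import defaultdict

RIP_PORT = 520
FULL_DATAGRAM = 504            # 4-byte header + 25 * 20-byte entries


def make_sample_flows():
    """Constructed sample: 30 reflectors answering spoofed requests, plus one legitimate RIP exchange."""
    target = "198.51.100.7"
    flows = []
    for i in range(1, 31):
        reflector = f"203.0.113.{i}"
        # the spoofed request: appears to come from the target, goes to the reflector's UDP/520
        flows.append((target, 40000 + i, reflector, RIP_PORT, 24))
        # the reflector's answer: ten full datagrams and one short one, all aimed at the target
        for _ in range(10):
            flows.append((reflector, RIP_PORT, target, 40000 + i, FULL_DATAGRAM))
        flows.append((reflector, RIP_PORT, target, 40000 + i, 164))
    # a normal exchange between two routers that are supposed to speak RIP to each other
    flows.append(("192.0.2.1", RIP_PORT, "192.0.2.2", RIP_PORT, 24))
    flows.append(("192.0.2.2", RIP_PORT, "192.0.2.1", RIP_PORT, 104))
    return flows


def reflection_targets(flows, min_reflectors=10, full_ratio=0.5):
    """Destinations receiving RIP responses from many distinct sources, mostly 504-byte datagrams.

    Returns {dst_ip: {"reflectors": n, "bytes": total}} for every destination over threshold.
    """
    by_dst = defaultdict(list)
    for src, sport, dst, dport, size in flows:
        if sport == RIP_PORT:              # RIP responses come from the router's port 520
            by_dst[dst].append((src, size))
    hits = {}
    for dst, pkts in by_dst.items():
        reflectors = {src for src, _ in pkts}
        full = sum(1 for _, size in pkts if size == FULL_DATAGRAM)
        if len(reflectors) >= min_reflectors and full / len(pkts) >= full_ratio:
            hits[dst] = {"reflectors": len(reflectors), "bytes": sum(size for _, size in pkts)}
    return hits


def unexpected_rip_sources(flows, known_routers):
    """Hosts sending RIP datagrams (to or from UDP/520) that are not in the known-router set.

    This is the traffic an ACL restricting RIP to known peers would drop.
    """
    return sorted({src for src, sport, dst, dport, _ in flows
                   if RIP_PORT in (sport, dport) and src not in known_routers})


if __name__ == "__main__":
    flows = make_sample_flows()
    for dst, info in reflection_targets(flows).items():
        print(f"reflection target {dst}: {info['reflectors']} reflectors, {info['bytes']} bytes")
    stray = unexpected_rip_sources(flows, known_routers={"192.0.2.1", "192.0.2.2"})
    print(f"{len(stray)} hosts sent RIP traffic outside the known-router list, e.g. {stray[:3]}")
```

The first check is what a DDoS mitigation provider sees from the victim's side; the second is what the owner of a reflector sees, and it is the same condition the recommended ACL enforces, so it doubles as a test that the ACL is in place (after filtering, the only RIP sources left should be the known peers).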