Old-school router attack wreaking havoc to networks

In further proof that the old ones truly are the best ones, attackers are using routers running RIPv1 software from the 1980s to launch reflection and amplification DDoS attacks.

According to Prolexic, part of Akamai, RIPv1 is a fast, easy way to dynamically share route information using a small, multi-router network. A typical request is sent by a router running RIP when it is first configured or powered on. From there, any device listening for the requests will respond with a list of routes and updates that are sent as broadcasts.

"This version of the RIP protocol was first introduced in 1988 – more than 25 years ago under RFC1058," said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai.

To mount a DDoS attack against a target, the attacker sends a query to a RIPv1 router but spoofs the originating IP address in the request. The router then sends a response, converting a small query request into a large response packet which is directed at the target server. Research indicates that attackers tend to favour routers which have a large amount of routes in their database – thus a 24 byte request can be converted into a 504 byte response payload, which is why this method is called a “reflection and amplification DDoS attack”.

In an actual attack against an Akamai customer in May, the researchers found that the attackers were most likely using enterprise-grade routers hardware. This attack method works because RIPv1 does what it was designed to do and therefore it is likely to continue to be exploited.

Recommended counter-measures are to either upgrade to RIPv2 or later to enable authentication or use an access control list to restrict UDP source port 520 from the internet.