Attackers abuse legacy routing protocol to amplify distributed denial-of-service attacks

DDoS attacks can be amplified through SOHO routers that still use the Routing Information Protocol version 1, researchers warn.

Servers could be haunted by a ghost from the 1980s, as hackers have started abusing an obsolete routing protocol to launch distributed denial-of-service attacks.

DDoS attacks observed in May by the research team at Akamai abused home and small business (SOHO) routers that still support Routing Information Protocol version 1 (RIPv1). This protocol is designed to allow routers on small networks to exchange information about routes.

RIPv1 was first introduced in 1988 and was retired as an Internet standard in 1996 due to multiple deficiencies, including lack of authentication. These were addressed in RIP version 2, which is still in use today.

In the DDoS attacks seen by Akamai, which peaked at 12.8 gigabits per second, the attackers used about 500 SOHO routers that are still configured for RIPv1 in order to reflect and amplify their malicious traffic.

DDoS reflection is a technique that can be used to hide the real source of the attack, while amplification allows the attackers to increase the amount of traffic they can generate.

RIP allows a router to ask other routers for information stored in their routing tables. The problem is that the source IP (Internet Protocol) address of such a request can be spoofed, so the responding routers can be tricked to send their information to an IP address chosen by attackers -- like the IP address of an intended victim.

This is a reflection attack because the victim will receive unsolicited traffic from abused routers, not directly from systems controlled by the attackers.

But there's another important aspect to this technique: A typical RIPv1 request is 24-byte in size, but if the responses generated by abused routers are larger than that, attackers can generate more traffic they could otherwise do with the bandwidth at their disposal.

In the attacks observed by Akamai, the abused routers responded with multiple 504-byte payloads -- in some cases 10 -- for every 24-byte query, achieving a 13,000 percent amplification.

Other protocols can also be exploited for DDoS reflection and amplification if servers are not configured correctly, including DNS (Domain Name System), mDNS (multicast DNS), NTP (Network Time Protocol) and SNMP (Simple Network Management Protocol).

The Akamai team scanned the Internet and found 53,693 devices that could be used for DDoS reflection using the RIPv1 protocol. Most of them were home and small business routers.

The researchers were able to determine the device make and model for more than 20,000 of them, because they also had their Web-based management interfaces exposed to the Internet.

Around 19,000 were Netopia 3000 and 2000 series DSL routers distributed by ISPs, primarily from the U.S., to their customers. AT&T had the largest concentration of these devices on its network -- around 10,000 -- followed by BellSouth and MegaPath, each with 4,000.

More than 4,000 of the RIPv1 devices found by Akamai were ZTE ZXV10 ADSL modems and a few hundred were TP-Link TD-8xxx series routers.

While all of these devices can be used for DDoS reflection, not all of them are suitable for amplification. Many respond to RIPv1 queries with a single route, but the researchers identified 24,212 devices that offered at least an 83 percent amplification rate.

To avoid falling victim to RIPv1-based attacks, server owners should use access control lists to restrict Internet traffic on UDP source port 520, the Akamai researchers said in their report. Meanwhile, the owners of RIPv1-enabled devices should switch to RIPv2, restrict the protocol's use to the internal network only or, if neither of those options is viable, use access control lists to restrict RIPv1 traffic only to neighboring routers.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags akamaisecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?