Akamai Warns of an Uptick in DDoS Reflection Attacks Using Abandoned Routing Protocol
July 2015 by Akamai
Akamai Technologies, Inc. published, through the company’s Prolexic Security Engineering & Research Team (PLXsert), a new cybersecurity threat advisory. The threat is related to the increasing use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks.
What is RIPv1?
RIPv1 is a fast, easy way to dynamically share route information using a small, multi-router network. A typical request is sent by a router running RIP when it is first configured or powered on. From there, any device listening for the requests will respond with a list of routes and updates that are sent as broadcasts.
“This version of the RIP protocol was first introduced in 1988 – more than 25 years ago under RFC1058,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “While the resurgence of RIPv1 after more than a year of dormancy is puzzling, it’s clear that attackers are exploiting their familiarity with this thought to be abandoned DDoS reflection vector. Leveraging the behavior of RIPv1 to launch a DDoS reflection attack is quite simple for an attacker – by using a normal broadcast query, the malicious query can be sent as a unicast request directly to the reflector. The attacker can then spoof the IP address source to match the intended attack target – causing damage to the network.”
Using RIPv1 to launch a DDoS reflection attack
The PLXsert team’s research shows that attackers prefer routers with a large amount of routes in the RIPv1 database. Based on this research, most of the attacks recognized had queries that resulted in multiple 504 byte response payloads sent to a target with a single request. A typical RIPv1 request contains only a 24 byte payload, which proves that the attackers are getting a large amount of unsolicited traffic flooding their intended target with a small request.
The team studied an actual attack against an Akamai customer that took place on May 16, 2015. Research and non-intrusive scanning of the attack revealed that the devices being leveraged for the RIP reflection attack were likely not using enterprise-grade routing hardware. The team warns that RIPv1 is working as designed and malicious actors will continue to exploit this method as an easy way to launch reflection and amplification attacks.
To avoid a DDoS reflection attack using RIPv1, consider one of the following techniques:
• Switch to RIPv2, or later, to enable authentication
• Use an access control list (ACL) to restrict User Datagram Protocol (UDP) source port 520 from the internet
Akamai continues to monitor ongoing campaigns using RIPv1 to launch DDoS reflection attacks. To learn more about the threat, and mitigation techniques, please download a complimentary copy of the threat advisory at www.stateoftheinternet.com.