Latest DoS Attacks Used Old Protocol for Amplification
Akamai finds that attackers have revived RIPv1, a decades-old protocol, to amplify their DoS attacks against targets.Attackers are using a three-decades-old Internet protocol for passing network information between routers to target systems and networks with massive floods of data, network-security firms said in early July. Created during the 1970s and formalized in 1988, the Routing Information Protocol version 1, or RIPv1, typically allows one router to request network information from another router as a way of quickly learning the structure of the local network. Attackers can abuse routers that have been misconfigured to allow access to the feature from the public Internet to direct the replies to a target's Internet address, resulting in an easy-to-implement denial-of-service (DoS) attack. Network-security and infrastructure firm Akamai has detected RIPv1 data floods with a peak bandwidth of 12.9 gigabits per second, the company said in an advisory issued July 1. Akamai calculated that attackers using the protocol could amplify their attacks by a factor of 131. "They will send the query to multiple devices at once, and the devices will all respond back with all the networks that they know of in their routing table," Jose Arteaga, senior security researcher with Akamai, told eWEEK. "We are seeing networks with up to 250 routes responding, so that results in a lot of 504-byte replies."
Amplification attacks, where a single network packet sent to a vulnerable server can result in a much larger volume of data sent to a target, have become a popular form of DoS attack. In 2013 and early 2014, attackers used network-time servers—the computers that establish a common time across the Internet—as a way of amplifying their attack traffic. In the latter half of 2014 and earlier this year, attackers focused instead on the Simple Service Discovery Protocol, or SSDP, which is used by Universal Plug-and-Play devices (UPnP) devices to automatically configure themselves.