Latest DoS Attacks Used Old Protocol for Amplification

Akamai finds that attackers have revived RIPv1, a decades-old protocol, to amplify their DoS attacks against targets.

network security

Attackers are using a three-decades-old Internet protocol for passing network information between routers to target systems and networks with massive floods of data, network-security firms said in early July.

Created during the 1970s and formalized in 1988, the Routing Information Protocol version 1, or RIPv1, typically allows one router to request network information from another router as a way of quickly learning the structure of the local network. Attackers can abuse routers that have been misconfigured to allow access to the feature from the public Internet to direct the replies to a target's Internet address, resulting in an easy-to-implement denial-of-service (DoS) attack.

Network-security and infrastructure firm Akamai has detected RIPv1 data floods with a peak bandwidth of 12.9 gigabits per second, the company said in an advisory issued July 1. Akamai calculated that attackers using the protocol could amplify their attacks by a factor of 131.

"They will send the query to multiple devices at once, and the devices will all respond back with all the networks that they know of in their routing table," Jose Arteaga, senior security researcher with Akamai, told eWEEK. "We are seeing networks with up to 250 routes responding, so that results in a lot of 504-byte replies."

Amplification attacks, where a single network packet sent to a vulnerable server can result in a much larger volume of data sent to a target, have become a popular form of DoS attack. In 2013 and early 2014, attackers used network-time servers—the computers that establish a common time across the Internet—as a way of amplifying their attack traffic. In the latter half of 2014 and earlier this year, attackers focused instead on the Simple Service Discovery Protocol, or SSDP, which is used by Universal Plug-and-Play devices (UPnP) devices to automatically configure themselves.

Because RIPv1 is based on a fundamental Internet protocol, known as the User Datagram Protocol (UDP), which does not check the source address, attackers merely need to insert the target's Internet address as the source of the request to inundate the victim's network.

Other network security firms have also issued warnings about the RIPv1 attacks. Fortinet, for example, offered advice to its customers on the attacks.

"Many of these old routers expose RIP on the WAN interface unnecessarily and allow RIP access to any IP," the company stated in a July 2 blog post. "When the router receives the request, it responds back to the target machine thinking the request came from there. The source of the original request can be spoofed."

Attackers have previously used the routing information protocol for DoS attacks. Because it can be readily abused, RIPv1 was retired as an Internet standard, but many network devices still support the protocol. A scan of the Internet found almost 54,000 routers responding to RIPv1 requests, according to Akamai.

Because filtering out RIPv1 packets is fairly simple, defenders may easily adapt to the latest attack, said Akamai's Arteaga.

"It could be short-lived," he said. "But there are quite a few vulnerable systems out there, so in the short term, there is the potential that you will see a higher volume of attacks."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...