Perimeter

7/1/2015
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DDoS Attackers Exploiting '80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).

An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months.

Akamai Technologies' Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models.

While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.

The biggest attack spotted so far: around 12 gigabits-per-second. "That was just using a limited number of resources [routers]," says Jose Arteaga, senior security researcher with Akamai PLXsert. "We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more."

Artiago says there's been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.

[New data from an Internet-scanning project shows vulnerable consumer and enterprise systems remain a big problem on the public Net. Read No End In Sight For Exposed Internet Of Things, Other Devices.]

Unlike its successor RIPv2, RIPv1 doesn't have an authentication feature, so routers communicating via RIPv1 aren't vetted and authenticated, leaving them open to abuse. This isn't the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an "innocent" device to a target on the network, Arteaga says.

RIPv1 Not Resting In Peace

The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? "Could be an ISP enabling it for some reason or another, but it shouldn't be" available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors.

The common denominator in most of today's DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example.

"A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request" because it's a connectionless protocol, Akamai's Arteaga says.

It's up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.

Bottom line: DDoS isn't going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. "It has constantly increased in activity," says David Fernandez, manager of the PLXsert team. "DDoS has not gone away."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2015 | 12:01:46 PM
Re: Remember PayPal ?
What's most disturbing about DDoS, in my humble opinion, is how it's used as a cover for a more nefarious attack. 
Blog Voyage
50%
50%
Blog Voyage,
User Rank: Strategist
7/2/2015 | 2:57:17 AM
Remember PayPal ?
DDOS is the worst attack you can make IMO. Just remember Anonymous and PayPal... 
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
Election Websites, Backend Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10510
PUBLISHED: 2018-08-15
A Directory Traversal Remote Code Execution vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to execute arbitrary code on vulnerable installations.
CVE-2018-10511
PUBLISHED: 2018-08-15
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.
CVE-2018-10512
PUBLISHED: 2018-08-15
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to manipulate a reverse proxy .dll on vulnerable installations, which may lead to a denial of server (DoS).
CVE-2018-8753
PUBLISHED: 2018-08-15
The IKEv1 implementation in Clavister cOS Core before 11.00.11, 11.20.xx before 11.20.06, and 12.00.xx before 12.00.09 allows remote attackers to decrypt RSA-encrypted nonces by leveraging a Bleichenbacher attack.
CVE-2018-9129
PUBLISHED: 2018-08-15
ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections.