Perimeter

7/1/2015
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DDoS Attackers Exploiting '80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).

An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months.

Akamai Technologies' Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models.

While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.

The biggest attack spotted so far: around 12 gigabits-per-second. "That was just using a limited number of resources [routers]," says Jose Arteaga, senior security researcher with Akamai PLXsert. "We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more."

Artiago says there's been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.

[New data from an Internet-scanning project shows vulnerable consumer and enterprise systems remain a big problem on the public Net. Read No End In Sight For Exposed Internet Of Things, Other Devices.]

Unlike its successor RIPv2, RIPv1 doesn't have an authentication feature, so routers communicating via RIPv1 aren't vetted and authenticated, leaving them open to abuse. This isn't the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an "innocent" device to a target on the network, Arteaga says.

RIPv1 Not Resting In Peace

The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? "Could be an ISP enabling it for some reason or another, but it shouldn't be" available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors.

The common denominator in most of today's DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example.

"A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request" because it's a connectionless protocol, Akamai's Arteaga says.

It's up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.

Bottom line: DDoS isn't going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. "It has constantly increased in activity," says David Fernandez, manager of the PLXsert team. "DDoS has not gone away."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2015 | 12:01:46 PM
Re: Remember PayPal ?
What's most disturbing about DDoS, in my humble opinion, is how it's used as a cover for a more nefarious attack. 
Blog Voyage
50%
50%
Blog Voyage,
User Rank: Strategist
7/2/2015 | 2:57:17 AM
Remember PayPal ?
DDOS is the worst attack you can make IMO. Just remember Anonymous and PayPal... 
Microsoft Fixes 11 Critical, 39 Important Vulns
Kelly Sheridan, Staff Editor, Dark Reading,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12580
PUBLISHED: 2018-06-19
library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3.x through 3.3.0 for vBulletin 3 and vBulletin 4 allows self-XSS via $session['user_agent'] in the "Login Sessions" feature.
CVE-2018-12578
PUBLISHED: 2018-06-19
There is a heap-based buffer overflow in bmp_compress1_row in appliers.cpp in sam2p 0.49.4 that leads to a denial of service or possibly unspecified other impact.
CVE-2018-1061
PUBLISHED: 2018-06-19
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVE-2018-1073
PUBLISHED: 2018-06-19
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...