Perimeter

7/1/2015
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DDoS Attackers Exploiting '80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).

An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months.

Akamai Technologies' Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models.

While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.

The biggest attack spotted so far: around 12 gigabits-per-second. "That was just using a limited number of resources [routers]," says Jose Arteaga, senior security researcher with Akamai PLXsert. "We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more."

Artiago says there's been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.

[New data from an Internet-scanning project shows vulnerable consumer and enterprise systems remain a big problem on the public Net. Read No End In Sight For Exposed Internet Of Things, Other Devices.]

Unlike its successor RIPv2, RIPv1 doesn't have an authentication feature, so routers communicating via RIPv1 aren't vetted and authenticated, leaving them open to abuse. This isn't the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an "innocent" device to a target on the network, Arteaga says.

RIPv1 Not Resting In Peace

The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? "Could be an ISP enabling it for some reason or another, but it shouldn't be" available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors.

The common denominator in most of today's DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example.

"A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request" because it's a connectionless protocol, Akamai's Arteaga says.

It's up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.

Bottom line: DDoS isn't going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. "It has constantly increased in activity," says David Fernandez, manager of the PLXsert team. "DDoS has not gone away."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2015 | 12:01:46 PM
Re: Remember PayPal ?
What's most disturbing about DDoS, in my humble opinion, is how it's used as a cover for a more nefarious attack. 
Blog Voyage
50%
50%
Blog Voyage,
User Rank: Strategist
7/2/2015 | 2:57:17 AM
Remember PayPal ?
DDOS is the worst attack you can make IMO. Just remember Anonymous and PayPal... 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6507
PUBLISHED: 2019-01-22
An issue was discovered in creditease-sec insight through 2018-09-11. login_user_delete in srcpm/app/admin/views.py allows CSRF.
CVE-2019-6508
PUBLISHED: 2019-01-22
An issue was discovered in creditease-sec insight through 2018-09-11. role_perm_delete in srcpm/app/admin/views.py allows CSRF.
CVE-2019-6509
PUBLISHED: 2019-01-22
An issue was discovered in creditease-sec insight through 2018-09-11. depart_delete in srcpm/app/admin/views.py allows CSRF.
CVE-2019-6510
PUBLISHED: 2019-01-22
An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows CSRF.
CVE-2017-6922
PUBLISHED: 2019-01-22
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not pr...