Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/1/2015
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DDoS Attackers Exploiting '80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).

An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months.

Akamai Technologies' Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models.

While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.

The biggest attack spotted so far: around 12 gigabits-per-second. "That was just using a limited number of resources [routers]," says Jose Arteaga, senior security researcher with Akamai PLXsert. "We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more."

Artiago says there's been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.

[New data from an Internet-scanning project shows vulnerable consumer and enterprise systems remain a big problem on the public Net. Read No End In Sight For Exposed Internet Of Things, Other Devices.]

Unlike its successor RIPv2, RIPv1 doesn't have an authentication feature, so routers communicating via RIPv1 aren't vetted and authenticated, leaving them open to abuse. This isn't the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an "innocent" device to a target on the network, Arteaga says.

RIPv1 Not Resting In Peace

The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? "Could be an ISP enabling it for some reason or another, but it shouldn't be" available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors.

The common denominator in most of today's DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example.

"A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request" because it's a connectionless protocol, Akamai's Arteaga says.

It's up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.

Bottom line: DDoS isn't going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. "It has constantly increased in activity," says David Fernandez, manager of the PLXsert team. "DDoS has not gone away."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Blog Voyage
50%
50%
Blog Voyage,
User Rank: Strategist
7/2/2015 | 2:57:17 AM
Remember PayPal ?
DDOS is the worst attack you can make IMO. Just remember Anonymous and PayPal... 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2015 | 12:01:46 PM
Re: Remember PayPal ?
What's most disturbing about DDoS, in my humble opinion, is how it's used as a cover for a more nefarious attack. 
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.