Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which involves the use of an outdated routing protocol in RIPv1, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, are apparently making use of only a small number of available RIPv1 source devices.
RIPv1 was first specified in 1988 in RFC 1058, which RFC 1923 later moved to Historic status. The Historic designation means the protocol is formally deprecated and should not be deployed. One main reason is that RIPv1 is classful: a route entry carries no subnet mask, so the receiver has to infer one from the address class or from its own interface. A subnet such as 10.1.2.0/24, which lies inside the class A network 10.0.0.0, is summarized to 10.0.0.0/8 when it is advertised across that network's boundary. This, among other things, limits the usefulness of RIPv1 even on internal networks, let alone the Internet.
Anatomy of an attack
Routing Information Protocol version 1 has been available for many years now. RIPv1 is considered to be a quick and easy way to dynamically share route information in a small multi-router network.
A typical exchange between two routers appears in the packet captures below. A router running RIP sends a request when it is first configured or powered on. Any other device listening for these requests replies with a list of routes. Updates are also sent periodically as broadcasts.
Router initial request for routes (sent as broadcast):
15:53:50.015995 IP 192.168.5.2.520 > 255.255.255.255.520: RIPv1, Request, length: 24
Listening router response for routes (sent as a unicast reply to the requesting IP):
15:53:50.036024 IP 192.168.5.1.520 > 192.168.5.2.520: RIPv1, Response, length: 24
Regular periodic update, sent every 30 seconds by default (broadcast):
15:54:26.448383 IP 192.168.5.1.520 > 255.255.255.255.520: RIPv1, Response, length: 24
To leverage this behavior for DDoS reflection, a malicious actor crafts the same whole-table request shown above, which would normally be broadcast, but sends it as a unicast packet whose source IP is spoofed to the intended target. The destination is taken from a list of RIPv1 routers known to be reachable on the Internet. Based on recent attacks, attackers prefer routers that carry a suspiciously large number of routes in their RIPv1 routing table.
A single 24-byte request makes the router send its entire table back to the spoofed source, which results in multiple 504-byte payloads arriving at the target. The responses come in several packets because a RIP datagram can carry at most 25 route entries (a 4-byte header plus 25 entries of 20 bytes, which is where 504 comes from), so the more routes a reflector holds, the more full-size packets each spoofed request produces.
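The sizes quoted above follow directly from the RFC 1058 wire format. The script below is an added example, not part of the Akamai advisory: it builds the 24-byte whole-table request from the capture, splits a routing table into RIPv1 responses of at most 25 entries, parses them back, and reports the byte amplification a reflector would provide. The `probe` function is a convenience for checking a router you own from outside; the 60-route table it runs against is constructed for illustration, and the packet is never sent unless a host is passed on the command line.

```python
"""RIPv1 (RFC 1058) request/response builder and parser.

Shows why one 24-byte request can pull several 504-byte responses out of a
router that still answers RIPv1 on an Internet-facing interface.
"""
import socket
import struct
import sys

RIP_PORT = 520
RIP_VERSION = 1
CMD_REQUEST, CMD_RESPONSE = 1, 2
AFI_UNSPEC, AFI_INET = 0, 2
METRIC_INFINITY = 16          # "unreachable"; also marks a whole-table request
MAX_ENTRIES = 25              # RFC 1058 caps one datagram at 25 route entries
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")      # AFI, zero, IPv4 address, zero, zero, metric


def build_request() -> bytes:
    """Whole-table request as in the capture: one entry, AFI 0, metric 16.

    4-byte header + one 20-byte entry = 24 bytes, matching 'length: 24'.
    """
    header = HEADER.pack(CMD_REQUEST, RIP_VERSION, 0)
    return header + ENTRY.pack(AFI_UNSPEC, 0, 0, 0, 0, METRIC_INFINITY)


def build_responses(routes):
    """Split (dotted_ip, metric) pairs into Response datagrams of <= 25 entries.

    A full datagram is 4 + 25 * 20 = 504 bytes, the payload size seen in the attacks.
    """
    packets = []
    for i in range(0, len(routes), MAX_ENTRIES):
        chunk = routes[i:i + MAX_ENTRIES]
        body = b"".join(
            ENTRY.pack(AFI_INET, 0, int.from_bytes(socket.inet_aton(ip), "big"), 0, 0, metric)
            for ip, metric in chunk)
        packets.append(HEADER.pack(CMD_RESPONSE, RIP_VERSION, 0) + body)
    return packets


def parse(packet: bytes):
    """Decode a RIPv1 datagram into its header fields and (afi, ip, metric) entries."""
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        raise ValueError("not a well-formed RIP datagram")
    command, version, _ = HEADER.unpack_from(packet)
    entries = []
    for off in range(HEADER.size, len(packet), ENTRY.size):
        afi, _, addr, _, _, metric = ENTRY.unpack_from(packet, off)
        entries.append((afi, socket.inet_ntoa(addr.to_bytes(4, "big")), metric))
    return {"command": command, "version": version, "entries": entries}


def is_whole_table_request(packet: bytes) -> bool:
    """True for the request form an attacker spoofs: Request, one entry, AFI 0, metric 16."""
    p = parse(packet)
    return (p["command"] == CMD_REQUEST and len(p["entries"]) == 1
            and p["entries"][0][0] == AFI_UNSPEC and p["entries"][0][2] == METRIC_INFINITY)


def amplification(routes):
    """Return (request bytes, list of response sizes, bytes-out / bytes-in ratio)."""
    req = build_request()
    resp = build_responses(routes)
    return len(req), [len(p) for p in resp], sum(len(p) for p in resp) / len(req)


def probe(host: str, timeout: float = 3.0):
    """Send one whole-table request to a router you administer and count the replies.

    Run from outside your network against the WAN address to see whether it
    would act as a reflector. Returns (packets received, total payload bytes).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    packets, total = 0, 0
    try:
        sock.sendto(build_request(), (host, RIP_PORT))
        while True:
            data, _ = sock.recvfrom(2048)
            packets += 1
            total += len(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return packets, total


if __name__ == "__main__":
    # Constructed sample table: 60 routes -> packets of 25, 25 and 10 entries.
    table = [(f"10.{i // 256}.{i % 256}.0", 1 + i % 15) for i in range(60)]
    req_len, sizes, factor = amplification(table)
    print(f"request {req_len} bytes -> responses {sizes}, amplification x{factor:.1f}")
    if len(sys.argv) > 1:
        print("probe:", probe(sys.argv[1]))
```

With the constructed 60-route table the script reports a 24-byte request answered by 504 + 504 + 204 bytes, a ratio of 50.5 to 1; every additional 25 routes on the reflector adds another 504-byte packet per spoofed request, which is why attackers favor routers with large tables.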
For operators of RIPv1 routers, i.e. the reflector sources, there are several ways to avoid being used in this attack:
- Switch to RIPv2 or later and enable authentication.
- If RIPv1 is required, assess whether RIP needs to be exposed on the WAN interface at all. If not, mark the WAN-side interface as a passive interface (where supported) so it neither sends updates nor answers requests there.
- Access to RIP can also be restricted with an ACL that allows UDP port 520 only from known neighbor routers.
- For targets of a RIPv1 reflected DDoS, an ACL can drop inbound UDP traffic with source port 520 from the Internet; legitimate RIP traffic should never arrive from outside the network, so the 504-byte responses are a clean signature to filter on.
- If the attack is too large for on-site filtering, it may require a DDoS mitigation provider such as Akamai Technologies.
You can download the full advisory from this page.