RIPv1 Routing Protocol Reflection DDoS Attacks
Image credits: Prolexic Security Engineering and Research Team

RIPv1 Protocol

RIPv1, short for Routing Information Protocol version 1, is a long-deprecated routing protocol still used in some home-office and small-business routers. It has been discontinued since 1996.

Old, Yet Has Massive Potential for DDoS Attacks

As observed by researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert), hackers were able to produce a DDoS attack that peaked at 12.9 Gbps using just 500 of the 53,693 devices that still use the RIPv1 protocol. Imagine the power if they leveraged all the vulnerable devices! Further, the unused devices could be put to work in larger and more distributed attacks.

Reflection attacks

The attacker forges the victim’s IP address so that the victim’s systems appear to be the source of requests sent to a massive number of machines. The recipients of those requests then send an overwhelming flood of responses back to the victim’s network, ultimately crashing that network.

List of Vulnerable Devices

It is a good idea to check whether your old router falls into any of these series; if it does, it's time to upgrade. Netopia 2000 and 3000 series routers are still running the vulnerable and ancient RIPv1 protocol. Also, more than 5,000 ZTE ZXV10 and TP-Link TD-8000 series routers collectively are vulnerable. Most of the Netopia routers are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, so it would be wise to check them too.

Remedial Measures

The deprecated RIPv1 protocol is the culprit here, so the obvious first solution is to switch to RIPv2 or a later version. Turn on authentication: this attack leverages devices that don't ask for authentication. Restricting RIP access through an access control list and allowing only known routers through is also suggested.
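
The three measures above expressed as a filter decision, as an added example that is not part of the original article: it parses a UDP payload as RIP (port 520 and the packet layouts are taken from RFC 1058 and RFC 2453), then drops RIPv1, unknown sources and unauthenticated RIPv2 in that order. The allow-list address, the function names and the sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

RIP_PORT = 520                 # RIP runs over UDP port 520 (RFC 1058)
AUTH_AFI = 0xFFFF              # RIPv2 flags an authentication entry with this AFI (RFC 2453)
KNOWN_ROUTERS = {"192.0.2.1"}  # assumption: constructed allow-list of trusted neighbours

def parse_rip(payload):
    """Return (command, version, [(afi, address, metric), ...]) or None if not RIP-shaped."""
    # A RIP datagram is a 4-byte header followed by 1..25 entries of 20 bytes each.
    if not 24 <= len(payload) <= 504 or (len(payload) - 4) % 20:
        return None
    command, version, _ = struct.unpack("!BBH", payload[:4])
    entries = []
    for off in range(4, len(payload), 20):
        afi, _, addr, _, metric = struct.unpack("!HH4s8sI", payload[off:off + 20])
        entries.append((afi, str(ipaddress.ip_address(addr)), metric))
    return command, version, entries

def verdict(src_ip, src_port, payload):
    """Apply the remedies in order: no RIPv1, known routers only, authentication on."""
    rip = parse_rip(payload) if src_port == RIP_PORT else None
    if rip is None:
        return "not-rip"
    command, version, entries = rip
    if version == 1:
        kind = "response" if command == 2 else "request"
        return f"drop: RIPv1 {kind}"
    if src_ip not in KNOWN_ROUTERS:
        return "drop: unknown router"
    # Presence check only; a real router also verifies the authentication data.
    if entries[0][0] != AUTH_AFI:
        return "drop: unauthenticated RIPv2"
    return "allow"

def entry(afi, addr, metric):
    """Build one 20-byte RIP entry (helper for the constructed samples below)."""
    return struct.pack("!HH4s8sI", afi, 0, ipaddress.ip_address(addr).packed, bytes(8), metric)

# Constructed sample datagrams, not captured traffic.
V1_RESPONSE = struct.pack("!BBH", 2, 1, 0) + b"".join(entry(2, f"10.0.{i}.0", 1) for i in range(25))
V2_PLAIN = struct.pack("!BBH", 2, 2, 0) + entry(2, "10.0.0.0", 1)
V2_AUTH = (struct.pack("!BBH", 2, 2, 0) + struct.pack("!HH16s", AUTH_AFI, 2, b"constructed-pass")
           + entry(2, "10.0.0.0", 1))

if __name__ == "__main__":
    for src, pkt in [("203.0.113.7", V1_RESPONSE), ("203.0.113.7", V2_AUTH),
                     ("192.0.2.1", V2_PLAIN), ("192.0.2.1", V2_AUTH)]:
        print(src, len(pkt), verdict(src, RIP_PORT, pkt))
```

A full RIPv1 response carrying 25 routes is 504 bytes, which is why a stream of such datagrams arriving from source port 520 with no matching request is the signature to look for at the network edge.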
