DDoS Attackers Exploiting 80s-Era Routing Protocol

  /     /     /  
Publicated : 22/11/2024   Category : security


DDoS Attackers Exploiting 80s-Era Routing Protocol


Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).



An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months.
Akamai Technologies Prolexic Security Engineering & Research Team (PLXsert)
today issued a threat advisory
 warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models.
While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.
The biggest attack spotted so far: around 12 gigabits-per-second. That was just using a limited number of resources [routers], says Jose Arteaga, senior security researcher with Akamai PLXsert. We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more.
Artiago says theres been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.
[New data from an Internet-scanning project shows vulnerable consumer and enterprise systems remain a big problem on the public Net. Read
No End In Sight For Exposed Internet Of Things, Other Devices
.]
Unlike its successor RIPv2, RIPv1 doesnt have an authentication feature, so routers communicating via RIPv1 arent vetted and authenticated, leaving them open to abuse. This isnt the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an innocent device to a target on the network, Arteaga says.
RIPv1 Not Resting In Peace
The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? Could be an ISP enabling it for some reason or another, but it shouldnt be available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors.
The common denominator in most of todays DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP,
according to DDoS security vendor Incapsula
. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example.
A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request because its a connectionless protocol, Akamais Arteaga says.
Its up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.
Bottom line: DDoS isnt going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. It has constantly increased in activity, says David Fernandez, manager of the PLXsert team. DDoS has not gone away.

Last News

▸ Feds probe cyber breaches at JPMorgan, other banks. ◂
Discovered: 23/12/2024
Category: security

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
DDoS Attackers Exploiting 80s-Era Routing Protocol