Akamai Identifies Old Protocol in New DrDoS Attacks

An old protocol found in SOHO routers may be responsible for recent DrDoS attacks, says the security team at Akamai.

Akamai, through the company’s Prolexic Security Engineering & Research Team (PLXsert), issued an alert today for an old protocol that could be used in Distributed Reflection Denial of Service (DrDoS) attacks.

Routing Information Protocol v1 (RIPv1) allows routers in small networks to share route information. For example, a router running RIPv1 sends a request over UDP port 520 when it is first powered on, and other devices on the network, listening for this request, send the new router a list of routes. In an attack, the list of routes is sent instead to a designated target. RIPv1 has since been replaced with RIPv2, but many older units still have RIPv1 enabled by default.

“This version of the RIP protocol was first introduced in 1988 – more than 25 years ago under RFC1058,” Stuart Scholly, senior vice president and general manager of Akamai’s Security Business Unit, said in a release. “While the resurgence of RIPv1 after more than a year of dormancy is puzzling, it’s clear that attackers are exploiting their familiarity with this thought-to-be-abandoned DDoS reflection vector.”

Reflection attacks typically take advantage of challenge-response systems, assuming the same protocol is used on both sides. Responses to the request are redirected, or reflected, from the hosts to the target. In this case the attacker crafts a request but spoofs the source IP address to that of the target, so the target is the one that receives the reply.

In attacks seen over the last two months, Akamai said that attackers preferred routers with a large number of routes in their RIPv1 routing tables. This results in multiple 504-byte payloads being sent to a target IP for a single request.

Akamai says that when calculating the amplification factor, including IPv4 headers, the resulting amplification for a single RIPv1 request is 131.24 (over 21,000%). This of course varies with the number of routes in the router’s table. The peak bandwidth seen from these attacks so far is 12.8 Gigabytes per second.
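To make the request/response mechanics and the amplification arithmetic in the two preceding paragraphs concrete, here is an added Python example (not Akamai’s code, and not part of the original alert). It encodes and decodes RIPv1 messages using the RFC 1058 wire format (4-byte header plus 20-byte route entries, at most 25 entries per message, which is where the 504-byte payload comes from), then computes the on-the-wire amplification factor for a table of a given size, counting IPv4 and UDP headers on both sides. The route table it sizes against is constructed; the 131.24 figure quoted above comes from Akamai’s own measurements of particular routers and is not reproduced here, since the factor depends on how many routes each responder holds.

```python
import ipaddress
import struct

RIP_PORT = 520
IPV4_HEADER = 20
UDP_HEADER = 8
RIP_HEADER = 4       # command (1 byte), version (1 byte), 2 zero bytes
RIP_ENTRY = 20       # address family, zero, IPv4 address, zero, zero, metric
MAX_ENTRIES = 25     # RFC 1058: at most 25 route entries per message -> 4 + 25*20 = 504 bytes
AF_INET = 2
CMD_REQUEST, CMD_RESPONSE = 1, 2
INFINITY = 16        # RIP metric meaning "unreachable"


def build_request_all_routes() -> bytes:
    """RFC 1058 request for the whole table: one entry with address family 0 and metric 16."""
    header = struct.pack("!BBH", CMD_REQUEST, 1, 0)
    entry = struct.pack("!HHIIII", 0, 0, 0, 0, 0, INFINITY)
    return header + entry        # 24 bytes of UDP payload


def build_response(routes):
    """Split a (network, metric) table into RIPv1 response messages of at most 25 entries."""
    packets = []
    for i in range(0, len(routes), MAX_ENTRIES):
        chunk = routes[i:i + MAX_ENTRIES]
        body = b"".join(
            struct.pack("!HHIIII", AF_INET, 0, int(ipaddress.IPv4Address(net)), 0, 0, metric)
            for net, metric in chunk
        )
        packets.append(struct.pack("!BBH", CMD_RESPONSE, 1, 0) + body)
    return packets


def parse_message(data: bytes):
    """Decode a RIPv1 message into (command, version, [(family, address, metric), ...])."""
    if len(data) < RIP_HEADER or (len(data) - RIP_HEADER) % RIP_ENTRY != 0:
        raise ValueError("malformed RIPv1 message: length %d" % len(data))
    command, version, _ = struct.unpack("!BBH", data[:RIP_HEADER])
    entries = []
    for off in range(RIP_HEADER, len(data), RIP_ENTRY):
        family, _, addr, _, _, metric = struct.unpack("!HHIIII", data[off:off + RIP_ENTRY])
        entries.append((family, str(ipaddress.IPv4Address(addr)), metric))
    return command, version, entries


def synthetic_table(num_routes: int):
    """Constructed route table (10.0.N.0/24 networks), used only to size the reply."""
    return [(str(ipaddress.IPv4Address(0x0A000000 + (i << 8))), 1) for i in range(num_routes)]


def amplification_factor(num_routes: int, include_headers: bool = True) -> float:
    """Bytes a responder sends back divided by bytes in the single request that triggered them.

    include_headers=True counts the IPv4 and UDP headers on every packet, as the article's
    figure does; False compares UDP payloads only (504 / 24 = 21.0 for a full 25-route reply).
    """
    overhead = IPV4_HEADER + UDP_HEADER if include_headers else 0
    request_wire = len(build_request_all_routes()) + overhead
    response_wire = sum(len(p) + overhead for p in build_response(synthetic_table(num_routes)))
    return response_wire / request_wire


if __name__ == "__main__":
    for n in (5, 25, 60, 200):
        sizes = [len(p) for p in build_response(synthetic_table(n))]
        print(f"{n:>4} routes -> {len(sizes)} reply packet(s) of {sizes} bytes, "
              f"amplification x{amplification_factor(n):.2f} on the wire")
```

The point the numbers make: a responder with 25 routes returns one 504-byte payload for a 24-byte request, and every additional 25 routes adds another full-size packet, so the factor grows roughly linearly with table size. That is why, as the article notes, attackers looked for routers with large tables.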

The routers affected appear not to be enterprise grade but Small Office/Home Office (SOHO) routers. Akamai cautions that the SOHO routers are not to blame; RIPv1 is working as designed. Malicious actors have simply exploited this behavior for amplification and reflection.

Akamai found a total of 53,693 routers on the Internet that responded to RIPv1 requests. Not all are suitable for amplification, but they could still be used for reflection attacks. An attack on one of Akamai’s customers on May 16, 2015, used only 500 unique sources; however, these all returned the larger 504-byte packets, so they may have been specially chosen. Looking across the Internet at the affected routers, Akamai found the top three devices were Netopia-3000/2000, ZTE ZXV10, and TP-LINK TD-8xxx. The Netopia routers are used in the US by AT&T.

However, the May attack used sources mostly out of Europe and Asia, specifically from Russia, China, Germany, Italy and Spain. Hence the warning that untapped resources in the United States could soon be used for amplification and reflection attacks.

Akamai said that most of the sources appear to be outdated hardware used for SOHO networks. The argument is valid: if the router still works, why replace it with a newer unit? ISPs, such as AT&T, are in a position to clean up this problem. For example, the ISP could use an access control list (ACL) to limit UDP port 520 (which RIPv1 uses) access to the Internet, or switch everyone to RIPv2. Another option would be to replace the outdated routers in the home and office.
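As an added example of what the ACL suggested above does at the network boundary, and of how an ISP or network operator could spot its own routers being used as reflectors, here is a small Python model (not Akamai’s code, and not part of the original alert). It works over constructed flow records: the address ranges, flow sizes and the ACL logic are assumptions for illustration. The ACL check drops any UDP/520 flow that crosses between the local customer range and the Internet while leaving router-to-router RIP inside the local range untouched; the detection pass groups outbound source-port-520 replies by external destination, since many local routers answering the same outside address with full-size replies is the footprint of a reflection attack against that address.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RIP_PORT = 520
FULL_RIP_RESPONSE = 504   # 4-byte header + 25 entries * 20 bytes


@dataclass(frozen=True)
class Flow:
    """One flow record: endpoints, protocol, ports, bytes per packet and packet count."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int
    packets: int


def is_local(ip: str, local_nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def acl_blocks(flow: Flow, local_nets) -> bool:
    """Model of the suggested ACL: drop UDP port 520 traffic that crosses the Internet boundary.

    RIP between two routers inside the local range is allowed, so legitimate route
    exchange keeps working; only requests from outside and replies to outside are dropped.
    """
    if flow.proto != "udp" or RIP_PORT not in (flow.sport, flow.dport):
        return False
    return is_local(flow.src, local_nets) != is_local(flow.dst, local_nets)


def find_reflection_victims(flows, local_nets, min_sources: int = 2):
    """Map each external address receiving RIPv1 replies from >= min_sources local routers
    to (number of distinct replying routers, total bytes sent to it)."""
    by_dst = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.sport != RIP_PORT:
            continue
        if not is_local(f.src, local_nets) or is_local(f.dst, local_nets):
            continue
        by_dst[f.dst]["sources"].add(f.src)
        by_dst[f.dst]["bytes"] += f.length * f.packets
    return {
        dst: (len(v["sources"]), v["bytes"])
        for dst, v in by_dst.items()
        if len(v["sources"]) >= min_sources
    }


# Constructed sample: 198.51.100.0/24 stands in for an ISP customer range, 203.0.113.7 for
# an outside address whose IP was spoofed as the source of the requests.
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SAMPLE_FLOWS = [
    # spoofed 24-byte requests arriving at three customer routers
    Flow("203.0.113.7", "198.51.100.10", "udp", 40000, RIP_PORT, 24, 1),
    Flow("203.0.113.7", "198.51.100.11", "udp", 40000, RIP_PORT, 24, 1),
    Flow("203.0.113.7", "198.51.100.12", "udp", 40000, RIP_PORT, 24, 1),
    # full-table replies, three 504-byte packets each, sent to the spoofed address
    Flow("198.51.100.10", "203.0.113.7", "udp", RIP_PORT, 40000, FULL_RIP_RESPONSE, 3),
    Flow("198.51.100.11", "203.0.113.7", "udp", RIP_PORT, 40000, FULL_RIP_RESPONSE, 3),
    Flow("198.51.100.12", "203.0.113.7", "udp", RIP_PORT, 40000, FULL_RIP_RESPONSE, 3),
    # legitimate RIP exchange between two routers inside the customer range
    Flow("198.51.100.10", "198.51.100.11", "udp", RIP_PORT, RIP_PORT, 104, 1),
    # unrelated DNS lookup that the ACL must not touch
    Flow("198.51.100.10", "203.0.113.53", "udp", 50000, 53, 60, 1),
]


def summarize(flows=SAMPLE_FLOWS, local_nets=LOCAL_NETS):
    blocked = [f for f in flows if acl_blocks(f, local_nets)]
    victims = find_reflection_victims(flows, local_nets)
    return len(blocked), victims


if __name__ == "__main__":
    n_blocked, victims = summarize()
    print(f"ACL would drop {n_blocked} of {len(SAMPLE_FLOWS)} sample flows")
    for dst, (sources, total) in victims.items():
        print(f"{dst}: {sources} local routers replied, {total} bytes of RIPv1 responses")
```

With the constructed records the ACL drops the six boundary-crossing UDP/520 flows and nothing else, and the detection pass reports 203.0.113.7 as receiving 4,536 bytes of replies from three routers. On real flow data the same grouping run per time window gives an operator a list of addresses its routers are being pointed at, which is useful both for rate-limiting and for notifying the victim.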