Most CISOs understand the security problems with old network equipment. A new report this week from Akamai Technologies’ security and research engineering team is a reminder of that not only to infosec pros at enterprises but also those at Internet service providers who provide routers to customers.
The report notes that recent distributed denial of service (DDoS) attacks have again started leveraging an outdated routing protocol, RIPv1, which dates back to 1989 and which some older devices still run. It is considered a quick and easy way to dynamically share route information in a small multi-router network, but in May attackers used RIPv1 for DDoS reflection attacks.
Newer devices running RIPv2 or later aren’t susceptible to this attack. But Akamai research suggests there are enough devices using RIPv1 still connected to the Internet to cause damage.
To leverage it, attackers craft a request query for routes and spoof the source IP address to match the intended attack target. The destination is an IP from a list of known RIPv1 routers on the Internet. Based on recent attacks, Akamai research shows that attackers prefer routers that appear to have a suspiciously large number of routes in their RIPv1 routing table. A single such query causes multiple 504-byte payloads to be sent to the target IP; the multiple responses are a consequence of the 25-route maximum a single RIP packet can carry. At the target site, the only traffic visible is the unsolicited responses to RIPv1 queries. All replies come from UDP port 520, the port used by RIP.
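As an added illustration (not code from the Akamai report), the following Python sketches how a monitor at the target could recognise this traffic from the packet structure described above: RIPv1 replies arrive from UDP port 520, carry a four-byte header followed by up to 25 twenty-byte route entries (so a full-table reply is exactly 504 bytes), and answer no request the victim ever sent. The record tuple layout, the `sample_response` helper, the `known_neighbors` allow-list and all addresses are constructed for the example.

```python
import struct
from collections import defaultdict, Counter

RIP_PORT = 520                                  # RIP listens and replies on udp/520
RIP_REQUEST, RIP_RESPONSE = 1, 2                # RIP command field values
RIP_HEADER_LEN, RIP_ENTRY_LEN, RIP_MAX_ROUTES = 4, 20, 25
FULL_RESPONSE_LEN = RIP_HEADER_LEN + RIP_MAX_ROUTES * RIP_ENTRY_LEN  # 4 + 25*20 = 504 bytes

def parse_ripv1(payload):
    """Return (command, route_count) for a well-formed RIPv1 datagram, else None."""
    if len(payload) < RIP_HEADER_LEN:
        return None
    command, version, _zero = struct.unpack("!BBH", payload[:RIP_HEADER_LEN])
    body = payload[RIP_HEADER_LEN:]
    if version != 1 or command not in (RIP_REQUEST, RIP_RESPONSE) or len(body) % RIP_ENTRY_LEN:
        return None
    return command, len(body) // RIP_ENTRY_LEN

def sample_response(n_routes):
    """Constructed RIPv1 response with n_routes dummy entries: AF=2 (IP), 10.0.<i>.0, metric 1."""
    entries = b"".join(struct.pack("!HH4s8xI", 2, 0, bytes([10, 0, i, 0]), 1)
                       for i in range(n_routes))
    return struct.pack("!BBH", RIP_RESPONSE, 1, 0) + entries

def detect_reflection(records, known_neighbors=()):
    """Flag hosts receiving RIPv1 responses from udp/520 that they never asked for.
    records: iterable of (src_ip, src_port, dst_ip, dst_port, payload), as a flow
    sensor at the target would see them. Periodic updates from configured RIP
    neighbors are normal and are skipped via known_neighbors."""
    solicited = set()                  # (requester, router) pairs that sent a request
    hits = defaultdict(Counter)        # target -> reflector -> bytes received
    for src, sport, dst, dport, payload in records:
        parsed = parse_ripv1(payload)
        if parsed is None:
            continue
        command, _n_routes = parsed
        if command == RIP_REQUEST and dport == RIP_PORT:
            solicited.add((src, dst))
        elif command == RIP_RESPONSE and sport == RIP_PORT:
            if src in known_neighbors or (dst, src) in solicited:
                continue               # answered a real query, or a known neighbor's update
            hits[dst][src] += len(payload)
    return {target: dict(by_src) for target, by_src in hits.items()}
```

The per-reflector byte counts are what an operator would feed into an alert threshold; a burst of 504-byte replies from many unrelated sources is the signature the report describes.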
At the height of the attack, against an Akamai customer, the peak bandwidth was 12.8 Gigabits per second, with 3.2 million packets per second being fired at the target.
Akamai suggests the affected routers are SOHO devices including Netopia 3000/2000, ZTE ZX V10 and TP-Link TD-8xxx routers. An Internet scan found some 53,690 devices on the Internet that responded to RIPv1 queries, many of them in the U.S. and provided to or used by AT&T customers. Although many of these devices wouldn’t be suitable as DDoS amplification sources, the report says, they remain vulnerable to reflection and other attacks because of the inherently weak security offered by RIPv1.
Only about 500 devices were identified in the May attack, the report says, but the attack could expand as attackers discover more sources.
Akamai says the vulnerability can be mitigated if organizations switch the Routing Information Protocol to RIPv2 or later and enable authentication on devices. If RIPv1 is required, it adds, assess the need to expose RIP on your WAN interface. If it isn’t needed, the WAN-side interface should be marked as a passive interface (where supported). Access to RIP can also be restricted via an ACL (access control list) to allow only known neighbor routers.