DDoS attack of RIPv1 on old routers

RIPv1 was for the first time provided in "historical" RFC1045 (the original specification is not supported any more). The protocol supports only class routing. Thus, if the network announced on RIPv1 belongs to the class "A" (for example, 10.1.2.0/24), then really sent announcement will look as 10.0.0.0/8. It, among other things, considerably limits application of RIPv1 by internal networks, it is of little use for the Internet.

The main characteristics of the considered attack

• traffic volume: up to 12.8 Gbit
• packets per second: up to 3.2 million
• attack vector: amplification of RIPv1
• outgoing port: UDP: 520
• the entering port: accidental

RIPv1 protocol (Routing Information Protocol, version 1) exists many years and it is considered a fast and easy method of information exchange about routes in small network with several routers.

The router supporting RIP sends a request at initial setup or at power supply inclusion. Any other device accepting such requests will answer with the list of routes. Updates of the table of routes are periodically sent broadcasting (broadcast).

To change behavior of RIPv1 for carrying out DDoS attack, the malefactor can send the same request, having changed outgoing for the IP address of a subject to the attack. Addressees are selected on in advance prepared list of routers with support of RIPv1 which have suspiciously large number of routes in tables.

As a result of a single request a large number of the packets with 504-byte loading sent to the attacked address is generated. To one request several answers because of restriction can go to 25 routes to one RIP packet.

On the below-mentioned listing RIP answers are taken from the real attack. From attacked only replies to the requests of RIPv1 which it, certainly, did not do are visible.

Examples of loading

The typical request of RIPv1 contains 24 bytes. The provided answer contains 504 bytes. This specific router answers with ten answers on 504 bytes and one in 164 bytes.

At calculation of gain amount on the above-stated requests, considering headings Ipv4 [IP(IP (10)UDP10) of UDP(8)], final gain for a single request of RIPv1 makes 131.24 (more than 13,000%). The coefficient will change depending on quantity of routes in the table of the router. During the first attack, the most part of routers responded with multiple 504-byte responses to each request.

Superficial scanning of sources of the attack allows to assume that the victims used for creation of the storm RIP otvetov used primitive routers (class SOHO). RIPv1 implemented on them works according to the specification, malefactors just use its features in the purposes.

RIPv1 "poisoning"

Whether the malefactor can raise in addition gain amount, having forced the router to learn new routes? The idea seems implementable. NO is three pacing factors preventing effective use of such scenario in DDoS attacks.

The first factor - the "splitting of the horizon" used by default on some devices supporting RIPv1. Simply speaking, the router receiving updating of routes will not send it back via the same interface via which it received. It means that the device connected to the Internet will not send to subject to the attack false routes. However, it will update these routes when they become outdated to the 16th metrics.

From here other overwhelming factor follows. Tables of routes are often cleaned, and too old routes will long not remain. With their obsolescence the next updating that the router saved them will be required. For example, in Cisco devices, the routes which arrived with an injection will not seem, should not used yet (a metrics 16) and will remain only 1 minute after are marked not used then will be erased from the table of routes.

Thus, continuous regular updates will be required to support "poisoning" of tables. The need for the repeating injections leads to falling of gain amount as instead of a single 24-byte request it is necessary to send multiple announcements to 504 bytes everyone (depending on number of routes to injections) to support tables of routes in a status necessary to the malefactor.

The third problem is that the answers of RIPv1 coming from the networks which are not connected with the router directly will be ignored. Means, the address of a source of updates should be forged so that to snare, directly connected with the "poisoned" router that updating was at least just accepted.

All this together does attempts of poisoning of tables of routes of RIPv1 unprofitable and unattractive for the malefactor.

In the presence of local access to the device (router), routes can be manipulated within opportunities of the device. Such scenario is possible in case management of a marshturizator is available with credentials by default or in general without user credentials. Such defects in configuring of routers meet more often than it would be desirable.

The considered attack

The attack on May 16, 2015, with peak load of 12.81 Gbit and 3.2 million packets per second. In the table of the loading below broken on geographic location of sources of traffic it is visible that the greatest traffic came from Europe. London and Frankfurt recorded, in the amount, up to 4.75 Gbit.

Results of scanning of RIPv1 on the Internet

According to Akamai, in total 53,693 devices responded to RIPv1 requests on the Internet. Though many of them are unsuitable as DdoS amplifiers, all of them are equally vulnerable for reflection and other attacks, because of low security of the protocol. In general, about 500 unique sources sending 504-byte answers were identified.

The majority of 53,693 possible sources answer with the only route — that it does them by normal "reflectors", without additional gain.

Considering the sizes of answers RIPv1 received on the Internet rather large number of the devices providing at least small gain amount is visible. It was succeeded to identify 24,212 devices providing gain not less than 83%. In the table 5 most widespread lengths of the packets received when testing are included below.

Other interesting find — that the detected implementations of RIPv1 when receiving incorrectly structured request answer with the message which does not contain real information on their routing tables. Though it also levels gain, reducing the attack to simple reflection, such effect can be used for masking of an original source of harmful traffic.

The revealed addresses were sorted for determination of models of devices. From 53,693 devices which responded to a request more than 20,000 also listened to TCP port: 80 (often used by the web interface of the administrator). An attempt to take and write results of requests in search of information leak for models was made (authentication requests, the headings HTTP, model numbers on start pages, etc.). Three most widespread devices (among detected) supporting RIPv1 are given below. Netopia devices probably the old equipment which gained distribution to times of a boom of ADSL.

The following drawing shows distribution by providers (on the basis of answers of whois) the addresses of the detected Netopia devices. Most of them is used by clients AT&T.

The majority of devices geographically are in the USA, as shown in the following drawing. As it was mentioned above, the sources of harmful traffic recorded at the recent attacks generally were in Europe. It means that there is considerable potential (still uninvolved) resource which can be used for the attacks with gain and reflection.

Distribution of sources of traffic by the countries is shown in the following drawing. The fact that each of them in response to a request reports unusually large number of routes integrates them.

The recommended measures of protection

For the victims of such attacks, for example, of sources of the "reflected" traffic, there are several ways of protection against this method.

Transition to RIPv2 or later, using authentication.

If RIPv1 is necessary, to review need for support of RIPv1 on external interfaces. If there it is not necessary, to mark external interfaces as passive for RIPv1 (where such function is supported).

Access to RIP can also be limited through ACL, having permitted access only to the known routers.

Subjects to the attack by the reflected traffic of RIPv1 can use ACL for traffic prohibition from outgoing port UDP: 520 on the Internet. If the attack too powerful, then services of provider of protection against DdoS can be required.

Outputs

The list of possible attack vectors is not small, and it is more difficult to control some other in a type of their universal distribution (for example, DNS, SSDP). As it was already told, RIPv1 have certain opportunities to remain an attractive resource for the organization of DDoS attacks. The majority of sources of this resource - the outdated routers working for years in apartment houses or home offices.

A large number of Netopia devices well illustrates it. Providers will not replace earlier installed equipment if it regularly performs the functions. If there are no problems — why to change something?

Thus, the devices supporting outdated protocols and containing the known vulnerabilities in the software function. On this situation the greatest impact will be had by providers. First of all, it is necessary to close UDP port: 520 from outside Internet. It considerably will reduce sales opportunity of the described DDoS attacks. Other option, more expensive, consists in the organization of upgrade of the client equipment, its replacement by new routers (with correct configurations); it will be especially relevant for devices which any more are not supported by producers.

Adapted translation is prepared by technical specialists of DDoS-Guard .net company