Attackers won’t let RIPv1 rest in peace.
Attackers continue to search for obsolete protocols that are no longer used but still running on networked computer systems in order to abuse them as denial of service amplifiers.
Content delivery network firm Akamai’s PLXsert security team discovered that the routing information protocol version 1, introduced in 1988, was used in a denial of service attack against its customers in May this year.
RIPv1 was designed for small networks in the early internet era. It broadcasts lists of routes and updates to devices listening for RIPv1 information.
A small, 24-byte RIPv1 request with a forged source IP address can result in multiple, 504-byte response payloads, creating a large amount of unsolicited traffic directed towards victims’ networks and flooding them.
Attackers were in particular looking for routers that contain large amounts of routes in the RIPv1 database, so as to maximise the traffic volumes and damage done to target networks.
Internet luminaries disagree however as to how much of a threat RIPv1 represents.
APNIC chief scientist Geoff Huston told iTnews RIPv1 is late 80s technology that routes the now abandoned Class A/B/C network address structure.
“I find it hard to think that RIPv1 is connected to the global internet and that there are enough of them out there to constitute a real threat,” Huston said.
Finding even one site in 2015 that is running RIPv1 is “like discovering a Ford Model T on the streets still in working order,” Huston said.
Director of architecture for internet performance company Dyn, Joe Abley, pointed out that the problem is not that operators use RIPv1 for routing, it’s that administrators leave RPv1 turned on.
The protocol has been unsuitable for the past two decades because it doesn’t work with classless inter-domain routing.
“Just because you no longer have any use for a protocol doesn’t mean you always remember to turn it off,” he told iTnews.
“What is happening is that ancient systems that have been hidden in dark corners for decades are suddenly jumping out into the sunlight and running amok because someone realised they could provoke them into bad behaviour, from a distance.”
He said there are end-systems connected to the internet that support the ancient routing protocol and which have it turned on by default. Old Sun Microsystems Solaris servers are examples of such systems that are now being abused as packet amplifiers in denial of service attacks.
RIPv1 does not use authentication, leaving it wide open to anyone on the internet to connect to.
The attack is not fundamentally different from reflection attacks using the domain name system, chargen, simple network management protocol, or any one of a variety of user datagram-based protocols, Abley said.
“This attack is not new and special really, although the fact that it uses RIP certainly brings a roguish twinkle to this aged network administrator’s eye,” he said.
It can however cause large traffic floods.
“Akamai’s Prolexic team have seen attacks that delivered over 10 gigabit per second of traffic towards a single victim,” Abley said.
“I wouldn’t categorise that as ‘not really a problem’, especially if I was the one on the receiving end.”
Abley said as with most amplification attacks, “poking the bear from a great distance relies upon being able to fake the source address of the stick.”
There would be fewer opportunities for this happen if network operators followed the advice in Internet Engineering Task Force best current practice documents such as BCP38, which details network ingress filtering and similar texts to protect their networks.