Routing Information Protocol (RIP), an obsolete network routing protocol dating from the late '80s, is being employed to launch DDoS reflection attacks against various parties, according to a report released by Akamai Technologies' Prolexic Security Engineering & Research Team (PLXsert).
The attack leverages version 1 of RIP, still found in many home and small-office routers. One such attack, carried out on May 16, created over 12.8Gbps of traffic -- and that made use of "only a small number of available RIPv1 source devices," according to Akamai.
RIP was designed to share route information between the routers of a small network. When a RIP router comes up, it sends a request on UDP port 520 asking for the full routing table, and any RIP speaker that hears the request answers with its table. RIPv1 doesn't authenticate that request and UDP doesn't verify where a datagram came from, so an attacker who forges the source address of the request to be the victim's can make any number of exposed routers bombard the victim with routing-table responses it never asked for.
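To make the arithmetic behind that concrete, here is an added example (written for this article, not code from Akamai's report) that builds the 24-byte RIPv1 whole-table request, splits a constructed routing table into response datagrams the way RFC 1058 requires (at most 25 routes per datagram, so 504 bytes each), parses them back, and computes how many bytes a reflector emits per byte the attacker sent. Everything is done in memory; the 60-route table is constructed for the demonstration, and the forged source address lives in the IP header, outside what this code builds.

```python
"""RIPv1 (RFC 1058) datagrams built and parsed in memory to show the
reflection/amplification arithmetic.  Added example written for this
article; it is not Akamai's code and sends nothing on the network."""
import ipaddress
import struct

RIP_PORT = 520                      # UDP port RIP listens and answers on
CMD_REQUEST, CMD_RESPONSE = 1, 2
AFI_INET = 2                        # address family identifier: IP
INFINITY = 16                       # RIP's "unreachable" metric
MAX_ENTRIES = 25                    # RFC 1058: at most 25 routes per datagram
HEADER = struct.Struct("!BBH")      # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")    # AFI, zero, address, zero, zero, metric


def build_request() -> bytes:
    """The 24-byte 'send me your whole table' request: a single entry with
    AFI 0 and metric 16.  On the wire the attacker puts the victim's address
    in the IP source field; that header is outside what this builds."""
    return HEADER.pack(CMD_REQUEST, 1, 0) + ENTRY.pack(0, 0, 0, 0, 0, INFINITY)


def is_full_table_request(pkt: bytes) -> bool:
    """Recognise the request that triggers a full-table reply."""
    command, _, entries = parse(pkt)
    return (command == CMD_REQUEST and len(entries) == 1
            and entries[0][0] == 0 and entries[0][2] == INFINITY)


def build_responses(routes):
    """Split (network, metric) pairs into response datagrams of <= 25 entries,
    which is why a large table turns one request into several 504-byte replies."""
    datagrams = []
    for start in range(0, len(routes), MAX_ENTRIES):
        chunk = routes[start:start + MAX_ENTRIES]
        body = b"".join(
            ENTRY.pack(AFI_INET, 0, int(ipaddress.IPv4Address(net)), 0, 0, metric)
            for net, metric in chunk)
        datagrams.append(HEADER.pack(CMD_RESPONSE, 1, 0) + body)
    return datagrams


def parse(pkt: bytes):
    """Return (command, version, [(afi, address, metric), ...]); reject
    datagrams whose length is not a header plus whole 20-byte entries."""
    if len(pkt) < HEADER.size or (len(pkt) - HEADER.size) % ENTRY.size:
        raise ValueError("malformed RIP datagram")
    command, version, _ = HEADER.unpack_from(pkt)
    entries = []
    for off in range(HEADER.size, len(pkt), ENTRY.size):
        afi, _, addr, _, _, metric = ENTRY.unpack_from(pkt, off)
        entries.append((afi, str(ipaddress.IPv4Address(addr)), metric))
    return command, version, entries


def amplification(request: bytes, responses) -> float:
    """Bytes the reflector emits per byte the attacker had to send."""
    return sum(len(r) for r in responses) / len(request)


# Constructed routing table (60 routes), not from any real device.
SAMPLE_TABLE = [(f"10.{i}.0.0", 1 + i % 15) for i in range(60)]

if __name__ == "__main__":
    req = build_request()
    replies = build_responses(SAMPLE_TABLE)
    print(len(req), [len(r) for r in replies], amplification(req, replies))
```

With the 60-route sample table the single 24-byte request yields three datagrams (two full ones of 504 bytes and a 204-byte tail), so the router returns about fifty times what it received; the real advisory's point that a few routers with big tables were the most useful ones follows directly from the 25-entry cap.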
Akamai claims that 53,693 devices on the Internet responded to RIPv1, although only a small number of them were actually leveraged for the attack. This was mainly because those few routers responded with large routing tables, making it easier to craft a sizable attack with them -- but Akamai did note that "as attackers discover more sources, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far."
Akamai claims many of the routers leveraged for the attack were "running custom SOHO router firmware," such as DD-WRT. One of the professed advantages of running custom open-source firmware is being able to keep a device updated after its manufacturer has officially stopped supporting it, but clearly the mere presence of open firmware doesn't do the trick alone: a router that still answers RIPv1 requests from the Internet is a usable reflector no matter who wrote its firmware.
Legacy protocols have long been identified as a hazard to the health and safety of the Internet, but replacing them -- even a lesser-used protocol like RIP -- isn't trivial work. RIP is one of the few such protocols that does have a replacement, even if only in the form of a newer version of the protocol: RIPv2 adds authentication of routing messages and sends its updates by multicast rather than broadcast, though it still speaks on UDP port 520, so it only closes the door if authentication is actually configured.
But upgrading the protocol (or router firmware) isn't what Akamai recommends to mitigate this attack. Instead, since "the ISPs would likely have the biggest impact on cleanup efforts," Akamai suggests that ISPs simply block UDP port 520 at their borders so that RIP traffic never crosses the open Internet. RIP was only ever meant to run inside a network, so the move would have little negative impact on most end users and would benefit everyone; nothing stops a site from applying the same filter at its own border, or disabling RIP on interfaces that face the Internet.
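As a check on that recommendation, here is an added example (not Akamai's tooling) that applies the "UDP 520 must not cross the edge" rule to flow records: it decides per flow whether the rule would drop it, lists the inbound requests, shows which of our hosts answered RIPv1 to the Internet and to whom, and computes the bytes-out-per-byte-in ratio per victim address. OUR_PREFIXES, the addresses and the flow records are all constructed for the demonstration; a real deployment would read flows from its collector and set OUR_PREFIXES to its own ranges.

```python
"""Find RIPv1 traffic crossing the Internet edge in flow records and report
which local devices are acting as reflectors.  Added example for this
article, not Akamai's code; all addresses and flows below are constructed."""
import ipaddress
from collections import defaultdict

RIP_PORT = 520

# The address space on "our" side of the edge (an ISP would list its customer
# prefixes here).  192.0.2.0/24 is TEST-NET-1, used as a stand-in.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records, not captured traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 520, "udp", 24),   # request "from" the victim
    ("192.0.2.10", 520, "198.51.100.7", 40000, "udp", 504),  # reflected full-table replies
    ("192.0.2.10", 520, "198.51.100.7", 40000, "udp", 504),
    ("192.0.2.10", 520, "198.51.100.7", 40000, "udp", 204),
    ("203.0.113.9", 51000, "192.0.2.11", 520, "udp", 24),    # a second probe, other target
    ("192.0.2.11", 520, "203.0.113.9", 51000, "udp", 504),
    ("192.0.2.11", 520, "192.0.2.1", 520, "udp", 124),       # RIP between our own routers: fine
    ("192.0.2.10", 44444, "198.51.100.53", 53, "udp", 60),   # unrelated DNS, not RIP
]


def is_ours(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def crosses_edge(flow) -> bool:
    src, _, dst, _, _, _ = flow
    return is_ours(src) != is_ours(dst)


def should_drop(flow) -> bool:
    """The ISP recommendation as a predicate: UDP/520 must not cross the edge.
    RIP between two of our own routers never matches."""
    _, sport, _, dport, proto, _ = flow
    return proto == "udp" and RIP_PORT in (sport, dport) and crosses_edge(flow)


def report(flows):
    """Summarise the flows the rule would drop: inbound requests, which local
    hosts answered to the Internet, and the out/in byte ratio per victim."""
    requests_in = []
    responders = defaultdict(lambda: {"bytes": 0, "targets": set()})
    bytes_in = defaultdict(int)    # keyed (responder, remote address)
    bytes_out = defaultdict(int)
    for flow in flows:
        if not should_drop(flow):
            continue
        src, sport, dst, dport, _, nbytes = flow
        if dport == RIP_PORT and is_ours(dst):          # request arriving from outside
            requests_in.append(flow)
            bytes_in[(dst, src)] += nbytes
        elif sport == RIP_PORT and is_ours(src):        # our router answering outward
            responders[src]["bytes"] += nbytes
            responders[src]["targets"].add(dst)
            bytes_out[(src, dst)] += nbytes
    # Ratio only where we saw both the trigger and the replies for a pair.
    ratios = {pair: bytes_out[pair] / bytes_in[pair]
              for pair in bytes_out if bytes_in.get(pair)}
    return {"requests_in": requests_in, "responders": dict(responders), "ratios": ratios}


if __name__ == "__main__":
    summary = report(FLOWS)
    for host, info in summary["responders"].items():
        print(host, info["bytes"], "bytes to", sorted(info["targets"]))
    print(summary["ratios"])
```

The predicate is deliberately symmetric: it drops the forged inbound request as well as the outbound replies, so it works whichever side of the edge the filter sits on, while leaving RIP that stays inside our prefixes alone.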