Akamai Warns of an Uptick in DDoS Reflection Attacks


Akamai Akamai LogoTechnologies, the global leader in content delivery network (CDN) services, has published, through the company’s Prolexic Security Engineering & Research Team (PLXsert), a new cyber security threat advisory. The threat is related to the increasing use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks. The advisory detailing this threat in full is available for download here: http://www.stateoftheinternet.com/ripv1-reflection-ddos

What is RIPv1?

RIPv1 is a fast, easy way to dynamically share route information using a small, multi-router network. A typical request is sent by a router running RIP when it is first configured or powered on. From there, any device listening for the requests will respond with a list of routes and updates that are sent as broadcasts.

“This version of the RIP protocol was first introduced in 1988 – more than 25 years ago under RFC1058,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “While the resurgence of RIPv1 after more than a year of dormancy is puzzling, it’s clear that attackers are exploiting their familiarity with this thought-to-be-abandoned DDoS reflection vector. Leveraging the behaviour of RIPv1 to launch a DDoS reflection attack is quite simple for an attacker – by using a normal broadcast query, the malicious query can be sent as a unicast request directly to the reflector. The attacker can then spoof the IP address source to match the intended attack target – causing damage to the network.”

Using RIPv1 to launch a DDoS reflection attack

The PLXsert team’s research shows that attackers prefer routers with a large amount of routes in the RIPv1 database. Based on this research, most of the attacks recognized had queries that resulted in multiple 504 byte response payloads sent to a target with a single request. A typical RIPv1 request contains only a 24 byte payload, which proves that the attackers are getting a large amount of unsolicited traffic flooding their intended target with a small request. 

The team studied an actual attack against an Akamai customer that took place on May 16, 2015. Research and non-intrusive scanning of the attack revealed that the devices being leveraged for the RIP reflection attack were likely not using enterprise-grade routing hardware. The team warns that RIPv1 is working as designed and malicious actors will continue to exploit this method as an easy way to launch reflection and amplification attacks.

Threat mitigation

To avoid a DDoS reflection attack using RIPv1, consider one of the following techniques:

  • Switch to RIPv2, or later, to enable authentication
  • Use an access control list (ACL) to restrict User Datagram Protocol (UDP) source port 520 from the Internet

Akamai continues to monitor ongoing campaigns using RIPv1 to launch DDoS reflection attacks. To learn more about the threat, and mitigation techniques, please download a complimentary copy of the threat advisory at www.stateoftheinternet.com.

About Akamai

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.


Comments are closed.

Visit Us On TwitterVisit Us On FacebookVisit Us On LinkedinVisit Us On Youtube