DDoS traffic

Akamai has recently published a new cybersecurity threat advisory through its Prolexic Security Engineering & Research Team (PLXsert). The advisory warns of an increasing use of the outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks.

You may already be familiar with the term of DDoS or Distributed Denial of Service. You may, personally, have encountered inaccessible servers or websites due to this type of attack. In a nutshell, DDoS happens when multiple compromised systems (network of computers called ‘botnet’) are used to flood the bandwidth or resources of a targeted server(s) or system with traffic. Incoming traffic can flood a targeted system from different sources and therefore can be tricky to stop simply by blocking IPs as it is difficult to distinguish legitimate user traffic from malicious traffic.

So what’s RIPv1?

RIPv1 is a fast and easy way to dynamically share route information via a small, multi-router network. A typical request is sent by a router running RIP when it is first configured or powered on. Any device listening for requests will respond with a list of routes and updates that are sent as broadcasts.

DDoS traffic
Source: Akamai

Akamai finds it puzzling that RIPv1 has re-emerged after more than a year of dormancy. The first version of RIP protocol was introduced in 1988, more than 25 years ago under RFC1058. It’s obvious that attackers are exploiting their familiarity with this presumed abandoned DDoS reflection vector. Leveraging the behaviour of RIPv1 to launch a DDoS reflection attack is apparently quite simple for an attacker. The attacker can easily send a normal broadcast query with a malicious query as a unicast request, directly to the reflector. The IP can then be spoofed to match the intended attack target.

READ ALSO  Mozilla Firefox Focus now for Android: Private browsing, ad-blocking
DDoS Digital Map
Sample chart of DDoS attacks in July 2015 published by Digital Attack Map

With a typical payload size of just 24 bytes, attackers can flood a target with just a small request. Therefore, attackers prefer routers with large amount of routes in the RIPv1 database.

The PLXsert team studied an actual attack against an Akamai customer that happened on 16 May 2015. Data showed that devices leveraged for the RIP reflection attack were likely not using enterprise-grade routing hardware. The team warns that RIPv1 is working as designed and malicious parties will continue to exploit this method as it is fast and easy.

To mitigate this threat, Akamai advises a switch to RIPv2 or later, to enable authentication. It is also advisable to use an access control list (ACL) to restrict User Datagram Protocol (UDP) source port 520 from the internet.

Akamai continues to monitor ongoing campaigns using RIPv1 to launch DDoS reflection attacks.

Want to read more about threats and mitigation techniques? Download a free copy of the threat advisory at www.stateofinternet.com.



  • Designer. Writer. Webhead. Tech geek. Twitter-addict. Apple. Animal lover. Steve Jobs groupie. Petrolhead. BMW. Porsche. Alfisti. Chelsea FC.

  • Show Comments (0)

You May Also Like


NVIDIA Opens GPU R&D and Compute-Solution Center in Malaysia with MIMOS

Oct. 19, 2012—NVIDIA recently launched Southeast Asia’s first GPU R&D and Compute-Solution Center in ...


MSC Cyberport City in Iskandar Malaysia to Start Phase 1 Development in Early 2014

At the Asia-Pacific Outsourcing Summit 2013 (APOS), Iskandar, Johor, MSC Cyberport Sdn Bhd announced ...

Maxis ONERetail

Maxis launches ONERetail, complete digital solutions suite for retail industry

It’s 2018. Yet, almost 70 percent of SMEs in Malaysia don’t have an online ...

Security breach

A recipe to avoid becoming the next headline

A security breach can be costly. Here are some best practices to make you ...

Maxis Wins Platinum Award at Reader’s Digest Trusted Brand 2013 Awards

July 5, 2013 – Maxis has once again been recognised as one of the ...

re:Invent 2018: AWS marketplace for Containers and Private Marketplace available today

At its annual re:Invent learning conference, Amazon Web Services announced two key features for ...