Network Security

Saboteurs leverage RIPv1 for DDoS reflection attacks


Recent distributed denial-of-service (DDoS) attacks were executed by attackers leveraging an outdated routing protocol in RIPv1, a security firm warned.

Introduced in 1988, Routing Information Protocol version 1 (RIPv1) is known as a “quick and easy way to dynamically share route information in a small multi-router network,” Akamai's Prolexic Security Engineering and Research Team (PLXsert) explained in a Wednesday threat advisory (PDF). But saboteurs were able to “leverage the behavior” of the protocol to carry out DDoS reflection attacks, which Akamai observed against some of its customers on May 16.

At its peak, the DDoS campaign hit a bandwidth high of 12.8 gigabits per second and 3.2 million packets per second, the advisory revealed.

“Based on recent attacks, attackers prefer routers that seem to have a suspiciously large amount of routes in their RIPv1 routing table,” Akamai noted. “This query results in multiple 504-byte payloads sent to a target IP per a single request. The multiple responses are also a result of the 25-route max that can be contained in an RIP packet.”

In a Wednesday interview with, Jose Arteaga, senior security researcher at PLXsert, said that the RIPv1 attack vector was “perfect for [DDoS] reflection in that an attacker can easily spoof the source of a request and have that reflected back to the target.” He added later that the ultimate target of the DDoS attacks were likely websites, though the PLXsert team has not observed a specific industry being hit by the campaigns.

“Pretty common to what we've seen with other reflection methods – it's just something that's so accessible, the attackers will [target] anything,” Arteaga explained.

Through an internet scan, Akamai found that, of the 53,693 devices on the internet responding to RIPv1 queries, “only a handful”  were being leveraged for attack (500 unique sources were identified in attack-traffic samples), the advisory said. The firm also noted the top three router models running RIPv1 – Nepotia-3000/2000 routers, ZTE ZXV10 routers and TP-Link TD-8xxx routers – and found that, during the May 16th attack, most traffic originated from sources in Europe.

Researchers advised users to mitigate attacks by switching to RIPv2 or later, and enabling authentication. And if RIPv1 must be used, restrict its access via Access Control Lists (ACLs) “to only allow known neighbor routers,” the advisory said.

“…There is little reason for RIPv1 to continue as an available resource for DDoS attacks,” the advisory continued. “Most of these sources appear to be from outdated hardware that has been running in home or small-office networks for years.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.