Distributed Denial of Service attack using RIPv1 vulnerability

Number: AL15-007
Date: July 6, 2015


The purpose of this alert is to bring attention to a recent campaign regarding Distributed Denial of Service (DDoS) attacks using a RIPv1 vulnerability.


CCIRC is aware of reflective Distributed Denial of Service (DDoS) attacks being executed using a vulnerability in the RIPv1 routing protocol. The RIPv1 protocol has been deprecated since 1996, but many devices still respond with route information in multiples of 504 bytes, depending on the number of routes defined in the router, which makes RIPv1 a possible protocol for amplification.

Suggested action

CCIRC recommends that owners/operators test and deploy RIPv2 to affected devices. Targets of a RIPv1 reflected DDoS attack could implement, after verifying the impact to their operations, an Access Control List (ACL) to restrict traffic on UDP port 520 from the internet. Victims (those running the vulnerable device) should consider restricting access to the device with an ACL to trusted devices on their networks.
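The following Python sketch is an added example, not part of the CCIRC alert. It shows where the 504-byte figure comes from (per RFC 1058, a RIP message is a 4-byte header plus up to 25 route entries of 20 bytes each) and how a target network could flag RIPv1 responses arriving from UDP port 520 outside a trusted range. The function names, the packet tuples and the addresses are constructed for illustration.

```python
import ipaddress
import struct

RIP_PORT = 520
HEADER_LEN = 4     # command (1 byte), version (1 byte), must-be-zero (2 bytes)
ENTRY_LEN = 20     # one route entry
MAX_ENTRIES = 25   # per datagram: 4 + 25 * 20 = 504 bytes


def parse_rip(payload: bytes):
    """Return (command, version, routes), or None if payload is not well-formed RIP."""
    body = len(payload) - HEADER_LEN
    if body < 0 or body % ENTRY_LEN or body > MAX_ENTRIES * ENTRY_LEN:
        return None
    command, version, _zero = struct.unpack("!BBH", payload[:HEADER_LEN])
    routes = []
    for off in range(HEADER_LEN, len(payload), ENTRY_LEN):
        # The middle fields are zero in RIPv1; RIPv2 reuses them for tag, mask, next hop.
        afi, _, addr, _, _, metric = struct.unpack("!HH4sIII", payload[off:off + ENTRY_LEN])
        routes.append((afi, str(ipaddress.IPv4Address(addr)), metric))
    return command, version, routes


def datagram_sizes(route_count: int):
    """UDP payload sizes a router emits when it answers with route_count routes."""
    full, rest = divmod(route_count, MAX_ENTRIES)
    return [HEADER_LEN + MAX_ENTRIES * ENTRY_LEN] * full + ([HEADER_LEN + rest * ENTRY_LEN] if rest else [])


def flag_reflection(packets, trusted_net: str):
    """Return sorted source IPs that sent RIPv1 responses from outside trusted_net."""
    trusted = ipaddress.ip_network(trusted_net)
    hits = set()
    for src_ip, src_port, payload in packets:
        rip = parse_rip(payload) if src_port == RIP_PORT else None
        if rip and rip[0] == 2 and rip[1] == 1 and ipaddress.ip_address(src_ip) not in trusted:
            hits.add(src_ip)
    return sorted(hits)


def sample_response(version: int, n: int) -> bytes:
    """Constructed sample: a RIP response (command 2) carrying n routes."""
    body = b"".join(struct.pack("!HH4sIII", 2, 0, bytes([10, 0, i, 0]), 0, 0, 1) for i in range(n))
    return struct.pack("!BBH", 2, version, 0) + body


# Constructed capture records: (source IP, source UDP port, UDP payload)
SAMPLE_PACKETS = [("192.0.2.10", 520, sample_response(1, 25)),   # external RIPv1 response
                  ("198.51.100.7", 520, sample_response(2, 25)),  # external RIPv2 response
                  ("10.1.1.1", 520, sample_response(1, 3))]       # internal RIPv1 neighbour
```

Sources returned by `flag_reflection` are candidates for the UDP port 520 ACL on the target side, and the same sources are devices whose operators still need to move off RIPv1.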



Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
