A story about an undead protocol and old junk

Throwing away the old junk makes the environment healthier in every possible sense.

Threatpost had a thought-provoking story last week about the sudden “resurrection” of an ancient and long-deprecated network protocol aptly named RIPv1. The whole situation is reminiscent of the medieval legend of revenants and all that vampire/zombie/undead stuff from fiction – something dead that’s suddenly lives again and terrorizes the living. In fact, that RIPv1 protocol had been used to launch a potent DDoS-attack, which the researchers warn may become a much worse problem soon.

RIPv1 is the short name for Routing Information Protocol, which helps small networks share network route information. It’s been around since 1988, but is listed as “deprecated” since 1996, i.e. it is old, vulnerable, and no longer used… mostly.

Unfortunately, there are more than enough devices still responding to RIPv1 queries, and criminals use them to launch their attacks.

According to Akamai, on May 16th an attack had been detected that peaked at 12.9 Gbps. Researchers said that 53,693 devices responded to RIPv1 queries in a scan it conducted. Most of these devices respond with one unique route, making them “regular DDoS reflection sources without additional amplification”.

Only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings; as soon as attackers find more sources, the attack will become stronger, accordingly.

“Reflection attacks happen when an attacker forges its victim’s IP addresses in order to establish the victim’s systems as the source of requests sent to a massive number of machines. The recipients of those requests then issue an overwhelming flood of responses back to the victim’s network, ultimately crashing that network. These types of DDoS attacks differ from amplification attacks where publicly accessible open DNS servers are used to flood victims with DNS responses”, writes Michael Mimoso from Threatpost.

Most of the devices responsible for the May 16 attack are located in Russian Federation, China, Germany, Italy, and Spain. “Most of these sources appear to be from out­dated hardware that has been running in home or small-office networks for years,” Akamai’s advisory reads.

So let’s look at the key points. First, there’s an antique protocol; second there are “droves” of devices still running this protocol, and third, at least some of them aren’t even protected with passwords. Here’s the perfect tool for you, attackers. You are welcome.

Obsolete and dangerous

There’s actually nothing new with the problem of old software and hardware outliving its safety. “Don’t touch it as long as it works” and “Old and proven” are very common paradigms among both individual users and businesses alike. Especially the latter.

Examples at hand: Windows XP was still in very wide use when Microsoft dropped its support last year. And, by that time, XP was 13-years-old. The bugs in XP were being discovered all along the way.

A lot of decades-old technologies are still being used on the Web. And a multitude of long-obsolete devices are working online. We can’t get along without some of those technologies, but totally obsolete and well-replaceable software and equipment are sometimes a border-line cyberthreat on their own.

Forgotten junk

This is especially true with routers and other “setup-and-forget” kinds of equipment. Once they are installed in the network, people tend to ignore them unless something goes wrong, and even then routers aren’t high on the suspect list.

In the particular case of RIPv1, the very use of the device still running this protocol is a gift to hackers and DDoS-mongers. And keeping these routers unprotected without a password is a strong no-no in the security area. The protocol itself is old and vulnerable, a “thing that should not be” around for so long. So why allow it to be abused, damaging other people and businesses?

In an ideal world, businesses would be doing regular cleanups of their cyberinventory replacing things that are really old and reliably insecure, even if they are still working. In reality, it occurs less often than desired.

But then again, throwing away the old junk makes the environment healthier in every possible sense. As well as setting passwords properly.