{"id":15078,"date":"2015-07-09T18:30:52","date_gmt":"2015-07-09T18:30:52","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4185"},"modified":"2019-11-15T07:03:26","modified_gmt":"2019-11-15T12:03:26","slug":"a-story-about-an-undead-protocol-and-old-junk","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/a-story-about-an-undead-protocol-and-old-junk\/15078\/","title":{"rendered":"A story about an undead protocol and old junk"},"content":{"rendered":"<p>Threatpost <a href=\"https:\/\/threatpost.com\/attackers-revive-deprecated-ripv1-routing-protocol-in-ddos-attacks\/113582\" target=\"_blank\" rel=\"noopener nofollow\">had<\/a> a thought-provoking story last week about the sudden \u201cresurrection\u201d of an ancient and long-deprecated network protocol aptly named RIPv1. The whole situation is reminiscent of the medieval legends of revenants and all that vampire\/zombie\/undead stuff from fiction \u2013 something dead that suddenly lives again and terrorizes the living. In fact, the RIPv1 protocol was used to launch a potent DDoS attack, which the researchers warn may become a much worse problem soon.<\/p>\n<p>RIPv1 is the short name for Routing Information Protocol, which helps small networks share network route information. It\u2019s been around since 1988, but has been listed as \u201cdeprecated\u201d since 1996, i.e. 
it is old, vulnerable, and no longer used\u2026 mostly.<\/p>\n<p>Unfortunately, there are more than enough devices still responding to RIPv1 queries, and criminals use them to launch their attacks.<\/p>\n<p>According to Akamai, an attack that peaked at 12.9 Gbps was detected on May 16th. Its researchers said that 53,693 devices responded to RIPv1 queries in a scan they conducted. Most of these devices respond with one unique route, making them \u201cregular DDoS reflection sources without additional amplification\u201d.<\/p>\n<p>Only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings; as soon as attackers find more sources, the attack will become stronger accordingly.<\/p>\n<p>\u201cReflection attacks happen when an attacker forges its victim\u2019s IP addresses in order to establish the victim\u2019s systems as the source of requests sent to a massive number of machines. The recipients of those requests then issue an overwhelming flood of responses back to the victim\u2019s network, ultimately crashing that network. These types of DDoS attacks differ from amplification attacks where publicly accessible open DNS servers are used to flood victims with DNS responses\u201d, writes Michael Mimoso from Threatpost.<\/p>\n<p>Most of the devices responsible for the May 16 attack are located in the Russian Federation, China, Germany, Italy, and Spain. \u201cMost of these sources appear to be from outdated hardware that has been running in home or small-office networks for years,\u201d Akamai\u2019s advisory reads.<\/p>\n<p>So let\u2019s look at the key points. 
First, there\u2019s an antique protocol; second, there are \u201cdroves\u201d of devices still running this protocol; and third, at least some of them aren\u2019t even protected with passwords. Here\u2019s the perfect tool for you, attackers. You are welcome.<\/p>\n<p><strong>Obsolete and dangerous<\/strong><\/p>\n<p>There\u2019s actually nothing new about the problem of old software and hardware outliving its safety. \u201cDon\u2019t touch it as long as it works\u201d and \u201cOld and proven\u201d are very common paradigms among individual users and businesses alike, especially the latter.<\/p>\n<p>An example at hand: <a href=\"https:\/\/business.kaspersky.com\/windows-xp-the-immortal-operating-system\/1621\" target=\"_blank\" rel=\"noopener nofollow\">Windows XP<\/a> was still in very wide use when Microsoft dropped support for it last year. And, by that time, XP was 13 years old. Bugs in XP were being discovered all along the way.<\/p>\n<p>A lot of decades-old technologies are still being used on the Web. And a multitude of long-obsolete devices are working online. We can\u2019t get along without some of those technologies, but totally obsolete and easily replaceable software and equipment are sometimes a borderline cyberthreat on their own.<\/p>\n<p><strong>Forgotten junk<\/strong><\/p>\n<p>This is especially true with routers and other \u201csetup-and-forget\u201d kinds of equipment. 
Once they are installed in the network, people tend to ignore them unless something goes wrong, and even then routers aren\u2019t high on the suspect list.<\/p>\n<p>In the particular case of RIPv1, the very use of a device still running this protocol is a gift to hackers and DDoS-mongers. And keeping these routers unprotected by a password is a strong no-no in security. The protocol itself is old and vulnerable, a \u201cthing that should not be\u201d around for so long. So why allow it to be abused, damaging other people and businesses?<\/p>\n<p>In an ideal world, businesses would be doing regular cleanups of their cyberinventory, replacing things that are really old and reliably insecure, even if they are still working. In reality, this happens less often than desired.<\/p>\n<p>But then again, throwing away the old junk makes the environment healthier in every possible sense. So does setting passwords properly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Throwing away the old junk makes the environment healthier in every possible 
sense.<\/p>\n","protected":false},"author":209,"featured_media":23606,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1058,1303,2321],"class_list":{"0":"post-15078","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-ddos","10":"tag-networks","11":"tag-protocols"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/a-story-about-an-undead-protocol-and-old-junk\/15078\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/a-story-about-an-undead-protocol-and-old-junk\/15078\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/a-story-about-an-undead-protocol-and-old-junk\/15078\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ddos\/","name":"ddos"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15078"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15078\/revisions"}],"predecessor-version":[{"id":30453,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15078\/revisions\/30453"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23606"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"h
ttps:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}