Archive for August 8th, 2012
We’ve seen a number of very large DDoS attacks recently, the latest one this morning, which we were able to capture in progress.
After analysing the captures it looks like RIPv1 provides a source vector for a massive amplification attack, where a small set of spoofed source address packets result in the RIPv1 processes on the remote hosts sending significantly larger responses to the target (spoofed address).
In our data we’ve seen over 16KB of responses from a single 20 byte packet, so an amplification factor of 820 or more, but that isn’t even the limit.
What appears to be happening is that the attacker is sending RIPv1 requests for a full routing table (UDP port 520), which from reading RFC1058 seems to only require a 20 byte packet, as UDP packets with a spoofed source address to a large number of routers known to be running RIPv1.
With this level of amplification it takes very little bandwidth to saturate even high capacity lines e.g. your average high speed DSL can saturate a 1Gbps line.
ACLs on the border routers blocking UDP packets with source port 520 are one way to limit the effects of this, but the only real fix is for all routers to only accept valid requests, or for the protocol to be updated to include a handshake, which is never going to happen 🙁
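As an added example (not part of the original post or its captures), the script below parses RIPv1 datagrams using only the RFC1058 wire format, flags the one-entry "send me your whole table" request that triggers the amplification, and totals response bytes per spoofed victim address against the request bytes that were sent in its name. The match it uses for responses, UDP traffic from source port 520, is the same condition the border-router ACL above filters on. All packets and addresses in it are constructed sample data; a real router chops a large table into several 504-byte datagrams (RFC1058 allows at most 25 entries per datagram), which is why the sample pairs one request with two responses.

```python
import socket
import struct
from collections import defaultdict

RIP_PORT = 520
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_HEADER_LEN = 4      # command(1) version(1) zero(2)
RIP_ENTRY_LEN = 20      # AF(2) zero(2) address(4) zero(4) zero(4) metric(4)
RIP_INFINITY = 16       # metric "unreachable"; AF 0 + metric 16 = "send the whole table"


def parse_ripv1(payload):
    """Parse a RIPv1 datagram into (command, entries); entries are (af, address, metric).
    Returns None for anything that is not a well-formed RIPv1 request or response."""
    if len(payload) < RIP_HEADER_LEN or (len(payload) - RIP_HEADER_LEN) % RIP_ENTRY_LEN:
        return None
    command, version, _zero = struct.unpack("!BBH", payload[:RIP_HEADER_LEN])
    if version != 1 or command not in (RIP_REQUEST, RIP_RESPONSE):
        return None
    entries = []
    for off in range(RIP_HEADER_LEN, len(payload), RIP_ENTRY_LEN):
        af, _, addr, _, _, metric = struct.unpack("!HH4sIII", payload[off:off + RIP_ENTRY_LEN])
        entries.append((af, socket.inet_ntoa(addr), metric))
    return command, entries


def is_full_table_request(payload):
    """RFC1058 section 3.4.1: a request with exactly one entry, AF 0 and metric 16
    asks the router for its entire routing table. That is the amplifier trigger."""
    parsed = parse_ripv1(payload)
    if parsed is None:
        return False
    command, entries = parsed
    return (command == RIP_REQUEST and len(entries) == 1
            and entries[0][0] == 0 and entries[0][2] == RIP_INFINITY)


def build_response(n_entries):
    """Constructed RIPv1 response carrying n_entries fake 10.x.y.0 routes (sample data only)."""
    body = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    for i in range(n_entries):
        addr = socket.inet_aton(f"10.{i // 256}.{i % 256}.0")
        body += struct.pack("!HH4sIII", 2, 0, addr, 0, 0, 1 + i % 15)
    return body


def amplification_by_victim(datagrams):
    """datagrams: iterable of dicts with src, sport, dst, dport, payload (bytes).
    Pairs full-table requests (whose source is the spoofed victim) with RIP responses
    sent to that address from port 520 and reports bytes in versus bytes out."""
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    for d in datagrams:
        if d["dport"] == RIP_PORT and is_full_table_request(d["payload"]):
            req_bytes[d["src"]] += len(d["payload"])
        elif d["sport"] == RIP_PORT:
            parsed = parse_ripv1(d["payload"])
            if parsed and parsed[0] == RIP_RESPONSE:
                resp_bytes[d["dst"]] += len(d["payload"])
    report = {}
    for victim, in_bytes in req_bytes.items():
        out_bytes = resp_bytes.get(victim, 0)
        report[victim] = {"request_bytes": in_bytes, "response_bytes": out_bytes,
                          "factor": out_bytes / in_bytes}
    return report


# Constructed sample traffic (RFC 5737 documentation addresses): one full-table request
# claiming to come from 192.0.2.10, and the two datagrams a router would return for a
# 32-route table (25 entries in the first, the remaining 7 in the second).
FULL_TABLE_REQUEST = (struct.pack("!BBH", RIP_REQUEST, 1, 0)
                      + struct.pack("!HH4sIII", 0, 0, b"\0\0\0\0", 0, 0, RIP_INFINITY))
SAMPLE = [
    {"src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.1", "dport": RIP_PORT,
     "payload": FULL_TABLE_REQUEST},
    {"src": "198.51.100.1", "sport": RIP_PORT, "dst": "192.0.2.10", "dport": 40000,
     "payload": build_response(25)},
    {"src": "198.51.100.1", "sport": RIP_PORT, "dst": "192.0.2.10", "dport": 40000,
     "payload": build_response(7)},
]

if __name__ == "__main__":
    for victim, r in amplification_by_victim(SAMPLE).items():
        print(f"{victim}: {r['request_bytes']} B in, {r['response_bytes']} B out, "
              f"amplification x{r['factor']:.1f}")
```

Run it as-is to see the per-victim ratio for the constructed sample; to use it on a real capture, feed `amplification_by_victim` the UDP datagrams from the pcap (source, destination, ports and payload) and the same two matches apply. The factor climbs with the size of the router's table, which is what makes it unbounded in the way the post describes.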