
RIPv1 Reflection Attacks and FortiDDoS

By Hemant Jain | July 02, 2015

The original specification of RIP (Routing Information Protocol), RFC 1058, was published in 1988. The protocol was intended to facilitate route sharing on small networks. Although deprecated since 1996, it is now making news: many older routers used in homes and small offices still run RIPv1. RIPv1 was insecure because routers that used it did not enforce authentication, which is why it was superseded by later protocols.

RIPv1 is UDP-based, which makes it an easy target for spoofing: there is no handshake, so the source address of a request can be forged. An attacker can send a RIPv1 request to a router on the Internet as though it were sent from a target machine. Many of these old routers expose RIP on the WAN interface unnecessarily and allow RIP access from any IP. When the router receives the request, it responds to the target machine, believing the request came from there.

The request payload is only 24 bytes, while the response can be a multiple of 504 bytes, depending on how many routes are defined on the router. This makes RIPv1 a candidate for amplification attacks.

Other vendors suggest switching the routers to RIPv2 and implementing ACLs, but that advice only helps the owners of those routers: a web-facing property may not itself be running RIP at all and can still be the target of reflected traffic from those routers in the wild.

To leverage the behavior of RIPv1 for DDoS reflection, an attacker creates a RIPv1 request as above, which is normally broadcast, and spoofs the source IP address to match the intended attack target. The destination matches an IP from a list of known RIPv1 routers on the Internet. Based on recent attacks, attackers prefer routers that appear to have a suspiciously large number of routes in their RIPv1 routing table.

FortiDDoS appliances allow you to block these attacks behaviorally. The appliances do not expect RIPv1 from the Internet, since trusted routers should no longer be running this old protocol. Thus, any reflection attack is simply blocked at the perimeter, and network services continue without disruption.

The anatomy of a RIPv1-based DDoS attack is shown in the figure below with a FortiDDoS appliance blocking attacks from the affected router(s).

