Zombie Routers That Just Refuse To Die

Scans of the internet reveal that over fifty-three thousand IPs respond from dilapidated devices operating the ancient RIPv1 protocol. This deprecated protocol was implemented before much care was given to the proliferation of spoofed UDP attacks. It hails from a time before classless internet address routing, and long before the surging threat of DDoS that we know today.

If you operate a network, we strongly advise that you drop traffic on port 520. There is no feasible use for RIPv1 in today’s public internet, except for abuse.
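
To see which of your own devices still answer RIPv1 before the port is filtered, a capture of traffic from UDP port 520 can be classified by protocol version. This is an added example, not code from the original post: the field layout follows RFC 1058, and the function names, the `(source IP, source port, payload)` tuple format and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

RIP_PORT = 520                        # UDP port the post advises dropping
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, tag, address, mask, next hop, metric

def parse_rip(payload):
    """Return a dict describing a RIP datagram (RFC 1058 layout), else None."""
    body = len(payload) - 4
    if body < ENTRY.size or body % ENTRY.size or body > 25 * ENTRY.size:
        return None                   # 4-byte header + 1..25 twenty-byte entries
    command, version, zero = struct.unpack_from("!BBH", payload)
    if command not in (1, 2) or version not in (1, 2):
        return None
    routes = []
    for off in range(4, len(payload), ENTRY.size):
        afi, tag, addr, mask, nhop, metric = ENTRY.unpack_from(payload, off)
        # RIPv1 predates classless routing: the tag, mask and next-hop
        # slots carry nothing and must be zero.
        if version == 1 and (zero or tag or any(mask) or any(nhop)):
            return None
        routes.append((socket.inet_ntoa(addr), metric))
    return {"version": version, "response": command == 2, "routes": routes}

def ripv1_responders(packets):
    """Map source IP -> total bytes of RIPv1 responses sent from UDP/520."""
    seen = defaultdict(int)
    for src_ip, src_port, payload in packets:
        msg = parse_rip(payload) if src_port == RIP_PORT else None
        if msg and msg["version"] == 1 and msg["response"]:
            seen[src_ip] += len(payload)
    return dict(seen)

def _rip(version, routes, mask=b"\0" * 4):
    """Build a constructed RIP response for the sample data below."""
    out = struct.pack("!BBH", 2, version, 0)
    for addr, metric in routes:
        out += ENTRY.pack(2, 0, socket.inet_aton(addr), mask, b"\0" * 4, metric)
    return out

# Constructed sample capture (documentation addresses), not real traffic.
SAMPLE = [
    ("192.0.2.10", 520, _rip(1, [("10.0.0.0", 1), ("172.16.0.0", 2)])),
    ("192.0.2.10", 520, _rip(1, [("192.168.1.0", 1)])),
    ("192.0.2.20", 520, _rip(2, [("10.1.0.0", 1)], mask=bytes([255, 255, 0, 0]))),
    ("192.0.2.30", 53, b"\x12\x34\x81\x80" + b"\0" * 20),
]

if __name__ == "__main__":
    for ip, size in ripv1_responders(SAMPLE).items():
        print(f"{ip} answered RIPv1, {size} bytes")
```

Any address this reports inside your own ranges is a device worth locating and either reconfiguring or filtering.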

The vast majority of these devices are SOHO routers, running firmware that is unlikely to ever be updated. In the past, we have seen servers operating vulnerable versions of services such as NTP and DNS. However, many of these servers have the benefit of a system administrator, and they are eventually patched. Conversely, SOHO routers are commonly forgotten, left to run in a dark closet.

Out of sight, out of mind.

