ripreflection

Explanation

RIP reflection is a distributed denial-of-service (DDoS) technique that abuses the Routing Information Protocol (RIP), which runs over UDP port 520. The attacker sends RIP requests, typically RIPv1 requests for the entire routing table, with the source address spoofed to the victim's address, to routers that answer RIP on a reachable interface. Each router replies to the spoofed address with its routing table, so a small request produces a much larger response (up to 25 routes per datagram), and many such reflectors together flood the victim with unsolicited RIP responses. The ripreflection event is designed to detect this traffic pattern.

What to Look For

If the ripreflection event is triggered, first determine which role the flagged host plays. If it is the victim, it receives a flood of RIP responses on UDP/520 from many routers it never queried; those source addresses belong to the reflectors, not the attacker, so blocking them individually is of limited value, and the practical mitigation is rate-limiting or filtering inbound UDP/520 at the perimeter. If it is the reflector, it is a local RIP speaker answering requests that arrive from addresses outside the network; check whether RIPv1 or unauthenticated RIP is enabled on an Internet-facing interface, disable it or restrict it to trusted interfaces (RIPv2 with authentication), and filter UDP/520 from external sources. In both cases, investigate the endpoints involved to determine whether they are compromised or expose other services that could be abused, and apply vendor updates and patches to affected devices. Ingress filtering of spoofed source addresses (BCP 38) on your own network prevents local hosts from being used to launch this kind of attack against others.
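The following is an added example, not code from the original page or from the product that raises the ripreflection event. It builds the RIPv1 whole-table request and a full-table response described in the Explanation, shows the resulting size ratio, and then runs detection logic over a few constructed flow records to illustrate both sides described under What to Look For: a local router answering an external request (reflector abuse) and a local host receiving responses from several routers it never queried (victim). The flow-record shape (src, dst, sport, dport, payload), the sample addresses and the threshold of three reflectors are assumptions for illustration.

```python
"""Added example: RIPv1 reflection detection over constructed flow records."""
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

RIP_PORT = 520                  # RIP runs over UDP/520
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_ENTRY_LEN = 20              # one route entry in a RIPv1 datagram
RIP_MAX_ENTRIES = 25            # RFC 1058: at most 25 entries per datagram


def build_rip_request_whole_table() -> bytes:
    """RFC 1058 3.4.1: a request with one entry, AFI 0 and metric 16 asks for the entire table."""
    return struct.pack("!BBH", RIP_REQUEST, 1, 0) + struct.pack("!HHIIII", 0, 0, 0, 0, 0, 16)


def build_rip_response(routes) -> bytes:
    """RIPv1 response carrying (network, metric) pairs as AFI 2 (IP) entries."""
    entries = [struct.pack("!HHIIII", 2, 0, int(ip_address(net)), 0, 0, metric)
               for net, metric in routes]
    return struct.pack("!BBH", RIP_RESPONSE, 1, 0) + b"".join(entries[:RIP_MAX_ENTRIES])


def parse_rip(payload: bytes):
    """Return {'command', 'version', 'entries'} or None if the datagram is not well-formed RIP."""
    if len(payload) < 4 or (len(payload) - 4) % RIP_ENTRY_LEN:
        return None
    command, version, _ = struct.unpack("!BBH", payload[:4])
    entries = []
    for off in range(4, len(payload), RIP_ENTRY_LEN):
        afi, _, addr, _, _, metric = struct.unpack("!HHIIII", payload[off:off + RIP_ENTRY_LEN])
        entries.append((afi, str(ip_address(addr)), metric))
    return {"command": command, "version": version, "entries": entries}


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes sent to the victim per byte the attacker had to send."""
    return len(response) / len(request)


def detect_rip_reflection(records, local_nets, min_reflectors=3):
    """Two signals over UDP/520 flow records (hypothetical record shape, see lead-in):
    1. reflector abuse: a non-local source sends a RIP request to a local RIP speaker;
    2. victim: a local host receives RIP responses from >= min_reflectors distinct sources."""
    local = [ip_network(n) for n in local_nets]
    is_local = lambda ip: any(ip_address(ip) in n for n in local)
    alerts, responders, response_bytes = [], defaultdict(set), defaultdict(int)
    for rec in records:
        msg = parse_rip(rec["payload"])
        if msg is None:
            continue
        if (msg["command"] == RIP_REQUEST and rec["dport"] == RIP_PORT
                and is_local(rec["dst"]) and not is_local(rec["src"])):
            alerts.append({"kind": "reflector", "reflector": rec["dst"], "spoofed_src": rec["src"]})
        elif msg["command"] == RIP_RESPONSE and rec["sport"] == RIP_PORT and is_local(rec["dst"]):
            responders[rec["dst"]].add(rec["src"])
            response_bytes[rec["dst"]] += len(rec["payload"])
    for victim, srcs in responders.items():
        if len(srcs) >= min_reflectors:
            alerts.append({"kind": "victim", "victim": victim, "reflectors": len(srcs),
                           "bytes": response_bytes[victim]})
    return alerts


REQ = build_rip_request_whole_table()                                  # 24 bytes
RESP = build_rip_response([(f"10.{i}.0.0", 1) for i in range(RIP_MAX_ENTRIES)])  # 504 bytes

# Constructed flow records (not real traffic). 192.0.2.0/24 plays the role of "our" network.
SAMPLE_RECORDS = [
    # reflector view: a request arrives from outside; its source address is the victim's
    {"src": "198.51.100.20", "sport": 520, "dst": "192.0.2.1", "dport": 520, "payload": REQ},
    {"src": "192.0.2.1", "sport": 520, "dst": "198.51.100.20", "dport": 520, "payload": RESP},
    # victim view: local host 192.0.2.50 receives full-table responses from routers it never queried
    *[{"src": f"203.0.113.{i}", "sport": 520, "dst": "192.0.2.50", "dport": 520, "payload": RESP}
      for i in range(1, 4)],
]


def run_sample():
    return detect_rip_reflection(SAMPLE_RECORDS, ["192.0.2.0/24"])


if __name__ == "__main__":
    print(f"request {len(REQ)} B -> response {len(RESP)} B, x{amplification_factor(REQ, RESP):.0f}")
    for alert in run_sample():
        print(alert)
```

The reflector check keys on the request direction (external source, local RIP speaker as destination), which is the only place the spoofed victim address is visible; the victim check keys on the response direction and counts distinct responders, since a single stray RIP update is normal on a LAN while full-table responses from several unrelated routers are not. On real traffic the same logic would read UDP/520 payloads from packet captures or a sensor's connection log rather than the constructed list above.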

Related MITRE ATT&CK Categories

Endpoint Denial of Service, Technique T1499 - Enterprise
Network Denial of Service: Reflection Amplification, Sub-technique T1498.002 - Enterprise