Port 520 (UDP) – RIP (Routing Information Protocol)

What runs on port 520?

Port 520 (UDP) carries RIP, the Routing Information Protocol, a classic distance-vector routing protocol. Routers use it to advertise and learn routes by periodically exchanging their routing tables. RIPv1 offers no security at all; RIPv2 adds optional authentication but is frequently deployed without it. RIP is largely superseded by OSPF but still appears in small or legacy networks.

Why it matters for security

RIP's weakness is trust without verification. Because RIPv1 has no authentication and RIPv2 auth is often disabled, a router will believe routing updates from any host on the segment. An attacker who can inject updates rewrites where traffic flows — redirecting it through their machine for interception, dropping it (blackhole), or destabilizing the network. The blast radius is the entire routed path.

How it's attacked

An attacker on a connected segment forges RIP updates on UDP 520 advertising attractive (low-metric) routes. Routers accept the poisoned entries and update their tables, enabling man-in-the-middle interception, traffic blackholing, or denial of service by flooding bogus or excessive routes. With RIPv1 there is nothing to stop this; with unauthenticated RIPv2 it is just as easy.

Hardening checklist

Wherever possible, replace RIP with OSPF or static routes. If RIP is required, use RIPv2 with MD5/cryptographic authentication, configure passive interfaces so updates are not accepted on user-facing segments, and apply route filters and ACLs to limit which routes and neighbors are trusted. Filter inbound UDP 520 at network edges. The nmap snippet above queries RIP on devices you are authorized to test.