Researchers at the CISPA Helmholtz Center for Information Security in Germany have released details of a new denial-of-service (DoS) attack vector affecting several widely used User Datagram Protocol (UDP)-based application protocols and hundreds of thousands of internet-facing systems.
Experts demonstrated a looping DoS attack, where an attacker uses IP spoofing to make two servers communicate indefinitely over a protocol they both use.
“The newly discovered DoS loop attack is self-perpetuating and targets application layer messages. It pairs two network services so that they continue responding to each other’s messages indefinitely. In doing so, they create large volumes of traffic that result in a denial of service for the systems or networks involved”, explain the researchers.
According to them, once a trigger is injected and the loop is set in motion, even the attackers are unable to stop the attack. “Previously known loop attacks occurred at the routing layer of a single network and were limited to a finite number of loop iterations,” they added.
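The mechanism described above can be modelled without any network traffic. The following is an added illustration, not code from the CISPA researchers: two UDP services are represented as reply functions, the single forged datagram that starts the loop is the only thing the attacker contributes, and the round cap stands in for an observer giving up, since nothing the attacker does afterwards can end the exchange. The service behaviours (answering every input with an error message, and the two loop-breaking rules in the hardened variants) are assumptions chosen for the model, not a description of any particular product.

```python
"""Model of an application-layer loop between two UDP services.

Added example (not the researchers' code). A service replies to an unknown
message with an error message; if the peer treats that error as another
unknown message, the two services answer each other forever. Only the
services' own behaviour decides whether the loop ends.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Well-known UDP ports of the protocols named in the article.
LOOP_PRONE_PORTS = {7, 17, 19, 53, 69, 123}   # echo, qotd, chargen, dns, tftp, ntp


@dataclass(frozen=True)
class Datagram:
    src: str        # "ip:port" the datagram claims to come from (spoofable)
    dst: str        # "ip:port" it is delivered to
    payload: bytes


Service = Callable[[Datagram], Optional[Datagram]]


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def make_service(answer_errors: bool, drop_service_source_ports: bool) -> Service:
    """Build a toy service. Every input is 'unknown' and gets an error reply,
    unless one of the assumed loop-breaking rules suppresses the reply:
      answer_errors=False           never reply to a message that is itself an error
      drop_service_source_ports=True  never reply when the claimed source port is a
                                    well-known service port (clients use ephemeral ports;
                                    note that some resolvers legitimately send from 53)
    """
    def service(dg: Datagram) -> Optional[Datagram]:
        if not answer_errors and dg.payload.startswith(b"ERR"):
            return None
        if drop_service_source_ports and port_of(dg.src) in LOOP_PRONE_PORTS:
            return None
        return Datagram(src=dg.dst, dst=dg.src, payload=b"ERR unknown message")
    return service


VULNERABLE = make_service(answer_errors=True, drop_service_source_ports=False)
NO_ERROR_REPLIES = make_service(answer_errors=False, drop_service_source_ports=False)
PORT_FILTERED = make_service(answer_errors=True, drop_service_source_ports=True)


def run_loop(endpoints: Dict[str, Service], trigger: Datagram,
             max_rounds: int = 1000) -> Tuple[int, bool]:
    """Deliver datagrams between the endpoints until one side stays silent.
    Returns (replies generated, ended_on_its_own). After the trigger is queued
    the attacker has no further role; the cap only limits how long we watch."""
    queue = deque([trigger])
    replies = 0
    while queue:
        dg = queue.popleft()
        reply = endpoints[dg.dst](dg)
        if reply is None:
            return replies, True
        replies += 1
        if replies >= max_rounds:
            return replies, False      # still looping when we stopped watching
        queue.append(reply)
    return replies, True


# Constructed addresses (documentation ranges), not real hosts.
A = "198.51.100.10:7"
B = "203.0.113.5:7"


def simulate(service_a: Service, service_b: Service, max_rounds: int = 1000) -> Tuple[int, bool]:
    """One forged datagram addressed to A that claims to come from B's service port."""
    trigger = Datagram(src=B, dst=A, payload=b"hello")
    return run_loop({A: service_a, B: service_b}, trigger, max_rounds)


if __name__ == "__main__":
    print("both vulnerable      ", simulate(VULNERABLE, VULNERABLE))        # (1000, False)
    print("B ignores errors     ", simulate(VULNERABLE, NO_ERROR_REPLIES))  # (1, True)
    print("A ignores errors     ", simulate(NO_ERROR_REPLIES, VULNERABLE))  # (2, True)
    print("A filters src ports  ", simulate(PORT_FILTERED, VULNERABLE))     # (0, True)
```

The point the model makes is the one in the article: with two unmodified services the exchange never terminates on its own, while a loop-breaking rule on either end (not necessarily both) stops it within a couple of messages. Source-port filtering is the cheaper rule but has a known cost, since some DNS resolvers send queries from port 53.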
Beyond rendering a targeted service unstable or unusable, or causing a network outage if the loop traffic reaches the network backbone, the technique can also be used to amplify DoS and distributed denial-of-service (DDoS) attacks.
The list of protocols confirmed to be impacted includes NTP, DNS and TFTP, as well as legacy protocols such as Echo, Chargen and QOTD. However, experts believe several others are likely to be affected as well.
Researchers estimate that there are about 300,000 affected internet hosts, including almost 90,000 using the NTP protocol, 63,000 DNS, 56,000 Echo, and about 20,000 each for TFTP, Chargen, and QOTD. In the case of NTP, the vulnerable systems are likely those using a version of ntpd released before 2010, which are known to be impacted by a DoS vulnerability tracked as CVE-2009-3563.
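For a network team, the practical question is how to spot an active loop in their own telemetry. The following added example (not tooling from the CISPA team) applies a simple heuristic to flow records: a UDP conversation in which both endpoints use one of the service ports listed above, traffic runs in both directions, and each direction carries a large packet count. The flow lines are constructed for this illustration and their layout (timestamp, protocol, src -> dst, pkts) is an assumed format, not any real exporter's; the packet threshold is likewise an assumption to be tuned locally.

```python
"""Flow-record heuristic for a service-to-service UDP loop (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Well-known UDP ports of the protocols the article lists as affected.
LOOP_PRONE_PORTS = {7: "echo", 17: "qotd", 19: "chargen", 53: "dns", 69: "tftp", 123: "ntp"}

# Assumed record layout, e.g. "2024-03-19T10:00:00Z udp 1.2.3.4:123 -> 5.6.7.8:123 pkts=48000"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) udp (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) pkts=(?P<pkts>\d+)$"
)

# Constructed sample data using documentation address ranges.
SAMPLE_FLOWS = """\
2024-03-19T10:00:00Z udp 198.51.100.10:123 -> 203.0.113.5:123 pkts=48000
2024-03-19T10:00:00Z udp 203.0.113.5:123 -> 198.51.100.10:123 pkts=47990
2024-03-19T10:00:00Z udp 192.0.2.77:51234 -> 198.51.100.10:123 pkts=3
2024-03-19T10:00:00Z udp 198.51.100.10:123 -> 192.0.2.77:51234 pkts=3
2024-03-19T10:00:00Z udp 192.0.2.80:53 -> 198.51.100.20:53 pkts=120
2024-03-19T10:00:00Z udp 198.51.100.20:53 -> 192.0.2.80:53 pkts=118
2024-03-19T10:00:00Z udp 192.0.2.90:7 -> 198.51.100.30:19 pkts=9000
2024-03-19T10:00:00Z udp 198.51.100.30:19 -> 192.0.2.90:7 pkts=9000
"""

Endpoint = Tuple[str, int]


def parse_flows(text: str) -> List[dict]:
    """Parse records in the assumed layout; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
            "pkts": int(m["pkts"]),
        })
    return flows


def find_loops(flows: List[dict], min_pkts_each_way: int = 1000) -> List[dict]:
    """Flag endpoint pairs where both ports are loop-prone service ports and both
    directions exceed the packet threshold. The threshold keeps ordinary
    resolver-to-resolver DNS (port 53 on both sides) from being reported."""
    pair_pkts: Dict[Tuple[Endpoint, Endpoint], List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        a, b = sorted([f["src"], f["dst"]])
        direction = 0 if f["src"] == a else 1
        pair_pkts[(a, b)][direction] += f["pkts"]

    findings = []
    for (a, b), (ab, ba) in pair_pkts.items():
        if a[1] not in LOOP_PRONE_PORTS or b[1] not in LOOP_PRONE_PORTS:
            continue
        if min(ab, ba) < min_pkts_each_way:
            continue
        findings.append({
            "a": a, "b": b,
            "services": (LOOP_PRONE_PORTS[a[1]], LOOP_PRONE_PORTS[b[1]]),
            "pkts_each_way": (ab, ba),
        })
    # Heaviest suspected loop first.
    return sorted(findings, key=lambda x: -min(x["pkts_each_way"]))


if __name__ == "__main__":
    for hit in find_loops(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['a'][0]}:{hit['a'][1]} <-> {hit['b'][0]}:{hit['b'][1]} "
              f"{hit['services']} pkts={hit['pkts_each_way']}")
```

Run against the sample, the NTP-to-NTP pair and the Echo-to-Chargen pair are reported, while the normal client query (ephemeral source port) and the low-volume DNS exchange are not. In production the same grouping would be fed from the flow exporter and the threshold set from a baseline of the site's own traffic.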
The academics add that the application-layer looping DoS attack also affects products from Broadcom, Honeywell, Microsoft, Zyxel and MikroTik; these findings were reported to the affected parties in December 2023.
There is currently no evidence that this attack method has been used for malicious purposes, but researchers warn that exploitation is easy and have urged affected entities to take action.
Source: CisoAdvisor, Cispa