Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

300,000 Systems Vulnerable to New Loop DoS Attack

Academic researchers describe a new application-layer loop DoS attack affecting Broadcom, Honeywell, Microsoft and MikroTik.

HTTP/2 Continuation Flood DoS

Researchers from the CISPA Helmholtz Center for Information Security in Germany have disclosed the details of a new denial-of-service (DoS) attack vector that impacts several widely used UDP-based application protocols and hundreds of thousands of internet-facing systems.

The experts have demonstrated a loop DoS attack where an attacker uses IP spoofing to get two servers to communicate with each other indefinitely over a protocol they both use. 

“The newly discovered DoS loop attack is self-perpetuating and targets application-layer messages. It pairs two network services in such a way that they keep responding to one another’s messages indefinitely. In doing so, they create large volumes of traffic that result in a denial of service for involved systems or networks,” the researchers explained. 

“Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack. Previously known loop attacks occurred on the routing layer of a single network and were limited to a finite number of loop iterations,” they added.

In addition to allowing an attacker to cause a targeted service to become unstable or unusable, or cause a network outage by targeting the network’s backbone, the technique can be used for DoS or DDoS attack amplification. 

The list of protocols confirmed to be impacted includes NTP, DNS and TFTP, as well as legacy protocols such as Echo, Chargen and QOTD. However, the experts believe several others are likely impacted as well. 

The researchers estimate that there are roughly 300,000 impacted internet hosts, including nearly 90,000 for their use of NTP, 63,000 for DNS, 56,000 for Echo, and roughly 20,000 each for TFTP, Chargen and QOTD. In the case of NTP, vulnerable systems are likely ones that use a version of ntpd released before 2010, which are known to be impacted by a DoS vulnerability tracked as CVE-2009-3563.

There is currently no evidence that this attack method has been used in the wild for malicious purposes, but the researchers warned that exploitation is easy and urged impacted entities to take action. 

Advertisement. Scroll to continue reading.

The new CVE identifiers CVE-2024-1309 and CVE-2024-2169 have been assigned to the vulnerabilities involved in the new loop DoS attack.

According to an advisory from the CERT Coordination Center at Carnegie Mellon University, CVE-2024-2169 has been confirmed to impact products from Broadcom, Honeywell, Microsoft, and MikroTik. Potentially impacted vendors were notified in December 2023.

Broadcom said only some older routers are impacted and it has released a patch for them. Microsoft said an attack against its products does not result in a crash of the host, but the company will consider fixing the issue in Windows in the future. MikroTik will release a patch soon. 

In addition, Cisco confirmed impact from CVE-2009-3563, which it addressed back in 2009. Zyxel confirmed that some end-of-life products are impacted, but they will not receive patches.

In an advisory published by the researchers, they recommend several preventive and reactive measures. 

“Fixing all these servers at once seems not to be practical. Worse, while we know some affected products and software, we cannot yet attribute the vast number (~80%) of systems we found vulnerable to abuse,” they said.

As for reactive measures, they advised defenders to disrupt the DoS loop in case of an attack.

“Any type of packet loss in the attack traffic terminates the loop and forces the attackers to reinitialize the loops. Packet loss thus effectively downgrades the application-layer loop attacks to amplification attacks,” they explained. 

Related: 180k Internet-Exposed SonicWall Firewalls Vulnerable to DoS Attacks, Possibly RCE

Related: SLP Vulnerability Allows DoS Attacks With Amplification Factor of 2,200

Related: Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.