Researchers from the CISPA Helmholtz Center for Information Security in Germany have disclosed the details of a new denial-of-service (DoS) attack vector that impacts several widely used UDP-based application protocols and hundreds of thousands of internet-facing systems.
The experts have demonstrated a loop DoS attack where an attacker uses IP spoofing to get two servers to communicate with each other indefinitely over a protocol they both use.
“The newly discovered DoS loop attack is self-perpetuating and targets application-layer messages. It pairs two network services in such a way that they keep responding to one another’s messages indefinitely. In doing so, they create large volumes of traffic that result in a denial of service for involved systems or networks,” the researchers explained.
“Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack. Previously known loop attacks occurred on the routing layer of a single network and were limited to a finite number of loop iterations,” they added.
In addition to allowing an attacker to cause a targeted service to become unstable or unusable, or cause a network outage by targeting the network’s backbone, the technique can be used for DoS or DDoS attack amplification.
The list of protocols confirmed to be impacted includes NTP, DNS and TFTP, as well as legacy protocols such as Echo, Chargen and QOTD. However, the experts believe several others are likely impacted as well.
The researchers estimate that there are roughly 300,000 impacted internet hosts, including nearly 90,000 for their use of NTP, 63,000 for DNS, 56,000 for Echo, and roughly 20,000 each for TFTP, Chargen and QOTD. In the case of NTP, vulnerable systems are likely ones that use a version of ntpd released before 2010, which are known to be impacted by a DoS vulnerability tracked as CVE-2009-3563.
There is currently no evidence that this attack method has been used in the wild for malicious purposes, but the researchers warned that exploitation is easy and urged impacted entities to take action.
The new CVE identifiers CVE-2024-1309 and CVE-2024-2169 have been assigned to the vulnerabilities involved in the new loop DoS attack.
According to an advisory from the CERT Coordination Center at Carnegie Mellon University, CVE-2024-2169 has been confirmed to impact products from Broadcom, Honeywell, Microsoft, and MikroTik. Potentially impacted vendors were notified in December 2023.
Broadcom said only some older routers are impacted and it has released a patch for them. Microsoft said an attack against its products does not result in a crash of the host, but the company will consider fixing the issue in Windows in the future. MikroTik will release a patch soon.
In addition, Cisco confirmed impact from CVE-2009-3563, which it addressed back in 2009. Zyxel confirmed that some end-of-life products are impacted, but they will not receive patches.
In an advisory published by the researchers, they recommend several preventive and reactive measures.
“Fixing all these servers at once seems not to be practical. Worse, while we know some affected products and software, we cannot yet attribute the vast number (~80%) of systems we found vulnerable to abuse,” they said.
As for reactive measures, they advised defenders to disrupt the DoS loop in case of an attack.
“Any type of packet loss in the attack traffic terminates the loop and forces the attackers to reinitialize the loops. Packet loss thus effectively downgrades the application-layer loop attacks to amplification attacks,” they explained.
Related: 180k Internet-Exposed SonicWall Firewalls Vulnerable to DoS Attacks, Possibly RCE
Related: SLP Vulnerability Allows DoS Attacks With Amplification Factor of 2,200
Related: Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks
