Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio

Mitel enterprise collaboration products have been abused for distributed denial-of-service (DDoS) attacks that employ a new vector with a massive potential amplification ratio.

Researchers from Akamai, Cloudflare, Lumen, NETSCOUT, Team Cymru, TELUS, and The Shadowserver Foundation have analyzed the attacks and published a blog post detailing their findings. Mitel has released an advisory and security bulletins describing the impact on its products.

According to the organizations that investigated these DDoS attacks, malicious actors are abusing incorrectly provisioned Mitel MiCollab and MiVoice Business Express collaboration systems. The targeted devices incorporate TP-240 VoIP-processing interface cards and they are primarily used for internet-based site-to-site voice connectivity for PBX systems.

While tens of thousands of these Mitel devices are deployed in government and private sector organizations worldwide, researchers have identified only roughly 2,600 systems that have been incorrectly provisioned and exposed to the internet.

The attack method has been named TP240PhoneHome and the underlying vulnerability has been assigned the CVE identifier CVE-2022-26143.

“The abused service on affected Mitel systems is called tp240dvr (TP-240 driver) and appears to run as a software bridge to facilitate interactions with TDM/VoIP PCI interface cards. The service listens for commands on UDP/10074 and is not meant to be exposed to the internet, as confirmed by the manufacturer of these devices. It is this exposure to the internet that ultimately allows it to be abused,” researchers explained.

“The tp240dvr service exposes an unusual command that is designed to stress test its clients in order to facilitate debugging and performance testing. This command can be abused to cause the tp240dvr service to send this stress test to attack victims. The traffic consists of a high rate of short informative status update packets that can potentially overwhelm victims and cause the DDoS scenario,” they added.

Spikes in network traffic associated with the abused service were seen on January 8 and February 7, but the first actual attack was observed on February 18.

“This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” researchers said. “A controlled test of this DDoS attack vector yielded more than 400 Mpps of sustained DDoS attack traffic.”
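The two details above that matter most to a defender are that tp240dvr listens on UDP/10074 and was never meant to be internet-reachable, and that a victim of the abused test facility receives a sustained stream of small packets reflected off those exposed hosts. The following flow-record triage script is an added example written for this page; it is not code from the article, from Mitel, or from the researchers. It looks for both signals: inbound UDP/10074 from a non-internal source (an exposed service on your own Mitel host) and inbound UDP traffic arriving from source port 10074 on external addresses at a high packet rate (reflection traffic hitting a victim). The flow-record format, the sample records, the RFC 1918 definition of "internal", and the 10,000 pps threshold are all constructed assumptions for this example.

```python
"""Added example: triage of flow records for the tp240dvr UDP/10074 service.
Not from the article, Mitel, or the cited researchers. The record format,
the sample data, INTERNAL_NETS and the pps threshold are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP port the tp240dvr service listens on (stated by the researchers quoted above).
TP240_PORT = 10074
# Assumed triage threshold in packets per second; tune to your own baseline.
REFLECTION_PPS_THRESHOLD = 10_000
# Assumed definition of "internal": RFC 1918 space. Extend with your own public prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, epoch seconds
    duration: int  # seconds the flow was active
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one record: ts duration proto src sport dst dport packets (constructed format)."""
    ts, dur, proto, src, sport, dst, dport, pkts = line.split()
    return Flow(int(ts), int(dur), proto.upper(), src, int(sport), dst, int(dport), int(pkts))


def parse_flows(text: str) -> list:
    return [parse_flow(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def is_external(addr: str) -> bool:
    """True when the address is outside the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_services(flows) -> set:
    """Hosts that accepted UDP/10074 from outside: the service is reachable from the internet."""
    return {f.dst for f in flows
            if f.proto == "UDP" and f.dport == TP240_PORT and is_external(f.src)}


def find_reflection_victims(flows, pps_threshold=REFLECTION_PPS_THRESHOLD) -> dict:
    """Destinations receiving UDP traffic *from* source port 10074 on external hosts
    above the rate threshold. Returns dst -> {"pps": float, "reflectors": int}."""
    packets, first, last = defaultdict(int), {}, {}
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto == "UDP" and f.sport == TP240_PORT and is_external(f.src):
            packets[f.dst] += f.packets
            first[f.dst] = min(first.get(f.dst, f.ts), f.ts)
            last[f.dst] = max(last.get(f.dst, 0), f.ts + f.duration)
            reflectors[f.dst].add(f.src)
    out = {}
    for dst, pkts in packets.items():
        span = max(last[dst] - first[dst], 1)  # observation window in seconds
        pps = pkts / span
        if pps >= pps_threshold:
            out[dst] = {"pps": pps, "reflectors": len(reflectors[dst])}
    return out


# Constructed sample records: one external probe of a Mitel host on UDP/10074,
# two external reflectors flooding 192.0.2.99 from source port 10074, one benign
# internal management flow, and one low-rate external flow that should not trigger.
SAMPLE_FLOWS = """\
# ts         dur proto src           sport dst        dport packets
1645171200 1   UDP 203.0.113.10 40000 192.0.2.20 10074 1
1645171200 60  UDP 198.51.100.7 10074 192.0.2.99 443   900000
1645171200 60  UDP 198.51.100.8 10074 192.0.2.99 443   840000
1645171230 30  UDP 10.1.1.5     51000 10.1.1.9   10074 3
1645171200 60  UDP 198.51.100.9 10074 192.0.2.50 53    1200
"""


def analyze(text: str = SAMPLE_FLOWS) -> dict:
    flows = parse_flows(text)
    return {"exposed": find_exposed_services(flows),
            "victims": find_reflection_victims(flows)}


if __name__ == "__main__":
    result = analyze()
    for host in sorted(result["exposed"]):
        print(f"EXPOSED {host}: UDP/{TP240_PORT} reachable from an external source")
    for dst, info in result["victims"].items():
        print(f"VICTIM  {dst}: {info['pps']:.0f} pps from {info['reflectors']} "
              f"reflector(s) with source port {TP240_PORT}")
```

The exposure check is the one that prevents your own devices from becoming reflectors and is the cheaper of the two to run continuously; the reflection check is what an upstream or on-premises DDoS scrubbing service would key on, and because the attack is sustained for hours from a single trigger packet, a per-destination rate over a window is a better signal than per-flow size.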

The attacks leveraging this technique can be mitigated with standard DDoS protections and Mitel has released patches that should prevent abuse.

In its advisories, which have been assigned a risk rating of “critical,” Mitel described the issue as a security access control vulnerability that can be exploited for more than just sustained DoS attacks. The vendor warned that a remote, unauthenticated attacker could also exploit the vulnerability to gain access to sensitive information and possibly execute arbitrary code.

DDoS attacks continue to increase in size. Microsoft reported recently that it had seen record-breaking attacks that exceeded 3 Tbps.

Related: Cloudflare Mitigated Record-Setting 17.2 Million RPS DDoS Attack

Related: Several DDoS Attack Records Broken in 2020

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
