
We have discovered a new denial of service (DoS) attack vector that targets User Datagram Protocol (UDP)-based application layer protocols, potentially putting hundreds of thousands of hosts at risk.
The attack is called the Loop DoS attack. Researchers at the CISPA Helmholtz Center for Information Security said the method pairs “servers of these protocols in such a way that they communicate with each other indefinitely.”
UDP is a connectionless protocol by design and does not verify the source IP address, making it susceptible to IP spoofing.
Therefore, when an attacker forges multiple UDP packets to include the victim’s IP address, the target server responds to the victim (rather than the threat actor), creating a Reflected Denial of Service (DoS) attack.

New research finds that certain implementations of UDP protocols, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create self-sustaining attack loops.
“It pairs two network services so that they can respond to each other’s messages indefinitely,” the researchers said. “In doing so, they generate large amounts of traffic, causing a denial of service to the system or network in question. Once the trigger is injected and the loop has started, not even the attacker can stop the attack.”
In short, assuming two application servers run a vulnerable version of the protocol, a threat actor could initiate communication with the first server by spoofing the address of the second server, thereby causing the first server to respond to the victim (the second server) with an error message.
In turn, the victim would display similar behavior, sending another error message back to the first server, effectively exhausting each other’s resources and rendering either service unresponsive.
Yepeng Pan and Christian Rossow explain: “If an input error leads to an output error, and a second system behaves identically, the two systems will send error messages back and forth indefinitely.”
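The error-for-error condition the researchers describe can be reproduced entirely in memory. The following Python model is an added example, not code from the CISPA research or from any affected product; the class and function names, message labels and 192.0.2.x documentation addresses are constructed, and the hardened behaviour (staying silent on an inbound error message) is an assumption showing one way to break the cycle.

```python
from collections import deque

class Server:
    """Toy UDP-style service (hypothetical): unparseable input yields an error reply."""
    def __init__(self, addr, reply_to_errors):
        self.addr = addr
        self.reply_to_errors = reply_to_errors  # True = behaviour that can loop
        self.sent = 0

    def handle(self, src, payload):
        """Return (dst, payload) for the reply, or None to stay silent."""
        if payload == "REQUEST":
            reply = "RESPONSE"
        elif payload == "ERROR" and not self.reply_to_errors:
            return None            # hardened: never answer an error with an error
        else:
            reply = "ERROR"        # input error leads to output error
        self.sent += 1
        return (src, reply)        # UDP: reply goes to whatever source was claimed

def simulate(reply_to_errors, max_datagrams=1000):
    """Deliver datagrams between two identical servers until quiet or capped.

    Returns (delivered, sent_by_a, sent_by_b, still_looping).
    """
    a = Server("192.0.2.10", reply_to_errors)
    b = Server("192.0.2.20", reply_to_errors)
    hosts = {a.addr: a, b.addr: b}
    # Constructed trigger: one malformed datagram arriving at A whose
    # source field names B. No further outside input is modelled.
    queue = deque([(b.addr, a.addr, "MALFORMED")])
    delivered = 0
    while queue and delivered < max_datagrams:
        src, dst, payload = queue.popleft()
        delivered += 1
        reply = hosts[dst].handle(src, payload)
        if reply is not None:
            queue.append((dst, reply[0], reply[1]))
    return delivered, a.sent, b.sent, bool(queue)

if __name__ == "__main__":
    print("error-for-error:", simulate(True))   # runs until the cap is hit
    print("silent on error:", simulate(False))  # stops after one reply
```

With both servers answering errors, the exchange only ends because the simulation caps it; with silence on inbound errors, the single trigger produces exactly one reply and the queue drains.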

CISPA stated that an estimated 300,000 hosts and their networks could be abused to conduct loop DoS attacks.
While there is currently no evidence that the attack has been weaponized in the wild, researchers warn that exploiting the attack is trivial and would affect a variety of products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel.
“An attacker would need a spoof-capable host to trigger the loop,” the researchers noted. “Therefore, it is important to continue taking steps to filter spoofed traffic (e.g., BCP38).”