Researchers have found that a new type of self-perpetuating denial-of-service (DoS) attack that targets application-level messages has the potential to compromise 300,000 Internet hosts and may be difficult to stop once it starts.
Researchers Yepeng Pan and professor Christian Rossow from the CISPA Helmholtz-Center for Information Security discovered the attack, nicknamed “Loop DoS”. It creates a kind of infinite loop of responses by pairing two network services “in such a way that they continue to respond to each other’s messages indefinitely,” according to a post published on the CISPA website describing the attack.
This dynamic generates large volumes of traffic, resulting in DoS for any system or network involved. Furthermore, once the cycle begins, even the attackers are unable to stop it, and it can be triggered by a single host capable of spoofing, the researchers said.
According to a post from the CERT Coordination Center at Carnegie Mellon University, the attack exploits a new traffic loop vulnerability present in some applications based on the UDP (User Datagram Protocol) protocol. An unauthenticated attacker can use maliciously crafted packets against vulnerable UDP-based implementations of various application protocols such as DNS, NTP, and TFTP, leading to DoS and/or resource abuse.
In addition to these protocols, the researchers also found the flaw in legacy protocols such as Daytime, Time, Active Users, Echo, Chargen, and QOTD, which “are widely used to provide basic functionality over the Internet,” according to CISPA.
Loop DoS is a type of “nasty” cyber attack.
The researchers compare the attack to amplification attacks in terms of the volumes of traffic they can cause, with two main differences. The first is that, because of the loop behavior, attackers do not have to keep sending attack traffic unless defenders break the loops and thereby end the repetitive nature of the attack. The other is that, without adequate defense, the DoS attack will likely continue for a while.
Indeed, DoS attacks almost always involve resource consumption in the Web architecture, but until now it has been extremely complicated to use this type of attack to take a Web property completely offline because “you have to have systems smart enough to assemble an army of hosts that will hit the victim’s web architecture all at once,” explains Jason Kent, resident hacker at Cequence Security.
A continuous loop attack changes the game significantly because the call can come from within the architecture itself and then grow exponentially, he explained.
“I can give Server A an organization’s Server B address and act as if I were Server B,” Kent says. “Server A will send an error to Server B, and Server B will in turn send an error to Server A, indefinitely or until one of them dies.”
This removes the need for an attacker to plan or strategize to obtain millions of hosts and can potentially “cause cascading system failures creeping into environments, triggered externally,” he says, calling the loop DoS attack “nasty”.
Four DoS attack scenarios
The researchers provided four attack scenarios to demonstrate how a loop DoS attack could work. In the simplest scenario, an attacker overloads a vulnerable server itself, creating numerous loops between it and other “loop” servers so that the traffic converges on a single target server. This results in exhaustion of the host’s bandwidth or computational resources, they said. A defender can stop this attack by patching the loop server so that it escapes the loop pattern.
In a second scenario, attackers target network backbones that contain many loop hosts, pairing these hosts with one another to create thousands or millions of loops within the target network. To protect against such attacks from external hosts, networks can filter spoofed IP traffic, the researchers said.
A third attack is where attackers pair servers in such a way as to congest individual Internet links. “In the simplest case, this could be the uplink of a target network,” the researchers wrote, adding that this can be done over any Internet link traversed by loop pairs.
“To this end, attackers pair inner loop hosts with outer ones, which puts stress on the Internet uplink of the target network due to loop traffic,” the researchers explained.
A fourth and rare attack scenario is also the most “devastating type”, one in which loop servers send not a single response but multiple ones, allowing the creation of “self-amplifying loops that not only continue forever, but also intensify in their loop frequency,” the researchers wrote. This attack continues uninterrupted even if defenses introduce packet loss, unless they stop all network traffic, they added.
Mitigation and defense against looping DoS attacks
In addition to the specific mitigations already outlined for the different loop DoS attack scenarios, there are other ways to mitigate or stop such an attack once it has started, which is good news given the myriad of vulnerable host servers, since fixing them “all at once does not appear to be practical,” the researchers acknowledged.
Blocking UDP and switching to TCP-based communication with authentication and monitoring can mitigate exposure to a loop DoS attack, Kent says. However, if that is not an option, system administrators “may want to limit host-to-host communication in internal firewalls and network equipment,” he adds.
Other mitigations suggested by the researchers include: updating or shutting down services vulnerable to a loop DoS attack; limiting access to the service to clients using ephemeral (client-side) source ports; and identifying vulnerable software or products in the network and notifying the vendor of the potential for exploitation.
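As an added illustration of the source-port mitigation above and of the detection it implies (example code, not from the article, CISPA or CERT): a loop, by construction, runs between two well-known service ports, so a packet whose source and destination ports are both loop-capable service ports is the signal to look for, and a policy that only accepts requests from ephemeral source ports denies the loop a starting point. The flow-record format, the ephemeral-port threshold and the sample flows are constructed here.

```python
# Added example: flag candidate Loop DoS traffic in UDP flow records and apply the
# "ephemeral source port only" policy suggested by the researchers. The record
# format, the EPHEMERAL_MIN threshold and the sample flows are constructed.
from collections import defaultdict

# UDP services the article names as loop-capable, keyed by their well-known port.
LOOP_SERVICE_PORTS = {
    7: "echo", 11: "active-users", 13: "daytime", 17: "qotd", 19: "chargen",
    37: "time", 53: "dns", 69: "tftp", 123: "ntp",
}
EPHEMERAL_MIN = 1024  # assumption: source ports at or above this are client ports

def parse_flow(line):
    """Parse a constructed record: 'udp <src_ip>:<sport> > <dst_ip>:<dport> <packets>'."""
    proto, src, _, dst, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport), int(pkts)

def allowed_by_port_policy(sport, dport):
    """Mitigation: a request to a loop-capable service is accepted only from an
    ephemeral source port, so another service's port can never be the sender."""
    if dport in LOOP_SERVICE_PORTS:
        return sport >= EPHEMERAL_MIN
    return True

def find_loop_pairs(lines, min_packets=100):
    """Detection: UDP flows whose source AND destination ports are both loop-capable
    service ports are grouped by unordered endpoint pair; pairs whose combined
    packet count reaches min_packets are reported as likely loops."""
    totals = defaultdict(int)
    for line in lines:
        proto, sip, sport, dip, dport, pkts = parse_flow(line)
        if proto != "udp" or sport not in LOOP_SERVICE_PORTS or dport not in LOOP_SERVICE_PORTS:
            continue  # ordinary client traffic: one side uses an ephemeral port
        pair = tuple(sorted([(sip, sport), (dip, dport)]))
        totals[pair] += pkts
    return sorted((pair, n) for pair, n in totals.items() if n >= min_packets)

# Constructed sample flows: a normal DNS query, a normal NTP poll, and an
# echo/chargen pair answering each other in both directions.
SAMPLE_FLOWS = [
    "udp 192.0.2.10:51234 > 198.51.100.53:53 2",
    "udp 192.0.2.11:40211 > 203.0.113.5:123 1",
    "udp 198.51.100.7:7 > 203.0.113.19:19 4500",
    "udp 203.0.113.19:19 > 198.51.100.7:7 4480",
]

if __name__ == "__main__":
    for pair, n in find_loop_pairs(SAMPLE_FLOWS):
        print(f"likely loop: {pair[0]} <-> {pair[1]} ({n} packets)")
```

The same port-pair test can be expressed as a firewall rule: drop inbound UDP to a service port when the source port is itself one of the loop-capable service ports.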