A new Denial of Service (DoS) attack vector has been discovered targeting User Datagram Protocol (UDP)-based application layer protocols, putting hundreds of thousands of hosts at risk.
Called Loop DoS attacks, the approach pairs “the servers of these protocols in such a way that they communicate with each other indefinitely,” researchers at the CISPA Helmholtz Center for Information Security said.
UDP, by default, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.
Therefore, when attackers send UDP packets whose source address is spoofed to the victim’s IP address, the target server sends its responses to the victim rather than to the attacker, creating a reflected denial of service (DoS) attack.
The latest study found that certain implementations of UDP-based application-layer protocols, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating loop of traffic between two servers.
“It couples two network services such that they continue to respond to each other’s messages indefinitely,” the researchers said. “In doing so, they create large volumes of traffic that result in a denial of service for the systems or networks involved. Once a trigger is inserted and the cycle is set in motion, not even the attackers are able to stop the attack.”
Simply put, given two application servers running a vulnerable implementation of the protocol, a threat actor can send a single message to the first server with the source address spoofed to that of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.
The victim, in turn, treats that error message as invalid input and returns an error message of its own to the first server. From that point on the two servers exchange error messages indefinitely, with no further involvement from the attacker, consuming bandwidth and processing capacity on both hosts and the links between them until at least one of the services can no longer respond to legitimate clients.
“If an input error creates an output error and a second system behaves the same way, these two systems will continue to send error messages back and forth indefinitely,” explained Yepeng Pan and Christian Rossow.
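The exchange described above, as an added example that is not part of the original article or of CISPA's research code: an in-memory model of two UDP services, a single spoofed trigger datagram, and the two handler changes that break the loop. The toy "HELLO"/"OK"/"ERR" protocol, the addresses, the port numbers and the queue that stands in for UDP delivery are all constructed for illustration.

```python
"""Model of an application-layer Loop DoS between two UDP services.

Added example, not CISPA's code. Everything here is constructed: the
addresses, the toy HELLO/OK/ERR protocol, and the in-memory "network"
that stands in for real UDP delivery.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional, Tuple

Addr = Tuple[str, int]          # (ip, udp port)
ERROR = b"ERR: unrecognised request"


@dataclass(frozen=True)
class Datagram:
    src: Addr
    dst: Addr
    payload: bytes


Handler = Callable[[Datagram], Optional[Datagram]]


def make_service(ignore_errors: bool = False,
                 ignore_service_ports: bool = False) -> Handler:
    """Build a stateless UDP request handler.

    With both flags False this reproduces the loop-prone behaviour: any
    input that is not a valid request, including another server's error
    message, is answered with an error sent back to the packet's source.
    Each flag enables one of the two mitigations the researchers describe.
    """
    def handler(d: Datagram) -> Optional[Datagram]:
        if d.payload == b"HELLO":
            return Datagram(src=d.dst, dst=d.src, payload=b"OK")
        # Mitigation 1: never answer an error message with an error.
        if ignore_errors and d.payload.startswith(b"ERR"):
            return None
        # Mitigation 2: never answer traffic that claims to come from a
        # well-known service port; real clients use ephemeral ports.
        if ignore_service_ports and d.src[1] < 1024:
            return None
        return Datagram(src=d.dst, dst=d.src, payload=ERROR)
    return handler


def run(handlers: Dict[Addr, Handler], trigger: Datagram,
        max_steps: int = 10_000) -> Tuple[int, bool]:
    """Deliver datagrams until the network goes quiet or max_steps are
    consumed. Returns (datagrams delivered, still_looping)."""
    queue: Deque[Datagram] = deque([trigger])
    delivered = 0
    while queue and delivered < max_steps:
        d = queue.popleft()
        delivered += 1
        reply = handlers.get(d.dst, lambda _: None)(d)
        if reply is not None:
            queue.append(reply)
    return delivered, bool(queue)


# Constructed topology: two servers on the same service port, one attacker.
SERVER_A: Addr = ("192.0.2.10", 7)
SERVER_B: Addr = ("192.0.2.20", 7)
ATTACKER: Addr = ("198.51.100.7", 40000)


def spoofed_trigger() -> Datagram:
    """One datagram from the attacker to A with the source forged as B.
    The attacker's real address never appears on the wire."""
    return Datagram(src=SERVER_B, dst=SERVER_A, payload=b"\xff\xfe junk")


def simulate(**flags: bool) -> Tuple[int, bool]:
    """Run the spoofed trigger against two identically configured servers."""
    handlers = {SERVER_A: make_service(**flags),
                SERVER_B: make_service(**flags)}
    return run(handlers, spoofed_trigger())


def legitimate_request(**flags: bool) -> Tuple[int, bool]:
    """Sanity check: a normal client request still completes in two steps."""
    client: Addr = ("203.0.113.5", 51234)
    handlers = {SERVER_A: make_service(**flags)}
    return run(handlers, Datagram(src=client, dst=SERVER_A, payload=b"HELLO"))


if __name__ == "__main__":
    for flags in ({}, {"ignore_errors": True}, {"ignore_service_ports": True}):
        delivered, looping = simulate(**flags)
        print(f"{flags or 'vulnerable'}: {delivered} datagrams, looping={looping}")
```

In the unmitigated configuration the trigger is the only packet the attacker ever sends; the run stops only because the step cap is reached, which is the model's version of "not even the attackers are able to stop the attack". Dropping error messages ends the exchange after A's single error reply, and refusing to answer packets from well-known service ports drops the spoofed trigger itself, since a genuine client would not be sending from port 7.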
CISPA said that approximately 300,000 hosts and their networks could be abused to carry out Loop DoS attacks.
While there is currently no evidence that the attack has been weaponized in the wild, researchers have warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik and Zyxel are affected.
“Attackers need a single host capable of spoofing to trigger the loops,” the researchers noted. “Therefore, it is important to keep initiatives active to filter counterfeit traffic, such as BCP38.” BCP 38 describes network ingress filtering, in which a network operator drops packets whose source address could not legitimately originate from the interface they arrive on, which removes the attacker’s ability to forge the trigger packet in the first place.