New Loop DoS Attack Targets Hundreds of Thousands of Systems

New Loop DoS Attack Targets Hundreds of Thousands of Systems

A novel denial-of-service (DoS) attack vector has emerged, targeting application-layer protocols based on the User Datagram Protocol (UDP). This attack, known as the Loop DoS attack, poses a significant risk to hundreds of thousands of hosts worldwide.

The approach, known as the Loop DoS attack, pairs “servers of these protocols in such a way that they communicate indefinitely,” researchers at the CISPA Helmholtz Security Centre said.

What Is the Loop DoS Attack?

The Loop DoS attack leverages the inherent characteristics of UDP, which is a connectionless protocol that does not validate source IP addresses. In this attack, the threat actor pairs two servers running vulnerable versions of certain UDP-based protocols. These servers then engage in perpetual communication with each other, creating a self-perpetuating loop.

Here’s how it works:

UDP is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.

  1. The attacker spoofs the address of one server and initiates communication with the other server.
  2. The first server responds to the victim (the second server) with an error message.
  3. The victim, in turn, responds with another error message to the first server.
  4. This back-and-forth exchange exhausts both servers’ resources, rendering them unresponsive.

Vulnerable Protocols

A recent study found that several UDP implementations, including DNS (DNS), NTP (NTP), TFTP (TTP), Active Users (AUs), Daytime, Echo (Echo), Chargen (QOTD), and Time (Time), can be used as weapons to build a self-fulfilling attack cycle.

It pairs two network services to continue to respond to each other’s messages indefinitely, said the researchers. “They generate massive amounts of traffic that results in a denial of service for the systems or networks involved. Not even the attackers can stop the attack once a single trigger is applied and the loop is triggered.”

In other words, if two application servers are running the vulnerable version of the protocol, the threat actor can communicate with the first one by spoofing the IP address of the second one, causing the first one to send an error message to the victim (the second one).

On the other hand, the victim will do the same and send another error message back to the first one, thus draining each other’s resources and causing either one of the services to fail to respond.

If an error in the input causes an error in the output, and the other system does the same, the two systems will continue to send error messages to and from each other for an indefinite time, according to Yepeng Pan and Christian Rossow.

Impact and Mitigation

Researchers estimate that approximately 300,000 hosts and their networks can be abused to carry out Loop DoS attacks. Although there is currently no evidence of widespread exploitation, the potential impact is significant. Several products from vendors such as Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.

To mitigate the risk, organizations should consider implementing measures like BCP38, which filters spoofed traffic. Additionally, staying informed about security updates and patches for affected products is crucial.

Found this article interesting? Follow us on WhatsApp and LinkedIn to read more exclusive content we post.