Researchers have discovered a new DoS attack that, once set in motion, cannot be stopped, even by the attackers.
Dubbed a 'Loop DoS', it targets application-layer protocols that use the User Datagram Protocol (UDP) for end-to-end communication. The attack pairs two network services so that their messages respond to one another indefinitely, generating large volumes of traffic that result in a denial of service for the affected systems.
Center for IT-Security, Privacy, and Accountability (CISPA) researchers, Yepeng Pan and Professor Dr. Christian Rossow, devised this form of attack and believe that around 300,000 Internet hosts and their networks are likely to be affected.
Loop DoS attacks rely on IP spoofing and can be launched from a single host.
"Attackers could cause a loop involving two faulty TFTP servers by injecting one single, IP-spoofed error message," said Rossow. "The vulnerable servers would then continue to send each other TFTP error messages, putting stress on both servers and on any network link between them."
Pan went on to explain that the application-level loops discovered by him and Rossow differ from known network-layer loops, adding: "Existing packet lifetime checks employed at the network level are unable to interrupt application-layer loops."
The researchers believe this kind of attack hasn't been carried out in the field.
"However, it would be easy for attackers to exploit this vulnerability if no action were taken to mitigate the risk," emphasised Rossow.
In December 2023, Rossow and Pan disclosed their discovery and alerted affected vendors and a trusted operator community. The two CISPA researchers coordinated a plan for the publication of an attack-specific advisory and started a notification campaign together with The Shadowserver Foundation.
The following list of software contains confirmed cases known to the researchers:
TFTP:
  atftpd: not affected (uses random source port for responses)
  tftpd: not affected (uses random source port for responses)
NTP: ntpd before version 4.2.4p8 and version 4.2.5 (CVE-2009-3563)
DNS: dproxy-nexgen
Legacy protocols: At least the QOTD, Chargen, Echo, Time, Daytime and Active Users protocols are affected. These protocols were historically implemented as part of inetd in Linux and can be disabled in inetd.conf.
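To illustrate the two points above, the TFTP error-message loop Rossow describes and why a server that answers from a random source port (as noted for atftpd and tftpd) is not affected, here is a small in-memory model. It is an added illustration, not code from the CISPA advisory; the Datagram and Service classes, host addresses and the round cap are assumptions of the model.

```python
"""Toy model of an application-layer UDP loop between two error-echoing
services, and of the reply-from-random-port design that breaks it.
Added illustration; all names and addresses are constructed."""
from dataclasses import dataclass
import random

@dataclass(frozen=True)
class Datagram:
    src: tuple          # (host, port) the datagram claims to come from
    dst: tuple          # (host, port) it is delivered to
    ttl: int = 64       # each freshly generated reply starts with a full TTL,
                        # which is why per-packet lifetime checks never end the loop

class Service:
    """A UDP service that answers any message it cannot parse with an error
    message sent back to the source address and port of that message."""
    def __init__(self, host, port, random_reply_port=False):
        self.host, self.port = host, port
        self.random_reply_port = random_reply_port
        self.listening = {port}      # only this port has a socket bound

    def handle(self, dg):
        if dg.dst[1] not in self.listening:
            return None              # no listener: kernel drops it, no app-level reply
        reply_port = random.randint(49152, 65535) if self.random_reply_port else self.port
        return Datagram(src=(self.host, reply_port), dst=dg.src)

def run_loop(a, b, first, max_rounds=1000):
    """Deliver datagrams back and forth until one side stops replying.
    Returns the number of datagrams handled (max_rounds means 'did not stop')."""
    hosts = {a.host: a, b.host: b}
    dg, rounds = first, 0
    while dg is not None and rounds < max_rounds:
        dg = hosts[dg.dst[0]].handle(dg)
        rounds += 1
    return rounds

def demo(random_port=False):
    random.seed(1)
    a = Service("10.0.0.1", 69, random_reply_port=random_port)   # constructed host
    b = Service("10.0.0.2", 69)                                  # constructed host
    # One injected error message whose source claims to be B's service port.
    injected = Datagram(src=(b.host, 69), dst=(a.host, 69))
    return run_loop(a, b, injected)

if __name__ == "__main__":
    print("naive servers, rounds handled:", demo(False))      # hits the cap: loop never ends
    print("random reply port on A, rounds:", demo(True))      # stops after a few datagrams
```

Only one of the two servers needs the random-reply-port behaviour: its reply arrives at the peer from an ephemeral port, the peer's error goes back to that port, and nothing is listening there, so the exchange dies.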
The researchers suggest that the following vendors may be affected:
Arris
Broadcom (2023-12-26)
Brother (2024-02-06)
Cisco (e.g., out-of-life 2800/2970 routers; maintained products unaffected)
D-Link
Honeywell (2024-01-03, CVE-2024-1309)
Hughes Network Systems
Microsoft (2024-02-19, in WDS)
MikroTik (2024-01-09)
PLANET Technology Corporation
TP-Link (e.g., out-of-life products TD-W8901G, TD-W8101G, R600VPN, WR740N, TD-W8960N)
Zyxel (e.g., end-of-life ZyWALL; maintained products unaffected)