
New ‘Loop DoS’ Attack Unable To Be Stopped, Even By Attackers

Giulio Saggin
Thursday 21 March 2024

Researchers have discovered a new DoS attack that, once set in motion, is unable to be stopped, even by the attackers.

Dubbed ‘Loop DoS’, it targets application-layer protocols that use the User Datagram Protocol (UDP) for end-to-end communication. The attack pairs two network services so that their messages keep triggering responses from one another indefinitely, generating large volumes of traffic that result in a denial of service for the affected systems.

Center for IT-Security, Privacy, and Accountability (CISPA) researchers Yepeng Pan and Professor Dr. Christian Rossow devised this form of attack and believe that around 300,000 Internet hosts and their networks are likely to be affected.

Loop DoS attacks rely on IP spoofing and can be launched from a single host.

“Attackers could cause a loop involving two faulty TFTP servers by injecting one single, IP-spoofed error message,” said Rossow. “The vulnerable servers would then continue to send each other TFTP error messages, putting stress on both servers and on any network link between them.”

Pan went on to explain that the application-level loops discovered by him and Rossow differ from known network-layer loops, adding: “Existing packet lifetime checks employed at the network level are unable to interrupt application-layer loops.”
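To see why a TTL-style check cannot break the loop Rossow describes, and why a server that replies from a random source port (as the article later notes for atftpd) is not affected, here is an added in-memory simulation that is not part of the article or of CISPA's work. It models two hypothetical TFTP servers exchanging RFC 1350 ERROR packets; the port numbers and handler behaviour are assumptions, and no traffic leaves the process.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Optional

TFTP_PORT = 69
EPHEMERAL_PORT = 49152  # stands in for a randomly chosen source port (assumption)
OP_RRQ, OP_WRQ, OP_ERROR = 1, 2, 5
ERR_ILLEGAL_OP = 4

@dataclass(frozen=True)
class Datagram:
    src_port: int
    dst_port: int
    payload: bytes

def build_error(code: int, msg: str) -> bytes:
    """TFTP ERROR packet (RFC 1350): opcode 5, error code, NUL-terminated message."""
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\x00"

def opcode(payload: bytes) -> int:
    return struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else 0

Handler = Callable[[Datagram], Optional[Datagram]]

def faulty_server(dg: Datagram) -> Optional[Datagram]:
    """Hypothetical looping server: answers anything but RRQ/WRQ with an ERROR sent from port 69."""
    if opcode(dg.payload) in (OP_RRQ, OP_WRQ):
        return None  # a real transfer would start here; irrelevant to the loop
    return Datagram(TFTP_PORT, dg.src_port, build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation"))

def hardened_server(dg: Datagram) -> Optional[Datagram]:
    """Never answers an ERROR with an ERROR, and replies from an ephemeral port."""
    if opcode(dg.payload) in (OP_RRQ, OP_WRQ, OP_ERROR):
        return None
    return Datagram(EPHEMERAL_PORT, dg.src_port, build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation"))

def replies_exchanged(server_a: Handler, server_b: Handler, trigger: Datagram, cap: int = 1000) -> int:
    """Deliver `trigger` to A, then bounce replies between A and B until one side stays
    silent, a reply lands on a port nobody serves, or `cap` replies have been sent."""
    servers = (server_a, server_b)
    dg, turn, sent = trigger, 0, 0
    while sent < cap:
        if dg.dst_port != TFTP_PORT:
            break  # only port 69 is served; a reply to an ephemeral port is simply dropped
        reply = servers[turn](dg)
        if reply is None:
            break
        sent += 1
        dg, turn = reply, 1 - turn
    return sent

# Constructed triggers: a single ERROR, or an unknown opcode, that appears to come from the peer's port 69.
SPOOFED_ERROR = Datagram(TFTP_PORT, TFTP_PORT, build_error(0, "Not defined"))
UNKNOWN_OP = Datagram(TFTP_PORT, TFTP_PORT, struct.pack("!H", 9))
```

Two faulty servers run until the cap with one spoofed ERROR, two hardened servers exchange nothing, and a hardened server facing a faulty peer produces at most one reply each way because the faulty peer's ERROR is addressed to a port nobody serves.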

The researchers believe this kind of attack hasn't been carried out in the field.

“However, it would be easy for attackers to exploit this vulnerability if no action were taken to mitigate the risk,” emphasised Rossow.

In December 2023, Rossow and Pan disclosed their discovery and alerted affected vendors and a trusted operator community. The two CISPA researchers coordinated a plan for the publication of an attack-specific advisory and started a notification campaign together with The Shadowserver Foundation.

The following list of software contains confirmed cases known to the researchers:

TFTP:
atftpd not affected (uses random source port for responses)
tftpd not affected (uses random source port for responses)

NTP: ntpd before version 4.2.4p8 and version 4.2.5 (CVE-2009-3563)

DNS: dproxy-nexgen

Legacy protocols: At least the QOTD, Chargen, Echo, Time, Daytime and Active Users protocols are affected. These protocols were historically implemented as part of inetd in Linux and can be disabled in inetd.conf.

The researchers suggest that the following vendors may be affected:

Arris

Broadcom (2023-12-26)

Brother (2024-02-06)

Cisco (e.g., out-of-life 2800/2970 routers; maintained products unaffected)

D-Link

Honeywell (2024-01-03, CVE-2024-1309)

Hughes Network Systems

Microsoft (2024-02-19, in WDS)

MikroTik (2024-01-09)

PLANET Technology Corporation

TP-Link (e.g., out-of-life products TD-W8901G, TD-W8101G, R600VPN, WR740N, TD-W8960N)

Zyxel (e.g., end-of-life ZyWALL; maintained products unaffected)
