A new attack strategy has been devised that triggers an indefinite denial state on target servers. Named “Loop DoS,” the attack hasn’t been detected in the wild yet, but it threatens over 300,000 online systems.
Loop DoS – A New DoS Attack Threatening Over 300K Systems
Researchers from the CISPA Helmholtz-Center for Information Security have developed a new attack strategy, “Loop DoS,” that causes system crashes.
As the name implies, the attack triggers a denial of service (DoS) state that goes indefinitely in a loop, going beyond the attackers’ control. Simply put, an adversary may achieve this by spoofing the IP address of a victim server, which causes the corresponding server in the communication to generate an error as the output. In response, the first server also gives an error, thus triggering an automated generation of error messages with no end.
Specifically, the attack becomes possible due to a vulnerability in the UDP application protocol implementations. Identified as CVE-2024-2169, this vulnerability affects the application layer messages, impacting how networks communicate over UDP. An attacker may inject IP-spoofed error messages between the communication, triggering an indefinite error loop. Giving the example of DNS resolvers, the researchers describe,
Imagine two DNS resolvers with such error reflection behavior. If an error as input creates an error as output for two systems, upon receiving an attack trigger, these two systems will keep sending error messages back and forth — indefinitely.
An attacker could now cause a loop among these two faulty DNS servers by injecting a single, IP-spoofed DNS error message. Once injected, the vulnerable servers continuously send DNS error messages back and forth, putting stress on both servers and any network link connecting them.
The researchers have shared the details about Loop DoS in their advisory.
All Existing UDP Protocols Found Vulnerable
As observed, all existing software implementations of UDP application protocols DNS, NTP, TFTP, Echo (RFC862), Chargen (RFC864), and QOTD (RFC865) are vulnerable to Loop DoS attacks. Consequently, over 300,000 Internet hosts and their networks are prone to attacks. That includes systems from top vendors like Microsoft, MikroTik, Broadcom, Cisco, Honeywell, and more.
While the attack is easy to exploit, it hasn’t yet been carried out in the wild. Nonetheless, the threat persists if this vulnerability remains unaddressed. Exploiting it merely requires an attacker to spoof the IP address of a vulnerable host, though it’s a mandatory requirement to trigger the loop. The researchers also explained that such an attack is only possible between two systems and may not be extended to more systems to create a ring.
Regarding possible attack prevention, the researchers propose updating or shutting down the vulnerable systems to prevent the attack and restricting ephemeral source ports to the servers on vulnerable protocols. Likewise, for countering an ongoing attack, the researchers advise rate-limiting networks that would break the indefinite loop and assign low QoS priority to abused protocols.
Let us know your thoughts in the comments.