An attack on UDP-based protocols that results in packet exchange looping

Teacher

The CERT Coordination Center (CERT/CC) has issued a warning about a series of vulnerabilities in implementations of various application protocols that use UDP as their transport. The vulnerabilities can be used for denial of service because they allow the packet exchange between two hosts to be driven into an endless loop. An attacker can, for example, exhaust the available network bandwidth, knock out network services (by generating a high load and exceeding request-rate limits), or use the loop as a traffic amplifier for DDoS attacks.

Protocols for which vulnerable implementations exist include DNS, NTP, TFTP, Echo (RFC 862), Chargen (RFC 864) and QOTD (RFC 865). The vulnerability (CVE-2024-2169) has been confirmed in selected products from Cisco, Microsoft, Broadcom, Brother, Honeywell (CVE-2024-1309) and MikroTik. As a workaround, it is recommended to enable anti-spoofing filtering (uRPF) on the firewall or router, restrict access to UDP services that are not needed, and configure traffic rate limits (rate-limit and QoS).

The vulnerabilities stem from the fact that UDP has no protection against source address spoofing. If transit routers do not filter spoofed packets, an attacker can put the IP address of an arbitrary server into the source field of a UDP packet and send that packet to another server, which will then send its response to the forged address. The attack consists of creating a situation in which two servers running vulnerable protocol implementations keep exchanging packets with each other. For example, the target server answers the incoming packet with an error response; the server whose address the attacker forged treats that error as yet another unparseable message and answers it with its own error response, which in turn provokes another error packet. The two servers thus play ping-pong with each other endlessly, with no further involvement of the attacker.



It is noteworthy that this attack method is not new: in the ntpd time synchronization server one variant of it was fixed back in 2009 (CVE-2009-3563) in versions 4.2.4p8 and 4.2.5. That attack consisted of sending an NTP packet with a forged source address and the MODE_PRIVATE flag set; while processing it, the target server returned an error reply saying that private mode could not be used, but left the MODE_PRIVATE flag set in the response. The other server was likewise unable to process a packet with that flag and returned its own error reply, which produced an endless packet exchange between the two NTP servers. For the DNS protocol, a warning about the possibility of such an attack was published as far back as 1996.

A global scan of Internet addresses showed that at least 23 thousand vulnerable TFTP servers, 63 thousand DNS servers, 89 thousand NTP servers, 56 thousand Echo (RFC 862) services, 22 thousand Chargen (RFC 864) services and 21 thousand QOTD (RFC 865) services are currently reachable on the network. In the case of NTP, the unpatched vulnerability is presumably explained by very old versions of ntpd released before 2010 still being in use. Echo, Chargen and QOTD services are vulnerable by design. The situation with TFTP and DNS servers requires investigation by their administrators. The atftpd and tftpd servers are not affected, because they send their response from a random source port: the other side's reply then arrives at a port with no listener and the exchange stops. One of the vulnerable DNS servers mentioned is dproxy-nexgen. In Microsoft products the problem appears in WDS (Windows Deployment Services), and in Cisco products it is present in the 2800 and 2970 series.
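The following is an added example, not code from the original post or from any of the affected products. It simulates the loop mechanism described above (an error reply that is itself answered with an error reply, as in the ntpd MODE_PRIVATE case) on an in-memory "network" with no real sockets, and goes slightly beyond the text by modelling three of the mitigations mentioned on this page as switches on the same service: refusing to answer error messages, sending replies from a random source port (the atftpd/tftpd behaviour), and a per-peer rate limit. All class and function names, the flag names and the 10.0.0.x addresses are this example's own constructions.

```python
"""Simulation of the UDP packet-loop DoS: two servers that answer every datagram,
including error replies, bounce errors back and forth forever once an attacker
injects a single spoofed packet. Added example; in-memory network, no sockets."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (host, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    kind: str  # "REQUEST" or "ERROR" (constructed stand-in for a real payload)


class UdpService:
    """A UDP service listening on one port. The keyword flags are hypothetical
    knobs that model the mitigations discussed in the text."""

    def __init__(self, host: str, port: int, *, reply_to_errors: bool = True,
                 ephemeral_src_port: bool = False,
                 max_replies_per_peer: Optional[int] = None) -> None:
        self.host, self.port = host, port
        self.reply_to_errors = reply_to_errors            # vulnerable when True
        self.ephemeral_src_port = ephemeral_src_port      # atftpd-style random source port
        self.max_replies_per_peer = max_replies_per_peer  # per-peer rate limit
        self._next_port = 40000                           # constructed ephemeral range
        self._replies: Dict[Addr, int] = {}

    def handle(self, pkt: Packet) -> List[Packet]:
        """Process one datagram and return the datagrams sent in response."""
        if pkt.dst[1] != self.port:
            # Nothing listens here (e.g. an ephemeral socket that was already
            # closed): the kernel answers with ICMP port-unreachable, chain ends.
            return []
        if pkt.kind == "ERROR" and not self.reply_to_errors:
            return []  # the ntpd-style fix: an error message is never a request
        if self.max_replies_per_peer is not None:
            sent = self._replies.get(pkt.src, 0)
            if sent >= self.max_replies_per_peer:
                return []  # rate limit for this peer exhausted
            self._replies[pkt.src] = sent + 1
        src_port = self.port
        if self.ephemeral_src_port:
            src_port, self._next_port = self._next_port, self._next_port + 1
        # A vulnerable implementation answers anything it cannot parse with an error.
        return [Packet(src=(self.host, src_port), dst=pkt.src, kind="ERROR")]


def simulate(services: List[UdpService], injected: Packet,
             max_steps: int = 1000) -> Tuple[int, bool]:
    """Deliver packets until the network goes quiet. Returns (packets delivered,
    looped); looped is True when max_steps was hit, i.e. the exchange never ended."""
    by_host = {s.host: s for s in services}
    queue = deque([injected])
    delivered = 0
    while queue:
        if delivered >= max_steps:
            return delivered, True
        pkt = queue.popleft()
        delivered += 1
        queue.extend(by_host[pkt.dst[0]].handle(pkt))
    return delivered, False


A_ADDR: Addr = ("10.0.0.1", 7)  # constructed victim addresses
B_ADDR: Addr = ("10.0.0.2", 7)


def spoofed_packet() -> Packet:
    """The attacker's single datagram: sent to B, with A forged as the source."""
    return Packet(src=A_ADDR, dst=B_ADDR, kind="REQUEST")


def vulnerable_pair() -> Tuple[int, bool]:
    """Both servers answer every datagram: the exchange never stops."""
    a, b = UdpService(*A_ADDR), UdpService(*B_ADDR)
    return simulate([a, b], spoofed_packet())


def ignore_errors_pair() -> Tuple[int, bool]:
    """Fixing only one side (A never answers an error) already breaks the loop."""
    a, b = UdpService(*A_ADDR, reply_to_errors=False), UdpService(*B_ADDR)
    return simulate([a, b], spoofed_packet())


def ephemeral_port_pair() -> Tuple[int, bool]:
    """A replies from a random port; B's answer hits a closed port and is dropped."""
    a, b = UdpService(*A_ADDR, ephemeral_src_port=True), UdpService(*B_ADDR)
    return simulate([a, b], spoofed_packet())


def rate_limited_pair() -> Tuple[int, bool]:
    """A answers at most three times per peer; the loop dies after a few rounds."""
    a, b = UdpService(*A_ADDR, max_replies_per_peer=3), UdpService(*B_ADDR)
    return simulate([a, b], spoofed_packet())


if __name__ == "__main__":
    for name, run in [("vulnerable", vulnerable_pair), ("ignore errors", ignore_errors_pair),
                      ("ephemeral port", ephemeral_port_pair), ("rate limit", rate_limited_pair)]:
        delivered, looped = run()
        print(f"{name:15s} packets={delivered:5d} looped={looped}")
```

The point worth noticing is that a single spoofed datagram is enough, the attacker is not involved after that, and only one of the two peers needs to behave correctly for the loop to end. A per-peer rate limit does not prevent the loop, it only caps how much traffic one spoofed packet can generate, which is why the advisory lists it as a workaround rather than a fix.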