Loop DoS: infinite loops in the service of cybercriminals

Teacher

Professional
Messages
2,677
Reputation
9
Reaction score
619
Points
113
How the Achilles heel of the UDP protocol can lead to a digital catastrophe.

Researchers at CISPA have identified a new type of denial-of-service (DoS) attack, dubbed "Loop DoS". The attack targets application-layer protocols and traps two network services in an endless exchange of messages, generating huge volumes of traffic.

The attack is carried out over UDP and affects approximately 300,000 hosts and their networks worldwide. The vulnerability, designated CVE-2024-2169, stems from insufficient validation of incoming packets in implementations of UDP-based services; because UDP itself does not verify the source address of a datagram, these services can be driven by spoofed IP addresses.

Attackers can initiate a self-sustaining mechanism that generates excessive traffic, resulting in denial of service on the target system or even on the entire network. A "Loop DoS" attack can be launched even from a single host, by sending just one message.

As noted by the CERT Coordination Center at Carnegie Mellon University, the possible consequences of an attack include overloading vulnerable services, attacks on network infrastructure, and enhanced DoS or DDoS attacks through network cycles.

CISPA researchers Yepeng Pan and Christian Rossow point out the significant potential damage of the attack, which affects both legacy protocols (QOTD, Chargen, Echo) and modern ones (DNS, NTP, TFTP) that underpin basic Internet functions such as time synchronization, domain name resolution, and unauthenticated file transfer.

"If two application servers have a vulnerable implementation of the specified protocol, an attacker can initiate data exchange with the first server by spoofing the network address of the second server (victim)," the CERT researchers explained. "In many cases, the first server will respond to the victim with an error message, which will also cause similar behavior on the other server."

This exchange can continue until the servers' resources are completely exhausted, leaving them unable to respond to legitimate requests.

According to the researchers, the attack is easy to carry out, although there is no evidence of active exploitation yet. Products from well-known vendors such as Broadcom, Cisco, Honeywell, Microsoft, and MikroTik are among the affected network equipment.

To prevent the risk of DoS attacks using the "Loop DoS" method, CERT recommends installing the latest patches from manufacturers, disabling unnecessary UDP services, and applying firewall rules and access control lists for UDP applications.

In addition, we recommend deploying anti-spoofing measures such as BCP38 ingress filtering and Unicast Reverse Path Forwarding (uRPF), as well as Quality-of-Service (QoS) controls that limit traffic volume and contain the abuse of such network loops. Together these measures minimize the risk and provide protection against possible abuse.
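The loop described in the CERT quote above, and the service-level hardening that the recommendations call for, are easy to see in a small model. The following Python block is an added illustration, not code from CISPA, CERT or any affected vendor: it models two UDP application servers as in-memory objects (no sockets are opened), a "looping" server that answers every unparseable datagram with an error, and a "hardened" server that never answers an error message with another error and caps error replies per source address. The addresses, payloads and budget value are constructed for the example.

```python
"""Added example: in-memory model of the Loop DoS message cycle and one way
an application server can break it. Hypothetical names; no real network I/O."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Datagram:
    src: str        # "ip:port" as claimed by the sender; UDP does not verify it
    dst: str
    payload: bytes


ERROR_PREFIX = b"ERR"


class LoopingServer:
    """Vulnerable model: replies to every unparseable datagram with an error,
    including to datagrams that are themselves error messages."""

    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.replies = 0

    def _reply(self, dg: Datagram, payload: bytes) -> Datagram:
        self.replies += 1
        return Datagram(self.addr, dg.src, payload)

    def handle(self, dg: Datagram) -> Optional[Datagram]:
        if dg.payload.startswith(b"GET"):
            return self._reply(dg, b"OK")
        return self._reply(dg, ERROR_PREFIX + b" unknown request")


class HardenedServer(LoopingServer):
    """Hardened model: (1) never answers an error message with another one,
    (2) caps the number of error replies sent to any single source address."""

    def __init__(self, addr: str, err_budget: int = 3) -> None:
        super().__init__(addr)
        self.err_budget = err_budget
        self.err_count: Dict[str, int] = {}

    def handle(self, dg: Datagram) -> Optional[Datagram]:
        if dg.payload.startswith(ERROR_PREFIX):
            return None                      # silence breaks the error-for-error cycle
        if dg.payload.startswith(b"GET"):
            return self._reply(dg, b"OK")
        sent = self.err_count.get(dg.src, 0)
        if sent >= self.err_budget:
            return None                      # this source has used up its error budget
        self.err_count[dg.src] = sent + 1
        return self._reply(dg, ERROR_PREFIX + b" unknown request")


def simulate(a, b, first: Datagram, max_steps: int = 1000) -> int:
    """Deliver datagrams between servers a and b, starting with `first`, until
    one side stops replying or the step cap is hit. Returns datagrams delivered."""
    servers = {a.addr: a, b.addr: b}
    queue = deque([first])
    delivered = 0
    while queue and delivered < max_steps:
        dg = queue.popleft()
        target = servers.get(dg.dst)
        if target is None:
            break
        delivered += 1
        reply = target.handle(dg)
        if reply is not None:
            queue.append(reply)
    return delivered


# Constructed addresses from documentation ranges; port 19 is Chargen.
A, B = "192.0.2.10:19", "198.51.100.20:19"
# One datagram whose source address has been forged to look like server B.
SPOOFED = Datagram(src=B, dst=A, payload=b"bogus")


def loop_length_vulnerable() -> int:
    """Two looping servers never stop: the simulation runs to its cap (1000)."""
    return simulate(LoopingServer(A), LoopingServer(B), SPOOFED)


def loop_length_hardened() -> int:
    """One hardened server ends the cycle after its first error reply (3 deliveries)."""
    return simulate(HardenedServer(A), LoopingServer(B), SPOOFED)


def error_replies_under_budget(n: int = 10) -> int:
    """A hardened server answers at most `err_budget` bogus datagrams per source."""
    srv = HardenedServer(A, err_budget=3)
    return sum(1 for _ in range(n) if srv.handle(Datagram(B, A, b"bogus")) is not None)


if __name__ == "__main__":
    print("vulnerable pair:", loop_length_vulnerable(), "datagrams (capped)")
    print("hardened pair:  ", loop_length_hardened(), "datagrams")
    print("error replies to 10 bogus datagrams:", error_replies_under_budget())
```

The model shows why the fix belongs in the service: as long as either server stays silent on error messages, a single forged datagram cannot become a self-sustaining exchange, whatever the other side does. The per-source budget is the in-process equivalent of the rate limiting and QoS controls mentioned above; BCP38 and uRPF sit one layer lower and stop the forged datagram from reaching the server at all.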