Cyber security news for all


    New ‘Loop DoS’ Attack Affects Hundreds of Thousands of Systems

    A newly disclosed denial-of-service (DoS) attack technique named Loop DoS targets application-layer protocols that run over the User Datagram Protocol (UDP). It puts hundreds of thousands of Internet-facing hosts at risk.

    Researchers at the CISPA Helmholtz Center for Information Security identified the attack, in which servers running these protocols are tricked into communicating with each other indefinitely. The resulting traffic volume denies service to the systems involved and to the networks carrying it.

    Because UDP is connectionless and performs no handshake, a server has no way to verify that a datagram really came from the source IP address in its header. An attacker can therefore send UDP packets whose source address is forged to be the victim's, and the server sends its response to the victim rather than to the attacker: the classic reflected denial-of-service.

    The study found that certain implementations of UDP-based protocols, including DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be abused to sustain such a loop.

    The attack pairs two vulnerable services so that each keeps answering the other's messages. Once started, the loop needs no further input from the attacker; it runs until one side stops responding and meanwhile floods both hosts and the links between them.

    In the simplest case, the attacker sends a single message to one server with the source address forged to that of a second server. The first server answers the second with an error, the second answers that error with an error of its own, and the two keep exchanging errors until both services are unresponsive.

    Researchers Yepeng Pan and Christian Rossow explain that the loop arises when an error response is itself erroneous input to the peer: each side's error message triggers another error from the other side, and the exchange continues indefinitely.

    CISPA estimates that roughly 300,000 hosts, and the networks they sit in, are susceptible to Loop DoS. There is no evidence of exploitation in the wild so far, but the researchers caution that the attack is easy to carry out.

    Products from vendors including Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected. Because a single host able to send spoofed packets is enough to start a loop, network operators should deploy source-address validation such as BCP38 ingress filtering so that spoofed traffic is dropped at the network edge.
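    The error-message loop described above and the BCP38 mitigation, as an added simulation that is not CISPA's or any vendor's code: two toy UDP-style services that answer any unparseable datagram with an error text, a single trigger datagram whose source address is forged, a hardened handler that stays silent on malformed input, and an ingress filter that drops the forged trigger. Real spoofing needs raw sockets, so datagrams are modelled in memory. The addresses are RFC 5737 documentation ranges; the service ports, message formats and the 1000-datagram cap are assumptions for the demo.

```python
"""Simulated Loop DoS between two UDP-style services.

Constructed example, not CISPA's or any vendor's code. Real spoofing needs
raw sockets, so this models datagrams in memory: the attacker writes any
source address into the header, and each service replies to that address.
"""
from dataclasses import dataclass
import ipaddress

# RFC 5737 documentation addresses; service ports are assumptions for the demo.
SERVER_A = ("192.0.2.10", 7)
SERVER_B = ("198.51.100.20", 7)
ATTACKER_NET = "203.0.113.0/24"   # prefix the attacker's uplink is allocated


@dataclass(frozen=True)
class Datagram:
    src: tuple        # (ip, port) as written in the header; unauthenticated
    dst: tuple
    payload: bytes


def vulnerable_handler(dg):
    """Toy request/response service: valid requests start with b'Q ' and
    get b'R ...'. Anything else is answered with an error text sent to the
    claimed source. That error text is itself not a valid request, which is
    exactly the property Loop DoS exploits."""
    if dg.payload.startswith(b"Q "):
        return Datagram(dg.dst, dg.src, b"R " + dg.payload[2:])
    return Datagram(dg.dst, dg.src, b"ERR unparseable: " + dg.payload[:16])


def hardened_handler(dg):
    """Same service, but malformed input is dropped silently. With no error
    reply there is nothing for the peer to answer, so no loop can form."""
    if dg.payload.startswith(b"Q "):
        return Datagram(dg.dst, dg.src, b"R " + dg.payload[2:])
    return None


def bcp38_filter(customer_prefix):
    """BCP38-style ingress filter at the attacker's upstream router: forward
    a datagram only if its source address lies inside the prefix assigned to
    that link. A packet claiming to be SERVER_A cannot enter from 203.0.113.0/24."""
    prefix = ipaddress.ip_network(customer_prefix)

    def allow(dg):
        return ipaddress.ip_address(dg.src[0]) in prefix
    return allow


def run_loop(services, first, max_steps=1000, ingress=None):
    """Deliver `first` to its destination, then keep delivering each reply to
    the service it is addressed to. Stops when a service stays silent, a
    reply goes to a non-service address, or max_steps datagrams have been
    delivered. Returns (datagrams delivered, still looping at the cap)."""
    if ingress is not None and not ingress(first):
        return 0, False          # spoofed trigger dropped at the network edge
    current, delivered = first, 0
    while current is not None and delivered < max_steps:
        handler = services.get(current.dst)
        if handler is None:
            break                # addressed to a real client, not a service
        delivered += 1
        current = handler(current)
    return delivered, delivered >= max_steps


def demo(handler, ingress=None):
    """One forged datagram, apparently from SERVER_A, sent to SERVER_B."""
    services = {SERVER_A: handler, SERVER_B: handler}
    spoofed = Datagram(src=SERVER_A, dst=SERVER_B, payload=b"garbage")
    return run_loop(services, spoofed, ingress=ingress)


if __name__ == "__main__":
    print("vulnerable pair:", demo(vulnerable_handler))          # (1000, True)
    print("hardened pair:  ", demo(hardened_handler))            # (1, False)
    print("BCP38 at edge:  ", demo(vulnerable_handler,
                                   ingress=bcp38_filter(ATTACKER_NET)))  # (0, False)
```

    The vulnerable pair only stops because of the simulation's cap; the real loop runs until one host drops or stops answering. The two mitigations work at different layers: the hardened handler is a protocol-level fix (never answer malformed input with something the peer will treat as malformed input), while the ingress filter is the network-level control the article names, and it still lets a legitimate query from an address inside the customer prefix through.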
