Researchers from the CISPA Helmholtz Center for Information Security in Germany have uncovered a novel denial-of-service (DoS) attack vector affecting numerous UDP-based application protocols and a substantial number of internet-facing systems. This discovery reveals a self-perpetuating loop DoS attack that exploits IP spoofing to trigger two servers into an endless exchange of messages, ultimately overwhelming targeted systems or networks with traffic. The attack’s sophistication lies in its ability to manipulate application-layer messages between network services, creating an indefinite response loop that renders the involved systems or networks inaccessible.
Moreover, this newly identified attack method poses serious risks beyond mere service disruption, as it can destabilize targeted services, cause network outages, and potentially amplify DoS or DDoS attacks. The affected protocols include widely used ones such as NTP, DNS, and TFTP, along with legacy protocols like Echo, Chargen, and QOTD, with the potential for additional protocols to be impacted. The researchers estimate that approximately 300,000 internet hosts are susceptible to this attack, with vulnerable systems including those using outdated versions of ntpd vulnerable to CVE-2009-3563.
While there is currently no evidence of malicious exploitation, the ease of exploiting this vulnerability underscores the urgent need for mitigation measures. The researchers have assigned new CVE identifiers to the vulnerabilities involved, and impacted vendors, including Broadcom, Honeywell, Microsoft, and MikroTik, have been notified. However, patching all affected servers simultaneously presents logistical challenges, leaving many vulnerable systems susceptible to abuse. As a reactive measure, defenders are advised to disrupt the DoS loop during an attack by inducing packet loss, effectively downgrading the attack to amplification attacks and mitigating its impact.
