Application-Layer Loop DoS Attack Affects 300,000 Online Systems

Researchers identified a new DoS attack targeting application-layer protocols using UDP.

The “Application-layer Loop DoS Attack” exploits vulnerabilities in both legacy (QOTD, Chargen, Echo) and contemporary (DNS, NTP, TFT.) protocols, affecting an estimated 300,000 internet hosts. 

Unlike previous loop attacks targeting the routing layer, it operates at the application layer, enabling infinite loops between two tricked servers. 

The attacker initiates the loop by spoofing the IP address of one server in communication with another, causing them to endlessly exchange messages and consume resources, leading to denial-of-service for the targeted systems. Once triggered, even the attacker cannot terminate the loop. 

CISPA has identified a new class of application-layer DoS attacks exploiting vulnerabilities in popular protocols, whereas Yepeng Pan and Dr.

Christian Rossow confirmed the vulnerabilities in widely used protocols like TFTP (file transfer), DNS (domain name resolution), and NTP (time synchronization). 

The attack utilizes IP spoofing to trick two vulnerable UDP-based services into an infinite loop of sending messages to each other, which consumes resources and cripples affected systems. 

Six legacy protocols, including Daytime, Time, Active Users, Echo, Chargen, and QOTD, are also susceptible, potentially impacting a significant portion of internet-connected devices (estimated at 300,000).

A novel application-layer DoS attack that exploits vulnerabilities in UDP-based protocols leverages IP spoofing to trick two servers into initiating an infinite loop of communication. 

Example scenario of IP address spoofing

A single spoofed message can trigger the loop; for example, an attacker could spoof an error message between two TFTP servers, causing them to send endless error messages back and forth. 

The attack bypasses traditional mitigation techniques like packet lifetime checks because it operates at the application layer rather than the network layer, which makes the attack particularly dangerous as it can consume resources on the targeted servers and overwhelm network links. 

They discovered a crucial flaw that attackers could exploit and responsibly disclosed the flaw to affected vendors and a trusted operator community in December 2023. 

To prevent potential exploitation, CISPA collaborated with the Shadowserver Foundation to develop a comprehensive attack-specific advisory. 

The advisory would detail the technical aspects of the vulnerability and potential mitigation strategy, and they also initiated a coordinated notification campaign to ensure relevant parties were informed and could take the necessary actions to secure their systems. 

Also Read: North Korea’s Kimsuky group Equiped to Exploit Windows Help files

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here