Some 300,000 IPs vulnerable to this Loop DoS attack

Easy to exploit, not yet exploited, not widely patched – pick three

As many as 300,000 servers or devices on the public internet are thought to be vulnerable right now to the recently disclosed Loop Denial-of-Service technique that works against some UDP-based application-level services.

It's said that certain implementations of TFTP, DNS, and NTP, as well as legacy protocols, such as Echo, Chargen, and QOTD, are at risk. Exploitation may result in services going down, if not whole machines or networks. Judging from DNS, NTP, and TFTP scans, the largest number of public-facing potentially vulnerable systems are in China, Russia, and America, followed by Iran, South Korea, Italy, France, Canada, and Brazil.

The method of attack was disclosed earlier this week by researchers Christian Rossow and Yepeng (Eric) Pan at the CISPA Helmholtz Center for Information Security in Germany.

It's pretty trivial: the attacker sends an error message to, let's say, vulnerable server A with a spoofed source IP address, so that server A's error reply lands on vulnerable server B, which answers A with an error of its own, which A answers, which B answers, over and over again in an infinite loop.

All you have to do is fire off enough messages at server A so that the ensuing storm of UDP packets between A and B consumes the machines' resources and causes them to stop responding to legit requests. For all normal users, the servers will appear to be unavailable.

"For example, imagine two services that respond with an error message when receiving an error message as input," as Rossow and Pan put it in their write-up this week. "If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely."
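To make that mechanism concrete, here is an added in-memory model of two toy UDP services, written for this page rather than taken from the researchers' write-up or from the discovery tool the article links to. It follows the chain of replies after a single spoofed trigger datagram and counts how many packets the two services exchange. The same model shows two defensive behaviours, assumed here as illustrative mitigations rather than quoted from the page: a service that never answers an error message with another error, and a service that drops datagrams whose source port belongs to another server (genuine clients use ephemeral ports). Port numbers for Echo and Chargen are the real well-known ones; everything else (the message formats, the names `make_service` and `run_exchange`) is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Well-known UDP ports for two of the legacy services the article names.
ECHO_PORT, CHARGEN_PORT = 7, 19
ERROR = b"ERROR: unrecognised request"   # constructed error payload


@dataclass(frozen=True)
class Datagram:
    src_port: int
    dst_port: int
    payload: bytes


Handler = Callable[[Datagram], Optional[Datagram]]


def make_service(port: int, *, ignore_errors: bool = False,
                 service_ports: frozenset = frozenset()) -> Handler:
    """Build a toy UDP service (hypothetical helper).

    With both keyword options off it behaves like the vulnerable
    implementations: anything it does not understand, including an error
    message, is answered with an error. `ignore_errors` stops it replying to
    error messages; `service_ports` makes it drop datagrams whose source port
    belongs to another server instead of to a client on an ephemeral port."""
    def handle(pkt: Datagram) -> Optional[Datagram]:
        if pkt.src_port in service_ports:
            return None                       # peer is a server, not a client: drop
        if ignore_errors and pkt.payload.startswith(b"ERROR"):
            return None                       # never answer an error with an error
        if pkt.payload == b"HELLO":
            return Datagram(port, pkt.src_port, b"OK")
        return Datagram(port, pkt.src_port, ERROR)
    return handle


def run_exchange(services: dict, first: Datagram, budget: int = 1000) -> int:
    """Deliver `first`, then follow the chain of replies until some party
    stays silent or `budget` replies have been sent. Returns the number of
    replies; reaching the budget means the exchange never ends on its own."""
    replies = 0
    pkt: Optional[Datagram] = first
    while pkt is not None and replies < budget:
        handler = services.get(pkt.dst_port)  # client ports have no handler
        if handler is None:
            break
        pkt = handler(pkt)
        if pkt is not None:
            replies += 1
    return replies


# Constructed trigger: one datagram whose source port is spoofed to be
# service B's port, so that A's error reply is delivered to B. Only this one
# packet is injected; everything after it is the two services talking.
TRIGGER = Datagram(src_port=CHARGEN_PORT, dst_port=ECHO_PORT, payload=b"??")
KNOWN = frozenset({ECHO_PORT, CHARGEN_PORT})


def vulnerable_pair() -> int:
    services = {ECHO_PORT: make_service(ECHO_PORT),
                CHARGEN_PORT: make_service(CHARGEN_PORT)}
    return run_exchange(services, TRIGGER)


def error_suppressing_pair() -> int:
    services = {ECHO_PORT: make_service(ECHO_PORT, ignore_errors=True),
                CHARGEN_PORT: make_service(CHARGEN_PORT, ignore_errors=True)}
    return run_exchange(services, TRIGGER)


def port_filtering_pair() -> int:
    services = {ECHO_PORT: make_service(ECHO_PORT, service_ports=KNOWN),
                CHARGEN_PORT: make_service(CHARGEN_PORT, service_ports=KNOWN)}
    return run_exchange(services, TRIGGER)


def legitimate_client() -> int:
    """A hardened service still answers a normal client on an ephemeral port."""
    services = {ECHO_PORT: make_service(ECHO_PORT, ignore_errors=True,
                                        service_ports=KNOWN)}
    return run_exchange(services, Datagram(54321, ECHO_PORT, b"HELLO"))


if __name__ == "__main__":
    print("vulnerable pair:", vulnerable_pair())         # 1000: budget exhausted
    print("ignore errors:", error_suppressing_pair())    # 1
    print("drop service ports:", port_filtering_pair())  # 0
    print("legitimate client:", legitimate_client())     # 1
```

The vulnerable pair runs until the budget is exhausted, which is the loop the article describes: after the single trigger, no further attacker traffic is involved. Either defensive behaviour on its own bounds the exchange, and the port filter stops it before a single reply is sent, while a real client on an ephemeral port is still served. In production the equivalent controls are patched service implementations, ingress filtering against source-address spoofing, and rate limiting of error responses.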

The method benefits miscreants in various ways: they don't need to send continuous waves of traffic to render services unavailable, and once the loop has begun there's no stopping it until the targeted machines, or someone in between, break it off.

This sort of application-layer loop has been a known problem as far back as 1996, the CISPA duo noted.

"As far as we know, this kind of attack has not yet been carried out in the field. It would, however, be easy for attackers to exploit this vulnerability if no action were taken to mitigate the risk," Rossow added, since "the bar to do so is not so high."

The researchers said they contacted the makers of at-risk implementations and a "trusted operator community" in December to disclose their findings and hopefully get patches pushed out and deployed. Altogether they worked on plans to share details of the attack this week and begin a notification campaign in collaboration with the nonprofit Shadowserver Foundation.

Gear and software from Arris, Broadcom, Microsoft, Honeywell (CVE-2024-1309), Brother, and MikroTik are said to be among those vulnerable to Loop DoS. In addition, products that have gone out of support from Cisco, TP-Link, and Zyxel are understood to be at risk.

Some products from D-Link and PLANET Technology are also believed to be vulnerable but neither vendor has confirmed anything officially. Look out for updates to network-based services to patch this problem. There's also code here for discovering potentially at-risk services in your IT environment. ®
