A new ‘Loop DoS’ attack targets application layer protocols via UDP vulnerability, creating indefinite communication loops and affecting 300,000 hosts.
Researchers at the CISPA Helmholtz Center for Information Security have discovered a novel way to launch denial-of-service (DoS) attacks, this time targeting application-layer protocols. This new technique, dubbed “Loop DoS,” exploits vulnerabilities in how these protocols handle messages to create a self-perpetuating loop.
Traditionally, DoS attacks focus on overwhelming a system with a massive influx of traffic, making it difficult or impossible for legitimate users to access resources. The Loop DoS attack takes a different approach. It leverages the way application-layer protocols, which rely on the User Datagram Protocol (UDP) for communication, handle messages.
Unlike TCP, UDP is a connectionless protocol, meaning it doesn’t establish a connection between sender and receiver before transmitting data. This makes UDP faster and more efficient, but it also means the receiver has no handshake with which to verify that a datagram really came from the address it claims.
Attackers exploit this lack of verification inherent to UDP by forging IP addresses in messages. In a Loop DoS attack, the attacker sends a crafted message to a vulnerable server spoofing the IP address of a different victim server.
The targeted server, tricked into believing the message originated from another legitimate server, responds accordingly. The attacker intercepts this response and again spoofs the victim’s IP address, creating a loop where the servers continuously send messages to each other. This rapid back-and-forth exchange overwhelms both servers, denying service to legitimate users.
The researchers at CISPA warn that the Loop DoS attack poses a significant threat as it can impact a wide range of commonly used application-layer protocols, including DNS, NTP, TFTP, and even legacy protocols like Echo and Chargen.
Their analysis indicates hundreds of thousands of internet-facing systems could be vulnerable. In fact, according to CISPA’s report, it has the potential to impact around 300,000 hosts and their associated networks.
The good news is that the researchers haven’t observed widespread exploitation of this vulnerability yet. However, it shows how cybersecurity threats are evolving and cybercriminals are getting more sophisticated at what they do.
For insights, we reached out to Jason Kent, Hacker In Residence (HIR) at Cequence Security, who stated: “Denial of Service attacks are almost always resource consumption attacks. Some resource is left open, which can be system memory, IP addresses it hands out, CPU utilization, connections available, and really anything that, if consumed beyond limits, can crash the system.”
“Often when DoS is mentioned it is in the context of taking a web property offline through various means, but by consuming resources on the web architecture and causing failures. Often these are difficult to pull off because you have to have systems smart enough to gather an army of hosts that will call upon the victim web architecture all at once,” he said.
Jason further explained: “With this vulnerability, the call can be coming from inside the house. I can give Server A at an organization Server B’s address, and act like I am Server B. Server A will send Server B an error, and Server B in turn will send Server A an error, to infinity or until one of them dies. No having to plan or strategize how to get millions of hosts. You can have 2 hosts kill one another. Now imagine if I got Servers A, B, C, D….. to participate in this little game. It’s possible to cause cascading system failures that creep across environments, triggered from the outside. It’s nasty.”
“The good news is, blocking UDP-type protocols and moving to TCP-based communication with authentication and monitoring can break this vulnerability, but if you cannot move from the UDP-based systems you are on today, you may want to limit host-to-host communication in internal firewalls and networking gear,” Jason advised.
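A toy model of the two-server exchange described above and in Jason Kent’s Server A/Server B account, added here as an illustration (it is not CISPA’s or Cequence’s code): two in-memory services pass datagrams through a queue, the naive one answers anything it cannot parse with an error while the hardened one drops it. The `Datagram` type, the service names and the `simulate` function are assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Datagram:
    src: str      # claimed source address; UDP gives the receiver no way to verify it
    dst: str
    payload: str


Service = Callable[[Datagram], Optional[Datagram]]


def naive_service(name: str) -> Service:
    """Loop-prone behaviour: every unparseable datagram is answered with an error."""
    def handle(dg: Datagram) -> Optional[Datagram]:
        if dg.payload == "REQUEST":
            return Datagram(src=name, dst=dg.src, payload="RESPONSE")
        return Datagram(src=name, dst=dg.src, payload="ERROR")  # error begets error
    return handle


def hardened_service(name: str) -> Service:
    """Safe behaviour: errors and garbage are dropped, so the peer has nothing to react to."""
    def handle(dg: Datagram) -> Optional[Datagram]:
        if dg.payload == "REQUEST":
            return Datagram(src=name, dst=dg.src, payload="RESPONSE")
        return None
    return handle


def simulate(services: Dict[str, Service], first: Datagram, max_steps: int = 1000) -> int:
    """Deliver datagrams until the queue drains or max_steps is reached; return the count sent."""
    queue, sent = deque([first]), 0
    while queue and sent < max_steps:
        dg = queue.popleft()
        sent += 1
        svc = services.get(dg.dst)              # hosts outside the model just absorb traffic
        reply = svc(dg) if svc is not None else None
        if reply is not None:
            queue.append(reply)
    return sent


# Constructed trigger: one unparseable datagram to A whose source is forged as B.
SPOOFED = Datagram(src="B", dst="A", payload="GARBAGE")


def loop_length(hardened: bool) -> int:
    """Datagrams exchanged between A and B after the single forged datagram."""
    factory = hardened_service if hardened else naive_service
    return simulate({"A": factory("A"), "B": factory("B")}, SPOOFED)
```

With the naive services the count only stops at `max_steps`, which is the indefinite loop; with the hardened services the forged datagram is the only one ever sent, while a genuine REQUEST from a client is still answered.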
In line with this advice, system administrators and IT security professionals are urged to mitigate the threat by blocking UDP-type protocols and moving to TCP-based communication with authentication and monitoring. Additionally, staying informed about the latest threats and implementing proper security measures are crucial for safeguarding systems from emerging DoS attacks like Loop DoS.