Researchers have discovered a new type of self-perpetuating denial of service (DoS) attack that targets application-layer messages, could put an estimated 300,000 Internet hosts at risk, and may be difficult to stop once underway.
The attack, dubbed “loop DoS”, was identified by researcher Yepeng Pan and Professor Christian Rossow of the CISPA Helmholtz Center for Information Security. It works by pairing two network services “in such a way that they continue to respond to each other’s messages ad infinitum,” creating an endless response loop, according to a post on the CISPA website describing the attack.
This dynamic generates large volumes of traffic, causing a DoS for the systems and networks involved. Once the loop is in motion, the researchers say, even the attacker cannot stop it, and a single host capable of sending IP-spoofed packets is enough to trigger one.
The attack exploits a newly identified traffic-loop vulnerability in certain User Datagram Protocol (UDP)-based applications, according to a post from Carnegie Mellon University’s CERT Coordination Center. An unauthenticated attacker can use maliciously crafted packets against vulnerable UDP-based implementations of application protocols such as DNS, NTP, and TFTP, leading to DoS and abuse of resources.
Beyond these, the researchers also found the flaw in legacy protocols such as Daytime, Time, Active Users, Echo, Chargen, and QOTD, which the CISPA post says are all “widely used to provide basic functionality on the Internet.”
Loop DoS is a “nasty” type of cyber attack
The researchers consider the attack comparable to an amplification attack in the volume of traffic it can generate, but note two key differences. First, the attacker does not need to keep sending attack traffic: the looping behaviour sustains the attack on its own until a defender breaks the loop and ends its self-repeating nature. Second, without proper protection, the resulting DoS can go on for a long time.
DoS attacks that consume resources in a web architecture are certainly a common problem, but until now it has been very difficult to take web properties completely offline with this type of attack, which would need to hit “the victim’s web architecture all at once,” explains Jason Kent, resident hacker at Cequence Security.
Loop DoS is a game changer because the calls can originate from within the architecture itself and then multiply exponentially, he explained.
“You can give Server A the address of Server B in your organization and pretend you’re Server B,” says Kent. “Server A sends errors to Server B, and Server B sends errors to Server A indefinitely or until one of them stops.”
This eliminates the need for attackers to plan and strategize how to obtain millions of hosts, and could cause cascading system failures that are externally triggered and creep throughout the environment, Kent says, describing loop DoS attacks as “a nuisance.”
Four DoS attack scenarios
The researchers describe four attack scenarios to show how a loop DoS attack works. In the simplest, the attacker overloads a vulnerable server itself by creating many loops between it and other “loop” servers, concentrating the traffic on that single target and exhausting the host’s bandwidth or computational resources. Defenders can stop this attack by patching the loop servers so they no longer follow loop patterns.
In the second scenario, the attacker targets the backbone of a network that contains a large number of loop hosts and pairs those hosts with each other, creating thousands to millions of loops inside the target network. To prevent such attacks from being started by external hosts, the researchers say, networks can deploy filtering of IP-spoofed traffic.
In the third, the attacker pairs loop servers so that the loop traffic congests individual Internet links. “In the simplest case, this could be the uplink of the target network,” the researchers wrote, adding that it could be any Internet link that the loop pair’s traffic crosses.
“To this end, the attacker combines inner loop hosts with outer loop hosts. This stresses the target network’s Internet uplink with loop traffic,” the researchers explained.
The fourth scenario is rarer but the most “catastrophic type”: a looping server that sends back multiple responses instead of a single one, which allows the creation of “a self-amplifying loop that not only continues forever, but also intensifies.” “The problem lies in the loop frequency,” the researchers wrote, adding that the attack would continue even if the defender experienced packet loss, unless all network traffic were dropped.
Loop DoS attack mitigation and prevention
Beyond the mitigations outlined for the individual scenarios, there are other ways to mitigate or stop such attacks once they have started. That is good news given the sheer number of vulnerable hosts, because it “doesn’t seem practical to fix them all at once,” the researchers acknowledged.
Blocking UDP and moving to TCP-based communication with authentication and monitoring can reduce vulnerability to loop DoS attacks, Kent says. However, if this is not possible, he added, system administrators “may wish to restrict host-to-host communication on internal firewalls or network equipment.”
Other mitigations suggested by the researchers include updating or shutting down services vulnerable to loop DoS; restricting service access to clients using ephemeral source ports, so that traffic arriving from another service’s well-known port is never answered; and identifying vulnerable software or products in the network and notifying the vendors of the potential for exploitation.
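As an added illustration (this is example code written for this article, not code from the CISPA researchers, CERT/CC, or Cequence), the following Python simulation models the loop Kent describes above, the first and fourth attack scenarios, and the ephemeral-source-port mitigation from the list above. The two hypothetical services, their hosts, ports, payloads and error-reply behaviour are constructed for the example; the “ephemeral port” rule is simplified to ports 1024 and above.

```python
"""Simulation of a loop DoS between two UDP services (added example).

Hosts, ports, payloads and the error-reply behaviour are constructed for
illustration; they are not taken from any real implementation.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple          # (host, port) the packet claims to come from
    dst: tuple          # (host, port) it is delivered to
    payload: bytes


class LoopService:
    """Hypothetical UDP service that answers every unrecognised message
    with an error message sent back to the packet's source address.

    Answering errors with errors is what makes a service loop-capable:
    two such services keep replying to each other forever. fanout > 1
    models the fourth scenario, where one input produces several
    responses, so the loop amplifies itself.
    """

    def __init__(self, host, port, fanout=1):
        self.addr = (host, port)
        self.fanout = fanout
        self.received = 0   # packets this service had to process

    def handle(self, pkt):
        self.received += 1
        err = b"ERR: unexpected message " + pkt.payload[:16]
        return [Packet(self.addr, pkt.src, err) for _ in range(self.fanout)]


def ephemeral_only(pkt):
    """Mitigation: accept only traffic whose source port is ephemeral.

    Simplified here to 'port >= 1024' (assumption); a real rule would use
    the OS ephemeral range. A reply addressed from another service's
    well-known port is then never accepted, so a service-to-service loop
    cannot form.
    """
    return pkt.src[1] >= 1024


def simulate(services, initial, max_packets=1000, accept=lambda p: True):
    """Deliver packets in FIFO order until the network is quiet or the
    delivery budget is spent. Returns (packets_delivered, still_in_flight).
    A non-empty queue when the budget runs out means the traffic never
    died down on its own."""
    by_addr = {s.addr: s for s in services}
    queue = deque(initial)
    delivered = 0
    while queue and delivered < max_packets:
        pkt = queue.popleft()
        delivered += 1
        svc = by_addr.get(pkt.dst)
        if svc is None or not accept(pkt):
            continue                      # no such host, or dropped by filter
        queue.extend(svc.handle(pkt))     # the reply (or replies) go back out
    return delivered, len(queue)


def run_attack(fanout=1, filtered=False, budget=1000):
    """One attacker packet, spoofed to look like it came from B, sent to A.
    Returns (delivered, in_flight, a.received, b.received)."""
    a = LoopService("10.0.0.1", 19, fanout)   # chargen-like service (constructed)
    b = LoopService("10.0.0.2", 7, fanout)    # echo-like service (constructed)
    spoofed = Packet(src=b.addr, dst=a.addr, payload=b"trigger")
    accept = ephemeral_only if filtered else (lambda p: True)
    delivered, in_flight = simulate([a, b], [spoofed], budget, accept)
    return delivered, in_flight, a.received, b.received


if __name__ == "__main__":
    print("plain loop      ", run_attack())                 # budget exhausted, 1 still in flight
    print("ephemeral filter", run_attack(filtered=True))    # spoofed packet dropped, loop never starts
    print("self-amplifying ", run_attack(fanout=2))         # in-flight packets keep growing
```

In the unfiltered run the single spoofed packet keeps the two services exchanging errors until the delivery budget is exhausted, with one packet always in flight; with fanout of two the backlog grows by one packet per delivery, which is the intensifying loop of the fourth scenario. With the ephemeral-port filter in place the spoofed packet, whose claimed source is service port 7, is dropped on arrival and neither service ever sends a reply.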