A newly discovered type of self-perpetuating denial-of-service (DoS) attack targeting application-layer messages has the potential to compromise 300,000 Internet hosts and can be difficult to stop once it's set in motion, researchers have found.
Researchers Yepeng Pan and professor Christian Rossow at the CISPA Helmholtz-Center for Information Security discovered the attack, dubbed "loop DoS." It creates a type of infinite loop of responses by pairing two network services "in such a way that they keep responding to one another’s messages indefinitely," according to a post on the CISPA website describing the attack.
This dynamic creates large volumes of traffic, resulting in DoS for any system or network involved. Moreover, once the loop is set in motion, even the attackers are unable to stop the attack, which can be triggered from just a single spoofing-capable host, the researchers said.
The attack exploits a novel traffic-loop vulnerability present in certain user datagram protocol (UDP)-based applications, according to a vulnerability note from Carnegie Mellon University's CERT Coordination Center. An unauthenticated attacker can send a single maliciously crafted packet, with its source address spoofed to look like another vulnerable server, to a vulnerable UDP-based implementation of application protocols such as DNS, NTP, and TFTP, leading to DoS and/or abuse of resources.
In addition to those programs, the researchers also found the flaw in legacy protocols like Daytime, Time, Active Users, Echo, Chargen, and QOTD — all of which "are widely used to provide basic functionalities on the Internet," according to the CISPA post.
Loop DoS Is a "Nasty" Type of Cyberattack
The researchers put the attack on par with amplification attacks in the volumes of traffic it can cause, with two major differences. One is that, because the loop sustains itself, attackers do not have to keep sending attack traffic; only a defense that breaks the loop ends it. The other is that, absent such a defense, the DoS attack is likely to continue for a long time.
Indeed, DoS attacks are almost always about resource consumption in Web architecture, but until now it's been extremely tricky to use this type of attack to take a Web property completely offline because "you have to have systems smart enough to gather an army of hosts that will call upon the victim web architecture all at once," explains Jason Kent, hacker in residence at Cequence Security.
A loop DoS attack changes the game considerably because the call can be coming from inside the architecture itself and then grow exponentially, he explained.
"I can give Server A at an organization Server B's address and act like I am Server B," Kent says. "Server A will send Server B an error, and Server B in turn will send Server A an error, to infinity or until one of them dies."
This removes the need for an attacker to plan or strategize how to get millions of hosts, and can potentially "cause cascading system failures that creep across environments, triggered from the outside," he says, deeming the loop DoS attack "nasty."
Four DoS Attack Scenarios
The researchers provided four types of attack scenario to demonstrate how a loop DoS attack might work. In the simplest scenario, an attacker overloads a vulnerable server itself, creating many loops between it and other "loop" servers so that the traffic converges on a single target. This exhausts either the host's bandwidth or its computational resources, they said. A defender can stop this attack by patching the loop server so that it no longer responds in a loop pattern.
In a second scenario, attackers target network backbones that contain many loop hosts, pairing these hosts with each other to create thousands to millions of loops within the target network. To protect against such attacks from external hosts, networks can filter IP-spoofed traffic at their borders (ingress filtering), since the trigger packet must carry a forged source address, the researchers said.
A third attack is one in which attackers pair loop servers in such a way to congest individual Internet links. "In the simplest case, this could be a target network’s uplink," the researchers wrote, adding that this can be conducted on any Internet link that loop pairs cross.
"To this end, attackers pair internal loop hosts with external ones, which puts stress on the target network’s Internet uplink due to the loop traffic," the researchers explained.
The fourth scenario, which the researchers call rare but also the most "devastating type," involves loop servers that send back not a single response but multiple responses per input, allowing for the creation of "self-amplifying loops that not only continue forever, but also intensify in their loop frequency," the researchers wrote. Because every dropped packet is offset by the extra responses, this attack continues even when packet loss occurs, unless defenses drop all network traffic, they added.
Mitigation and Defense for Loop DoS Attacks
In addition to the specific mitigations already outlined for the different loop DoS attack scenarios, there are other ways to mitigate or stop such an attack once it's in motion — which is good news for the myriad vulnerable host servers, since fixing them "all at once seems not to be practical," the researchers acknowledged.
Blocking UDP and moving to TCP-based communication with authentication and monitoring can mitigate a vulnerability to a loop DoS attack, Kent says. However, if this is not an option, system administrators "may want to limit host-to-host communication in internal firewalls and networking gear," he adds.
Other mitigations suggested by the researchers include: updating or shutting down services vulnerable to a loop DoS attack; restricting access to services to clients whose source port is an ephemeral (client-side) port, so that a datagram whose source port is itself a well-known service port, as a loop packet's always is, can be dropped; and identifying the vulnerable software or product in the network and informing the product's vendor of the potential for exploit.
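The following Python model is an added example, not the researchers' code and not an implementation of any real protocol; hosts, ports and payloads are constructed. It plays out the loop mechanics from the scenarios above (a single spoofed trigger packet, the plain loop, and the self-amplifying variant) and then the two mitigations just described: patching the server so that an error is never answered with an error, and dropping datagrams whose UDP source port is a service port rather than an ephemeral client port. The two hypothetical servers both speak a TFTP-like service on UDP/69 and answer anything they do not understand with an error, which is the behaviour that makes a pair loop.

```python
"""Round-based model of a UDP traffic loop between two services (added example).

Not the researchers' code and not a real protocol implementation; hosts, ports
and payloads are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    payload: bytes


class LoopService:
    """Model of a UDP service that answers every datagram it does not understand,
    including another service's error, with an error of its own.

    responses > 1 models the self-amplifying case (several replies per input).
    patched=True models a fixed server that never answers an error message.
    """

    def __init__(self, host, port, responses=1, patched=False):
        self.addr = (host, port)
        self.responses = responses
        self.patched = patched

    def handle(self, dgram):
        if self.patched and dgram.payload.startswith(b"ERROR"):
            return []  # the host-side fix: an error is never itself answered
        host, port = self.addr
        return [Datagram(host, port, dgram.src_host, dgram.src_port,
                         b"ERROR: malformed request")
                for _ in range(self.responses)]


def allow_all(dgram):
    return True


def ephemeral_source_only(service_ports, low=1024):
    """Network-side mitigation: drop datagrams whose UDP source port is a known
    service port. Real clients use ephemeral source ports and pass unharmed."""
    def policy(dgram):
        return dgram.src_port >= low and dgram.src_port not in service_ports
    return policy


def simulate(services, trigger, policy=allow_all, rounds=10):
    """Deliver datagrams in rounds and return how many were delivered per round.
    Each round, the responses from the previous round become the new traffic."""
    by_addr = {s.addr: s for s in services}
    in_flight = [trigger]
    per_round = []
    for _ in range(rounds):
        delivered = [d for d in in_flight
                     if (d.dst_host, d.dst_port) in by_addr and policy(d)]
        per_round.append(len(delivered))
        in_flight = [r for d in delivered
                     for r in by_addr[(d.dst_host, d.dst_port)].handle(d)]
        if not in_flight:
            break
    return per_round


def loop_survives(per_round, rounds):
    """True if traffic was still flowing when the round budget ran out."""
    return len(per_round) == rounds and per_round[-1] > 0


# Constructed scenario: two hypothetical TFTP-like services on UDP/69.
A = ("10.0.0.1", 69)
B = ("10.0.0.2", 69)
SERVICE_PORTS = {69}


def spoofed_trigger():
    # The single packet a spoofing-capable attacker needs: source forged as B,
    # sent to A. Neither server ever sees the attacker's real address.
    return Datagram(B[0], B[1], A[0], A[1], b"garbage")


def run_all():
    results = {}
    # 1. Unpatched pair, no filtering: one datagram per round, forever.
    results["loop"] = simulate([LoopService(*A), LoopService(*B)], spoofed_trigger())
    # 2. Self-amplifying pair (two replies per input): traffic doubles each round.
    results["amplified"] = simulate([LoopService(*A, responses=2),
                                     LoopService(*B, responses=2)], spoofed_trigger())
    # 3. Host-side fix: patching only A is enough to break this pair.
    results["patched"] = simulate([LoopService(*A, patched=True), LoopService(*B)],
                                  spoofed_trigger())
    # 4. Network-side fix: the forged packet carries source port 69 and is dropped.
    results["filtered"] = simulate([LoopService(*A), LoopService(*B)],
                                   spoofed_trigger(),
                                   policy=ephemeral_source_only(SERVICE_PORTS))
    # 5. Same filter: a legitimate client on an ephemeral port is still served.
    client = Datagram("198.51.100.7", 40000, A[0], A[1], b"garbage")
    results["client"] = simulate([LoopService(*A), LoopService(*B)], client,
                                 policy=ephemeral_source_only(SERVICE_PORTS))
    return results


if __name__ == "__main__":
    for name, per_round in run_all().items():
        print(f"{name:10s} delivered per round: {per_round}  "
              f"alive after 10 rounds: {loop_survives(per_round, 10)}")
```

Run it directly to see the five cases side by side. The plain loop delivers one datagram every round for as long as the simulation is allowed to run, the amplified pair doubles its traffic each round, patching a single server ends the exchange after a couple of rounds, and the source-port filter discards the forged trigger before any service handles it while still passing the ordinary client. The filter works because a looped datagram always carries a service port as its source, which is also why the researchers recommend it as a network-side stopgap when the vulnerable hosts cannot all be fixed at once.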