300,000 Internet hosts at risk of ‘destructive’ recurring DoS attacks

A newly discovered self-perpetuating denial of service (DoS) attack targeting application layer messages has the potential to compromise 300,000 Internet hosts and is difficult to stop once launched, researchers have found.

Researcher Yepeng Pan and Professor Christian Rossow from the CISPA Helmholtz Center for Information Security discovered the attack, which they call “cyclic DoS”. According to a report describing the attack, posted on the CISPA website, it creates an infinite response loop by pairing two network services “in a manner that responds to each other’s messages indefinitely.”

This dynamic can generate large amounts of traffic, resulting in a DoS attack on any system or network involved. Furthermore, the researchers say that once the loop is initiated, not even the attacker can stop it, and triggering it requires only a single host capable of sending spoofed packets.

According to a post from Carnegie Mellon University’s CERT Coordination Center, the attack exploits a new traffic loop vulnerability that exists in certain User Datagram Protocol (UDP)-based applications. An unauthenticated attacker can use maliciously crafted packets against vulnerable UDP-based implementations of various application protocols, such as DNS, NTP, and TFTP, leading to DoS and/or resource abuse.

In addition to these programs, the researchers also found flaws in legacy protocols such as Daytime, Time, Active Users, Echo, Chargen and QOTD, all of which, according to the CISPA post, “are widely used to provide basic functionality on the Internet.”

Loop DoS is a “nasty” cyber attack

The researchers believe this attack is comparable to an amplification attack in terms of the amount of traffic it can cause, but there are two main differences. One is that, because of the looping behavior, the attacker does not have to keep sending attack traffic; the attack repeats itself unless defenses terminate the loop. The other is that without proper defenses, the DoS attack can persist for some time.

Indeed, denial of service attacks almost always relate to resource consumption in the web architecture, but until now, taking a web property completely offline using this type of attack has been very tricky because “you have to have a system smart enough to collect a large number of hosts that will make calls to the victim’s network infrastructure simultaneously,” explained Cequence Security resident hacker Jason Kent.

A loop DoS attack changes the game dramatically, he explained, because the calls can come from within the architecture itself and then multiply exponentially.

“I can give Server A the address of Organization Server B and act like I’m Server B,” Kent said. “Server A will send an error to server B, which in turn will send an error to server A, until infinity or until one of them dies.”

He said this eliminates the need for attackers to plan or strategize to acquire millions of hosts and could “lead to cascading system failures across environments that are triggered from the outside,” calling looping DoS attacks “annoying.”

Four DoS attack scenarios

The researchers provided four attack scenarios to demonstrate how loop DoS attacks work. In the simplest case, an attacker overloads a vulnerable server itself, creating many loops between it and other “loop” servers to focus the attack on a single target server. They said this would exhaust the host’s bandwidth or computing resources. Defenders can stop this attack by patching the loop servers so that they escape the loop pattern.

In the second scenario, an attacker targets a network backbone that contains many looping hosts, pairing these hosts with each other to create thousands to millions of loops within the target network. To prevent such attacks from external hosts, networks can deploy filtering of IP-spoofed traffic, the researchers said.

A third attack involves an attacker pairing loop servers in a way that blocks individual Internet links. “In the simplest case, this could be the uplink of the target network,” the researchers wrote, adding that this could be done on any Internet link crossed by a loop pair.

“To do this, the attacker pairs an inner loop host with an outer loop host, which stresses the target network’s Internet uplinks due to loop traffic,” the researchers explained.

A fourth, rarer attack scenario, and the most “destructive type,” is one in which the looping server sends back not a single response but multiple responses, allowing the creation of a “self-amplifying loop that not only goes on forever, but will intensify in loop frequency,” the researchers wrote. This attack persists even if defenses cause packet loss, unless they drop all network traffic, they add.

Mitigation and defense against loop DoS attacks

In addition to the specific mitigations already outlined for the different loop DoS attack scenarios, there are other ways to mitigate or prevent such attacks after they occur, which is good news for the countless vulnerable hosts, because “it seems impractical to address all these issues at once,” the researchers admit.

Kent said blocking UDP and moving to TCP-based communication, along with authentication and monitoring, can mitigate the vulnerabilities exploited by loop DoS attacks. However, if that is not an option, system administrators “may want to restrict host-to-host communication in internal firewalls and network devices,” he added.

Other mitigation measures recommended by the researchers include: updating or shutting down services vulnerable to loop DoS attacks; restricting service access to clients using ephemeral (client) source ports; and identifying vulnerable software or products on the network and notifying the product vendors of the possibility of exploitation.
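The source-port restriction above is the one mitigation that a single service operator can apply without waiting for the peer to be patched. The following in-memory model, an added example that is not from the article or the researchers, pairs an Echo-style responder with an error-answering responder and shows that the loop runs until a step cap is hit, while a responder that drops datagrams arriving from a service port answers an ordinary client once and never enters the loop. The hosts, addresses and payloads are constructed; the port numbers are the IANA assignments of the protocols the article names.

```python
from __future__ import annotations
from dataclasses import dataclass

# IANA ports of loop-capable services named in the article:
# Echo, Daytime, QOTD, Chargen, Time, DNS, TFTP, NTP
SERVICE_PORTS = {7, 13, 17, 19, 37, 53, 69, 123}

@dataclass(frozen=True)
class Datagram:
    src: tuple[str, int]
    dst: tuple[str, int]
    payload: bytes

def echo_handler(payload: bytes) -> bytes:
    return payload                        # Echo answers with what it received

def error_handler(payload: bytes) -> bytes:
    return b"ERROR: malformed request"    # answers any unexpected input with an error

# Constructed hosts: two services that each answer every datagram they receive.
HOSTS = {("10.0.0.1", 7): echo_handler, ("10.0.0.2", 69): error_handler}

def reject_service_source_port(dg: Datagram) -> bool:
    """Mitigation: a request from a service port cannot be a real client, drop it."""
    return dg.src[1] in SERVICE_PORTS or dg.src[1] < 1024

def simulate(src: tuple[str, int], guarded: bool, max_steps: int = 50) -> int:
    """Deliver one datagram to the Echo service and count the replies it sets off."""
    queue = [Datagram(src=src, dst=("10.0.0.1", 7), payload=b"hello")]
    replies = 0
    while queue and replies < max_steps:
        dg = queue.pop(0)
        handler = HOSTS.get(dg.dst)
        if handler is None:               # reached an ordinary client: nothing answers
            break
        if guarded and reject_service_source_port(dg):
            break                         # hardened service silently discards it
        queue.append(Datagram(src=dg.dst, dst=dg.src, payload=handler(dg.payload)))
        replies += 1
    return replies

if __name__ == "__main__":
    client, peer_service = ("192.0.2.10", 51000), ("10.0.0.2", 69)
    print("client, unguarded :", simulate(client, guarded=False))        # 1
    print("spoofed, unguarded:", simulate(peer_service, guarded=False))  # 50 (cap)
    print("spoofed, guarded  :", simulate(peer_service, guarded=True))   # 0
    print("client, guarded   :", simulate(client, guarded=True))         # 1
```

Real deployments implement the same check in the service or in a host firewall rule that drops inbound UDP to the service whose source port is below 1024 or equal to another service port; a step cap stands in here for the bandwidth the loop would consume.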
