
New “Loop” DoS Attack Could Bring Down Vulnerable Systems Using Just One Server

Distributed denial of service (DDoS) attacks generally rely on compromising massive networks of devices and turning them against a target. A new attack called “Loop” is more accurately labeled as a “DoS” attack, as it can leverage just one server to generate a theoretically infinite stream of traffic to take vulnerable systems offline.

The attack requires a pair of application servers that both have a vulnerable implementation of a particular protocol. The Loop DoS attack essentially generates an endless chain of error messages that will eventually exhaust all available resources and take both servers involved offline. This does limit the range of possibility for attackers, but the researchers that developed the technique estimate there are about 300,000 internet hosts that could be exploited and that it would be easy for an attacker to pull off.

Simple DoS attack relies on unpatched and end-of-life protocols

The DoS attack, which has been published as CVE-2024-2169, exploits a vulnerability in the User Datagram Protocol (UDP) that is part of the backbone of internet communication.

However, the possibility of exploiting it will vary by vendor and product. What makes the vulnerability difficult to address is that vulnerable instances are scattered seemingly at random across product lines, affecting both outdated and modern server implementations of the protocols.

In total, the researchers estimate that about 300,000 internet hosts are vulnerable to the DoS attack. There is not yet a complete list of vendors that have vulnerable products, but some of the biggest names in the industry have confirmed that parts of their inventory are impacted: Microsoft, Broadcom, Cisco, Honeywell and MikroTik among them.

IP spoofing can be executed on vulnerable systems due to an oversight in the packet verification process. As the name indicates, the attacker can initiate an infinite loop of errors that is not restricted by any systemic limits and could spread out to take down an entire network under the right conditions.

And unlike the most potent DDoS attacks, this approach does not require the use of massive botnets (generally held by cyber criminal gangs and rented out to clients). The attacker merely needs to pair two application servers that have a vulnerable implementation of the protocol. The attacker initiates communication with the first server and spoofs the address of the server it means to target. The two vulnerable systems then essentially spam error messages at each other forever, eventually consuming all available resources.
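To make that mechanism concrete, here is a small added model of two UDP application servers, A and B, exchanging datagrams; it is not the researchers' code and models no real vendor's protocol. A handler that answers anything it cannot parse, including a peer's error message, with an error of its own loops with a like-minded peer until the step cap, while a handler that silently drops malformed input ends the exchange; the host names, the `REQ:`/`ERR:` message format and the trigger datagram are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Datagram:
    src: str      # source address as seen by the receiver (may be forged)
    dst: str
    payload: bytes


Handler = Callable[[Datagram], Optional[Datagram]]


def vulnerable_handler(dg: Datagram) -> Optional[Datagram]:
    """Answers every datagram it cannot parse, including a peer's error
    message, with an error message of its own: the flaw described above."""
    if dg.payload.startswith(b"REQ:"):
        return Datagram(dg.dst, dg.src, b"OK:" + dg.payload[4:])
    return Datagram(dg.dst, dg.src, b"ERR:malformed request")


def hardened_handler(dg: Datagram) -> Optional[Datagram]:
    """Serves valid requests and silently drops everything else, so an
    incoming error (or garbage) never produces an outgoing error."""
    if dg.payload.startswith(b"REQ:"):
        return Datagram(dg.dst, dg.src, b"OK:" + dg.payload[4:])
    return None


def run_exchange(handlers: Dict[str, Handler], first: Datagram, max_steps: int) -> int:
    """Deliver datagrams between the hosts until one side stops replying or the
    step cap is reached. Returns the number of deliveries that were made."""
    dg: Optional[Datagram] = first
    steps = 0
    while dg is not None and steps < max_steps:
        dg = handlers[dg.dst](dg)
        steps += 1
    return steps


def simulate(handler_a: Handler, handler_b: Handler, max_steps: int = 1000) -> int:
    """One constructed trigger: a datagram to host A whose source field is
    forged to read B, so A's reply goes to B instead of to the real sender."""
    handlers = {"A": handler_a, "B": handler_b}
    trigger = Datagram(src="B", dst="A", payload=b"not a valid request")
    return run_exchange(handlers, trigger, max_steps)


if __name__ == "__main__":
    print("both vulnerable:", simulate(vulnerable_handler, vulnerable_handler))  # hits the cap
    print("both hardened:  ", simulate(hardened_handler, hardened_handler))      # 1
    print("A vuln, B fixed:", simulate(vulnerable_handler, hardened_handler))    # 2
```

A single fixed side is enough to break the cycle, which is why the attack needs both servers to carry the flaw.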

Though there is not yet any evidence of the DoS attack being attempted in the wild, the researchers caution that it would be easy for attackers to pull off when they find the right tandem of vulnerable systems. The issue will have to be patched individually by vendors, and impacted end-of-life devices may well remain vulnerable going forward.

Significant number of vulnerable systems that may no longer be patchable

The DoS attack is not only dangerous because of its simplicity, but also because it runs at the application level and the attackers have no means of halting it once they initiate it.

The researchers report that they privately disclosed the DoS attack to vendors in December 2023, so applying any patches released since then is a sensible first precaution for potentially impacted devices. Broadcom has said that the attack only impacts certain older routers but has issued a patch for them. Microsoft and MikroTik have announced forthcoming patches, but Microsoft added that the attack cannot cause a crash of vulnerable systems via any of its products. Zyxel says that only end-of-life products are affected and will not be issuing any patches.

If a device does not have an available patch, the researchers suggest deploying firewall rules and access-control lists for UDP applications, disabling UDP services that are not needed, and implementing TCP validation as alternatives. Organizations may also consider anti-spoofing solutions or Quality-of-Service (QoS) measures to restrict network traffic. Initiatives such as BCP38 (network ingress filtering of spoofed source addresses) can stop spoofed traffic before it reaches vulnerable systems.

A recent study from Cloudflare noted a surge in DDoS attacks in 2023, much of which was connected to the “HTTP/2 Rapid Reset” vulnerability. The report observed a general trend of DoS attacks becoming significantly less resource-demanding for threat actors looking to cause massive disruption, noting that attacks that once required millions of compromised devices can now be pulled off with as few as several thousand virtual machines. Generative AI is also widely expected to exacerbate this issue in the near future via automated tweaking and improvement of scripts and assistance in skirting automated defenses.

Jason Kent, Hacker In Residence with Cequence Security, notes that this incident should prompt security teams to think about vulnerable systems in terms of all available resources rather than just traditional botnet attacks: “Denial of Service attacks are almost always resource consumption attacks. Some resource is left open, which can be system memory, IP Addresses it hands out, CPU utilization, connections available, and really anything that if consumed beyond limits, the system can crash. Often when DoS is mentioned it is in the context of taking a web property offline through various means, but by consuming resources on the web architecture and causing failures. Often these are difficult to pull off because you have to have systems smart enough to gather an army of hosts that will call upon the victim web architecture all at once.”

“With this vulnerability, the call can be coming from inside the house. I can give Server A at an organization, Server B’s address, and act like I am Server B. Server A will send Server B an error, and Server B in turn will send Server A an error, to infinity or until one of them dies. No having to plan or strategize how to get millions of hosts. You can have 2 hosts kill one another. Now imagine if I got Servers A, B, C, D….. to participate in this little game. It’s possible to cause cascading system failures that creep across environments, triggered from the outside. It’s nasty. The good news is, blocking UDP-type protocols and moving to TCP-based communication with authentication and monitoring, can break this vulnerability but if you cannot move from the UDP-based systems you are on today, you may want to limit host-to-host communication in internal firewalls and networking gear,” added Kent.