New ‘Loop DoS' Attack May Impact up to 300,000 Online Systems

Researchers at the CISPA Helmholtz Center for Information Security have discovered a new denial-of-service attack known as ‘Loop DoS’, which targets application-layer protocols and exploits a weakness in UDP. The attack can cause an indefinite communication loop between network services, resulting in a significant increase in traffic. The vulnerability, identified as CVE-2024-2169, allows attackers to use IP spoofing and the inadequate packet verification in the UDP protocol to initiate a self-perpetuating mechanism that generates excessive traffic. This leads to a DoS condition on the target system or network.

Analyst Comments:
The attack can be triggered from a single host and has the potential to affect an estimated 300,000 vulnerable hosts and their networks. The consequences of exploiting this vulnerability include overloading services, network backbone DoS attacks, and amplification attacks. The impact of Loop DoS is substantial, as it targets both outdated and modern protocols crucial for internet functions such as time synchronization, domain name resolution, and file transfer. The attack is relatively easy to execute, although there is currently no evidence of active exploitation.

Suggested Corrections:
Preventive measures:

The preventive measures below should help to reduce the attack surface.

  • Update or shut down vulnerable services. Coordinate with affected parties to determine whether the affected hosts have to be reachable on the vulnerable services. If not, take the services offline. If yes, consider introducing appropriate access control (e.g., firewalling).
  • Restrict service access to clients with ephemeral source ports. By design, loops are between two servers, where none of the servers uses client (ephemeral) source ports. The communication does not use UDP source ports typically chosen by clients (ports >= 1024), but only the ports of the respective services (port range 0-1023). Vulnerable protocols can be protected by filtering non-ephemeral source ports towards the servers.
  • Identify the software or product responsible for the behavior. Report the vulnerability to the affected vendor with a reference to this document to give them a chance to fix the issue; alternatively,

Reactive measures:

  • In case of an attack, it is most effective to disrupt the loops. Any type of packet loss in the attack traffic terminates the loop and forces the attackers to reinitialize the loops. Packet loss thus effectively downgrades the application-layer loop attacks to amplification attacks. To this end, there are several options:
  • QoS: Give less preference to abused protocols to drop attack packets in case of network congestion. In particular, the UDP ports of the legacy protocols can be assigned low QoS priority. For the non-legacy protocols, this has to be decided on a case-by-case basis (69/TFTP, 53/DNS, 123/NTP).
  • Rate limiting: Networks can deploy rate limiting in case of loop attacks, which also terminates infinite loops.
  • Attack detection: Networks can detect loop patterns based on the fact that two servers communicate on their server ports, which, unless required by the protocol, is a rather rare event. For example, a loop within NTP would cause flows with both source and destination port being UDP/123. Any combination of privileged (<1024) UDP ports for source and destination can be deemed suspicious during an attack event and be dropped or rate-limited as a last resort.
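The detection heuristic above, as an added example that is not part of the original advisory: it scans flow records for UDP flows whose source and destination ports are both privileged (<1024), and labels the same-port server-to-server case the advisory describes. The flow-record format, the sample lines and the packet threshold are constructed assumptions for illustration.

```python
# Added example (not from the advisory): flag UDP flows between two privileged
# ports, the traffic pattern of an application-layer loop. Flows with an
# ephemeral (>=1024) port on either side are normal client traffic and are
# not flagged. The record format and sample lines are constructed.

# Constructed sample flows: "proto src_ip:src_port -> dst_ip:dst_port packets"
SAMPLE_FLOWS = """\
udp 203.0.113.10:123 -> 198.51.100.20:123 48213
udp 198.51.100.20:123 -> 203.0.113.10:123 48190
udp 192.0.2.55:53124 -> 198.51.100.20:53 3
udp 198.51.100.20:53 -> 192.0.2.55:53124 3
udp 203.0.113.10:69 -> 198.51.100.30:69 9901
tcp 192.0.2.7:443 -> 198.51.100.9:22 12
"""

SERVICE_NAMES = {53: "DNS", 69: "TFTP", 123: "NTP"}  # services named in the advisory
PRIVILEGED_MAX = 1023

def parse_flow(line):
    """Split one constructed flow record into its fields."""
    proto, src, _, dst, pkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, int(src_port), dst_ip, int(dst_port), int(pkts)

def is_loop_candidate(proto, src_port, dst_port):
    """A UDP flow with privileged ports on both ends has no client side at all."""
    return proto == "udp" and src_port <= PRIVILEGED_MAX and dst_port <= PRIVILEGED_MAX

def find_loop_candidates(text, min_packets=100):
    """Return suspicious flows as (src_ip, src_port, dst_ip, dst_port, packets, label).

    min_packets (assumed threshold) skips the rare legitimate server-to-server
    exchange; a loop produces a sustained high packet count in both directions.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src_ip, sp, dst_ip, dp, pkts = parse_flow(line)
        if not is_loop_candidate(proto, sp, dp) or pkts < min_packets:
            continue
        label = SERVICE_NAMES.get(dp, f"udp/{dp}")
        if sp == dp:
            label += " server-to-server (same port both ends)"
        findings.append((src_ip, sp, dst_ip, dp, pkts, label))
    return findings

if __name__ == "__main__":
    for finding in find_loop_candidates(SAMPLE_FLOWS):
        print("suspicious:", finding)
```

The findings are a candidate list for rate limiting or dropping, not proof of a loop: the note below on incomplete payload matching applies equally to port-based heuristics.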

Note: Given that the vectors to trigger loops are not fully explored yet, any type of payload matching to drop attack traffic will likely be incomplete.