A new Denial-of-Service (DoS) attack targets application-layer protocols that draw on the User Datagram Protocol (UDP) for end-to-end communication. ‘Application-layer Loop DoS Attacks’ pair servers of these protocols in such a way that they communicate with each other indefinitely. The vulnerability affects both legacy (e.g., QOTD, Chargen, Echo) and contemporary (e.g., DNS, NTP, and TFTP) protocols. Discovered by researchers of the CISPA Helmholtz-Center for Information Security, the attack puts an estimated 300,000 Internet hosts and their networks at risk.
The newly discovered DoS loop attack is self-perpetuating and targets application-layer messages. It pairs two network services in such a way that they keep responding to one another’s messages indefinitely. In doing so, they create large volumes of traffic that result in a denial of service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack. Previously known loop attacks occurred on the routing layer of a single network and were limited to a finite number of loop iterations.
An estimated 300,000 Internet hosts can be abused
Discovered by CISPA researchers Yepeng Pan and Professor Dr. Christian Rossow, application-layer loop DoS attacks are likely to concern a total of 300,000 Internet hosts. So far, Pan and Rossow have confirmed vulnerabilities for TFTP, DNS and NTP implementations as well as for the six legacy protocols Daytime, Time, Active Users, Echo, Chargen and QOTD. These protocols are widely used to provide basic functionalities on the Internet. While NTP, for instance, allows for time synchronization between computers, DNS matches domain names to their corresponding IP addresses. TFTP enables the transmission of files without user authentication.
Attacks can be triggered from a single spoofing-capable host
Application-layer loop DoS attacks rely on IP spoofing and can be triggered from a single spoofing-capable host. “For instance, attackers could cause a loop involving two faulty TFTP servers by injecting one single, IP-spoofed error message. The vulnerable servers would then continue to send each other TFTP error messages, putting stress on both servers and on any network link between them”, Rossow explains. Pan stresses the novelty of this attack vector: “The application-level loops we discovered differ from known network-layer loops. Hence, existing packet lifetime checks employed at the network level are unable to interrupt application-layer loops.”
Easy to exploit
“As far as we know, this kind of attack has not yet been carried out in the field. It would, however, be easy for attackers to exploit this vulnerability if no action were taken to mitigate the risk”, Rossow says. In December 2023, Rossow and Pan disclosed their discovery to the affected vendors and a trusted operator community. The two CISPA researchers coordinated a plan for the publication of an attack-specific advisory and started a notification campaign together with The Shadowserver Foundation.
Access Report : https://cispa.saarland/group/rossow/Loop-DoS
MITRE TTP :
- Initial Access [TA0001]:
- Technique: Phishing [T1566]:
- Procedure: Attackers initiate a large-scale email campaign with attachments that eventually launch the StrelaStealer’s DLL payload. The attachments’ file format is frequently changed to evade detection.
- Technique: Phishing [T1566]:
- Execution [TA0002]:
- Technique: User Execution [T1204]:
- Procedure: Victims are tricked into executing a JScript file from a ZIP attachment, leading to the execution of the StrelaStealer payload.
- Technique: User Execution [T1204]:
- Persistence [TA0003]:
- Technique: Create or Modify System Process [T1543]:
- Procedure: The StrelaStealer payload creates a service on the system to maintain persistence.
- Technique: Create or Modify System Process [T1543]:
- Defense Evasion [TA0005]:
- Technique: Obfuscated Files or Information [T1027]:
- Procedure: StrelaStealer employs updated obfuscation techniques in the DLL payload to make analysis difficult and evade detection.
- Technique: Deobfuscate/Decode Files or Information [T1140]:
- Procedure: The JScript file decodes a Base64-encrypted file, resulting in the creation of a Portable Executable (PE) DLL file.
- Technique: Modify Registry [T1112]:
- Procedure: StrelaStealer modifies the Windows registry to disable security features and avoid detection.
- Technique: Obfuscated Files or Information [T1027]:
- Credential Access [TA0006]:
- Technique: Unsecured Credentials: Credentials In Files [T1552.001]:
- Procedure: StrelaStealer aims to steal email login data from well-known email clients.
- Technique: Unsecured Credentials: Credentials In Files [T1552.001]:
- Command and Control [TA0011]:
- Technique: Application Layer Protocol [T1071]:
- Procedure: StrelaStealer communicates with its C2 server over HTTP/HTTPS to exfiltrate stolen data and possibly receive further commands.
- Technique: Application Layer Protocol [T1071]:
- Exfiltration [TA0010]:
- Technique: Exfiltration Over C2 Channel [T1041]:
- Procedure: Stolen email credentials are sent back to the attacker’s C2 server, which can then be used for further attacks or espionage activities.
- Technique: Exfiltration Over C2 Channel [T1041]:
Views: 0
简体中文
Nederlands
Français
Bahasa Indonesia
日本語
Português