There is a new denial-of-service (Loop DoS attack) vector that has been discovered. This attack vector targets application-layer protocols that are based on User Datagram Protocol (UDP), which puts hundreds of thousands of hosts at risk.

Loop denial of service attacks are a method that involves pairing “servers of these protocols in such a way that they communicate with each other indefinitely,” according to researchers at the CISPA Helmholtz-Center for Information Security.

You might be interested in: Fortinet Identifies Severe SQL Injection Vulnerability In FortiClientEMS Software

UDP is a connectionless protocol that does not authenticate source IP addresses. As a result, it is vulnerable to IP spoofing since it does not validate source IP addresses.

As a result, a mirrored denial-of-service attack (also known as a Loop DoS attack is created when an attacker forges many UDP packets to include an IP address of a victim. This causes the destination server to respond to the victim rather than the threat actor.

In the most recent research, it was discovered that particular implementations of the UDP protocol, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, have the potential to be weaponized in order to generate an attack loop that can perpetuate itself.

“It pairs two network services in such a way that they keep responding to one another’s messages indefinitely,” according to the university researchers. As a consequence of their actions, they generate a significant amount of traffic, which leads to a denial-of-service for the systems or networks that are involved. Even the attackers are unable to stop the attack after a trigger has been introduced and the loop has been set in motion.

To put it another way, if there are two application servers that are running a vulnerable version of the protocol, a threat actor can commence communication with the first server by spoofing the address of the second server. This will cause the first server to respond to the victim, which is the second server, with an error message.

The victim, on the other hand, will follow a similar pattern of behavior, sending another error message to the initial server. This will effectively deplete the resources of both servers, causing either of the services to become unresponsive.

Yepeng Pan and Christian Rossow provided an explanation that stated, “If an error as input creates an error as output, and a second system behaves the same, then these two systems will continue sending error messages back and forth indefinitely.”

An estimated 300,000 hosts and their networks are susceptible to being exploited in order to carry out Loop DoS assaults, according to CISPA.

The researchers noted that exploitation is easy and that many products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected by the assault. Although there is presently no evidence that the attack has been weaponized in the wild, the researchers warned that the attack contains multiple vulnerabilities.

According to the researchers, in order for loops to be triggered, attackers need just a single host that is capable of spoofing. “As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38.”



Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center