March 24, 2024 at 02:47PM
Up to 300,000 servers and devices on the internet are vulnerable to a recently disclosed Loop Denial-of-Service technique affecting UDP-based services such as TFTP, DNS, and NTP. The attack, disclosed by researchers in Germany, creates an infinite loop of error messages between servers. The method has not been exploited in the field, but it poses a serious risk if left unmitigated.
From the meeting notes, the key takeaways are:
1. Up to 300,000 servers or devices on the public internet are currently vulnerable to the Loop Denial-of-Service technique, especially those using certain UDP-based application-level services such as TFTP, DNS, NTP, and legacy protocols like Echo, Chargen, and QOTD.
2. The attack uses IP source-address spoofing to trick two vulnerable servers into exchanging error messages with each other indefinitely, so that they stop responding to legitimate requests.
3. The largest number of potentially vulnerable systems on the public internet are located in China, Russia, America, Iran, South Korea, Italy, France, Canada, and Brazil.
4. The attack method was disclosed by researchers Christian Rossow and Yepeng (Eric) Pan at the CISPA Helmholtz Center for Information Security in Germany, who have been planning how to share details of the attack and to begin a notification campaign in collaboration with the nonprofit Shadowserver Foundation.
5. Several products from companies such as Arris, Broadcom, Microsoft, Honeywell (CVE-2024-1309), Brother, and MikroTik, as well as out-of-support products from Cisco, TP-Link, and Zyxel, are understood to be vulnerable to Loop DoS.
6. Watch for updates to the affected network services that patch this vulnerability, and mitigate the risk proactively, since attackers could easily exploit it if no action is taken.
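To make the loop mechanism in takeaways 2 and 6 concrete, here is an added toy simulation (not code from the researchers or from any affected product) of two UDP services that answer unparseable input with an error message. All addresses and payloads are constructed; the hardened variants model two defensive behaviours: never answering an error with another error, and capping the number of errors sent to any single peer.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Packet:
    src: str      # "host:port" the packet claims to come from (constructed values)
    dst: str
    payload: str  # toy payload: "REQ" (valid request) or "ERR" (error message)

class UdpService:
    """Toy model of a UDP service that replies to anything it cannot parse
    with an error. reply_to_errors=False models the hardened behaviour of
    never answering an error with another error; max_errors_per_peer models
    a per-peer rate limit on error replies."""

    def __init__(self, addr: str, reply_to_errors: bool,
                 max_errors_per_peer: Optional[int] = None) -> None:
        self.addr = addr
        self.reply_to_errors = reply_to_errors
        self.max_errors_per_peer = max_errors_per_peer
        self.errors_sent: Dict[str, int] = {}

    def handle(self, pkt: Packet) -> Optional[Packet]:
        if pkt.payload == "REQ":
            return Packet(self.addr, pkt.src, "OK")
        # Anything else is unparseable; a vulnerable service answers with ERR.
        if pkt.payload == "ERR" and not self.reply_to_errors:
            return None
        n = self.errors_sent.get(pkt.src, 0)
        if self.max_errors_per_peer is not None and n >= self.max_errors_per_peer:
            return None  # per-peer error budget exhausted: stay silent
        self.errors_sent[pkt.src] = n + 1
        return Packet(self.addr, pkt.src, "ERR")

def simulate_loop(a: UdpService, b: UdpService, max_steps: int = 10_000) -> int:
    """Inject one packet whose source is spoofed as `a` and which is addressed
    to `b`, then count how many packets the two services exchange on their own
    before one of them stops replying (or max_steps is reached)."""
    hosts = {a.addr: a, b.addr: b}
    queue = deque([Packet(src=a.addr, dst=b.addr, payload="ERR")])
    exchanged = 0
    while queue and exchanged < max_steps:
        pkt = queue.popleft()
        reply = hosts[pkt.dst].handle(pkt)
        if reply is None:
            break
        exchanged += 1
        queue.append(reply)
    return exchanged

if __name__ == "__main__":
    print(simulate_loop(UdpService("10.0.0.1:19", True), UdpService("10.0.0.2:19", True)))
```

A single spoofed packet keeps two vulnerable services busy until max_steps, while fixing either side alone already breaks the loop after at most one reply.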
Please let me know if there is anything specific you would like to focus on or any additional information you need.