roitman

The Noose Tightens: The Dangers of a New Vulnerability for Conducting DDoS Attacks

Experts from the German CISPA Helmholtz Center for Information Security have discovered a new type of Distributed Denial-of-Service (DDoS) attack that poses a threat to 300,000 systems worldwide. The attack, named Loop DoS, involves creating an infinite loop of requests between two applications that are vulnerable to a flaw in one of the key internet protocols, UDP (User Datagram Protocol). Although the principle behind this vulnerability was exploited by attackers as far back as the 1990s, experts consider the current situation to be serious. Previously, exploiting such a vulnerability was deemed quite marginal, occurring only in old and rarely used protocols. However, analysts now say that the risk landscape has significantly expanded.

August 7, 2024

The new type of DDoS attack targets application-level protocols and affects both outdated protocols (such as QOTD, Chargen, Echo) and modern ones (DNS, NTP, and TFTP), putting approximately 300,000 internet hosts and their networks worldwide at risk, according to a CISPA report. A host is a computer or other device connected to a network; it can function as a server, offering information resources, services, and applications to users or other hosts on the network.

"A cyclic attack combines two network services in such a way that they continue to respond to each other's messages endlessly. In doing so, they generate enormous volumes of traffic, leading to the denial of service of the involved systems or networks. Once a trigger is introduced and the cycle is initiated, not even the attackers can stop the attack," write CISPA experts Yepeng Pan and Christian Rossow. Previously known cyclic attacks occurred at the routing level of a single network and were limited to a finite number of iterations, they add.

The vulnerable protocols are widely used to provide basic functions on the internet. NTP, for example, allows time synchronization between computers, DNS maps domain names to their corresponding IP addresses, and TFTP allows file transfers without user authentication. "As far as we know, such attacks have not yet been conducted in the field," says Rossow. "It would be easy for attackers to exploit this vulnerability if no measures were taken to mitigate the risk."

A well-forgotten old thing

Overall, the idea that attackers might exploit is not new, experts note. It is based on the fact that the UDP protocol does not verify the authenticity of the request's source. Therefore, by using spoofing (the alteration of the request source's IP address), traffic can be redirected to another recipient. This is quite an obvious concept, usually covered in the first courses of information security programs at universities.

Indeed, the principle by which this network exploitation technique works is many years old and was encountered as far back as the 1990s. Loop DoS is compared to an out-of-office email auto-reply: it can be set up to respond to those who send emails in the absence of the recipient, such as when the recipient is traveling. Similarly, in this case, the "auto-reply" can, by interacting with devices that have the same "auto-reply," create an endless loop, clogging all channels and ultimately disrupting a business. Companies now need to identify devices operating under this protocol and decide how to protect themselves.

The essence of loop attacks is that both sides keep exchanging malformed requests and "error" responses: each "error" response is perceived by the other side as a malformed request, which it answers with yet another "error" message, and so on indefinitely. If the traffic is intercepted and the flow of request-errors is stopped, the other side ceases responding and the attack is interrupted. This can be achieved with solutions like Anti-DDoS, IPS, and NGFW.
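The mechanism described in the two paragraphs above (UDP does not verify the source address, and two services that answer every unparseable datagram with an error can feed each other forever) can be shown without touching a network. The following is an added example, not code from the article or from CISPA: it simulates two toy services in-process with a bounded delivery queue, and places the vulnerable responder beside a hardened one that stays silent on anything it cannot parse, in particular on inbound error messages. The service names, message formats and addresses are constructed for the example.

```python
"""Bounded in-process simulation of a UDP application-layer loop (added example).

Two toy services share the same bad habit: any datagram they cannot parse gets
an error reply sent back to the *apparent* source.  Because UDP carries no
proof of who sent a datagram, one datagram whose source field names the other
service is enough to make the two error messages chase each other.  The
hardened variant breaks the loop by never answering an inbound error message
and by staying silent on everything it does not understand.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Datagram:
    src: str        # "ip:port" as the receiver sees it (UDP cannot verify it)
    dst: str
    payload: bytes


ERROR_PREFIX = b"ERR "   # constructed error marker used by both toy services


def naive_service(dgram: Datagram) -> Optional[Datagram]:
    """Vulnerable behaviour: every unparseable request earns an error reply."""
    if dgram.payload.startswith(b"GET "):
        return Datagram(dgram.dst, dgram.src, b"OK " + dgram.payload[4:])
    return Datagram(dgram.dst, dgram.src, ERROR_PREFIX + b"bad request")


def hardened_service(dgram: Datagram) -> Optional[Datagram]:
    """Mitigated behaviour: strict parse, silence on anything else.

    An inbound error message never gets a reply, so a hardened peer can never
    be kept talking by another service's error output.
    """
    if dgram.payload.startswith(ERROR_PREFIX):
        return None
    if dgram.payload.startswith(b"GET "):
        return Datagram(dgram.dst, dgram.src, b"OK " + dgram.payload[4:])
    return None


Handler = Callable[[Datagram], Optional[Datagram]]


def run(services: Dict[str, Handler], trigger: Datagram, max_steps: int = 1000) -> int:
    """Deliver `trigger` and every reply it spawns.

    Returns the number of datagrams delivered before the network went quiet,
    capped at `max_steps` so a genuine loop terminates the simulation.
    """
    queue = deque([trigger])
    steps = 0
    while queue and steps < max_steps:
        dgram = queue.popleft()
        steps += 1
        handler = services.get(dgram.dst)
        if handler is None:
            continue                      # no service listening there
        reply = handler(dgram)
        if reply is not None:
            queue.append(reply)
    return steps


# Constructed addresses from the RFC 5737 documentation ranges; port 19 is Chargen.
A, B = "198.51.100.10:19", "203.0.113.20:19"
# Constructed trigger: junk sent to A whose source field names B instead of the real sender.
TRIGGER = Datagram(src=B, dst=A, payload=b"junk")


def loop_length_naive() -> int:
    """Both services vulnerable: the exchange only stops at the step cap."""
    return run({A: naive_service, B: naive_service}, TRIGGER)


def loop_length_hardened() -> int:
    """Both services hardened: the trigger is dropped and nothing follows."""
    return run({A: hardened_service, B: hardened_service}, TRIGGER)


def loop_length_mixed() -> int:
    """Only one side fixed: one error is emitted, then the hardened peer stays silent."""
    return run({A: naive_service, B: hardened_service}, TRIGGER)


if __name__ == "__main__":
    print("both naive     :", loop_length_naive(), "datagrams (hit the cap)")
    print("both hardened  :", loop_length_hardened(), "datagram")
    print("one hardened   :", loop_length_mixed(), "datagrams")
```

The mixed case is the practical point for an operator: fixing either endpoint is enough to break a given loop, because a loop needs two parties that both answer errors with errors. The cap in `run` stands in for the "intercept and stop the flow" mitigation the text mentions; in the naive case the simulated exchange never ends on its own.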

Ideas for attackers are readily available. The danger lies either in finding a way to apply a seemingly harmless tool in an unconventional manner or in discovering specific features of standards relied upon by many vendors. This is why such discoveries can be destructive: they do not affect a specific product from one vendor because of, say, coding errors, but rather an entire class of products, each of which may be vulnerable through the shared standard they implement.

The situation is serious

If CISPA's finding is confirmed, it would indeed be very serious: in terms of significance, it could be compared to DNS amplification attacks (from Latin amplifico — 'to increase'; amplification here means the enhancement of a DDoS attack using various algorithms).

The pattern discovered by the German researchers is a clear example of a situation where the presence of an amplifier in the network can harm all its operators. The attacker needs minimal effort: a single packet is enough to start the exchange between two vulnerable servers. The attack then proceeds autonomously, sustaining itself at a steady rate.

The main problem preventing the defeat of amplification attacks once and for all is that they typically do not affect the owner of the vulnerable server but rather someone else. The owner of the equipment might not even be aware that certain software is running and participating in attacks. For this reason, old vulnerable servers are not "patched," and they remain on the internet, constantly taking part in attacks.
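Because the owner of a looping server often does not notice, the useful defensive step is to look for the loop's signature in one's own flow records. The following is an added example, not part of the article: a small detector run over constructed flow-log lines. It keys on the property that distinguishes a loop from ordinary traffic, namely two well-known UDP service ports talking directly to each other (a legitimate client normally uses an ephemeral port), with strictly alternating direction and near-identical payloads. The log format, thresholds and port list are assumptions made for the example.

```python
"""Ping-pong detector for UDP application-layer loops (added example).

Input is a constructed flow log with one datagram per line:
    <timestamp> <proto> <src ip:port> <dst ip:port> <payload summary>
A host pair is flagged when both ends use a well-known UDP service port, the
traffic strictly alternates direction, and the payloads barely vary.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Well-known UDP service ports named in the article: Echo, Daytime, QOTD,
# Chargen, DNS, TFTP, NTP.  Extend to match the services actually deployed.
SERVICE_PORTS = {7, 13, 17, 19, 53, 69, 123}

# Constructed sample log: 8 Chargen<->Chargen error bounces (a loop), one normal
# DNS lookup from an ephemeral client port, and one short NTP exchange.
SAMPLE_LOG = """\
1.000 UDP 198.51.100.10:19 203.0.113.20:19 ERR bad request
1.001 UDP 203.0.113.20:19 198.51.100.10:19 ERR bad request
1.002 UDP 198.51.100.10:19 203.0.113.20:19 ERR bad request
1.003 UDP 203.0.113.20:19 198.51.100.10:19 ERR bad request
1.004 UDP 198.51.100.10:19 203.0.113.20:19 ERR bad request
1.005 UDP 203.0.113.20:19 198.51.100.10:19 ERR bad request
1.006 UDP 198.51.100.10:19 203.0.113.20:19 ERR bad request
1.007 UDP 203.0.113.20:19 198.51.100.10:19 ERR bad request
2.000 UDP 192.0.2.5:51234 198.51.100.10:53 QUERY example.com
2.002 UDP 198.51.100.10:53 192.0.2.5:51234 ANSWER example.com
3.000 UDP 192.0.2.7:123 198.51.100.10:123 NTP client
3.001 UDP 198.51.100.10:123 192.0.2.7:123 NTP server
"""


def parse_line(line: str) -> Tuple[float, str, str, str, str]:
    """Split one log line into (timestamp, proto, src, dst, payload)."""
    ts, proto, src, dst, payload = line.split(" ", 4)
    return float(ts), proto, src, dst, payload


def port_of(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])


def find_loops(log_text: str, min_packets: int = 6,
               max_distinct_payloads: int = 2) -> List[Tuple[str, str, int]]:
    """Return (endpoint_a, endpoint_b, packet_count) for every suspected loop."""
    flows: Dict[frozenset, List[Tuple[float, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, payload = parse_line(line)
        if proto != "UDP":
            continue
        # Key on the unordered endpoint pair so both directions land together.
        flows[frozenset((src, dst))].append((ts, src, payload))

    hits = []
    for pair, pkts in flows.items():
        a, b = sorted(pair)
        # Service port on *both* ends is the tell; real clients use ephemeral ports.
        if not (port_of(a) in SERVICE_PORTS and port_of(b) in SERVICE_PORTS):
            continue
        if len(pkts) < min_packets:
            continue                      # short exchanges (e.g. NTP peering) are fine
        pkts.sort(key=lambda p: p[0])
        alternating = all(p[1] != q[1] for p, q in zip(pkts, pkts[1:]))
        distinct_payloads = len({p[2] for p in pkts})
        if alternating and distinct_payloads <= max_distinct_payloads:
            hits.append((a, b, len(pkts)))
    return sorted(hits)


if __name__ == "__main__":
    for a, b, n in find_loops(SAMPLE_LOG):
        print(f"suspected loop: {a} <-> {b} ({n} datagrams)")
```

Once a pair is flagged, the response the article describes is to stop the flow (filter the pair at the edge or on the host) and then fix or retire the service so that it no longer answers errors with errors. The thresholds are deliberately conservative; on a busy network the same heuristic would run per time window rather than over a whole file.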

The scale of the problem

Experts cannot definitively answer how significant the figure of 300,000 hosts is. Modern botnets can be even larger, reaching millions of hosts. However, the danger of loop DoS attacks lies in the fact that once a loop is initiated, it can trigger a packet exchange that may continue indefinitely. On the other hand, only servers vulnerable to such an exploit can become victims.

Moreover, the fact that CISPA found 300,000 hosts does not mean they examined all hosts. In absolute terms, it seems small, but it’s important to consider that some vendors may have only a few hosts providing services via the UDP protocol, such as DNS servers for their users. Many providers typically have only a couple of such servers. Thus, the number of potentially vulnerable service vendors could be in the tens of thousands. While this is somewhat of a simplification, it clearly demonstrates that the impact zone could be very large, even if there are only 300,000 vulnerable hosts.

The landscape of attacks

According to StormWall, the number of DDoS attacks worldwide increased by 63% in 2023, primarily due to geopolitical factors. At the same time, individual DDoS attacks in 2023 set new records in terms of power and duration.


Roitman LLC, All rights reserved