300K Internet Hosts at Risk for Devastating Loop DoS Attack

Published : 23/11/2024   Category : security




Attackers can create a self-perpetuating, infinite scenario in such a way that volumes of traffic overwhelm network resources indefinitely.



A newly discovered type of self-perpetuating denial-of-service (DoS) attack targeting application-layer messages has the potential to compromise 300,000 Internet hosts and can be difficult to stop once it's set in motion, researchers have found.
Researchers Yepeng Pan and professor Christian Rossow at the CISPA Helmholtz-Center for Information Security discovered the attack, dubbed loop DoS. It creates a type of infinite loop of responses by pairing two network services in such a way that they keep responding to one another's messages indefinitely, according to a post on the CISPA website describing the attack.
This dynamic creates large volumes of traffic, resulting in DoS for any system or network involved. Moreover, once the loop is set in motion, even the attackers are unable to stop the attack, which can be triggered from just a single spoofing-capable host, the researchers said.
The attack exploits a novel traffic-loop vulnerability present in certain user datagram protocol (UDP)-based applications, according to a post by the Carnegie Mellon University's CERT Coordination Center. An unauthenticated attacker can use maliciously crafted packets against a UDP-based vulnerable implementation of various application protocols such as DNS, NTP, and TFTP, leading to DoS and/or abuse of resources.
In addition to those programs, the researchers also found the flaw in legacy protocols like Daytime, Time, Active Users, Echo, Chargen, and QOTD — all of which are widely used to provide basic functionalities on the Internet, according to the CISPA post.
The researchers put the attack on par with amplification attacks in the volumes of traffic they can cause, with two major differences. One is that attackers do not have to continuously send attack traffic due to the loop behavior, unless defenses terminate loops to shut down the self-repetitive nature of the attack. The other is that without a proper defense, the DoS attack will likely continue for a while.
Indeed, "DoS attacks are almost always about resource consumption in Web architecture, but until now it's been extremely tricky to use this type of attack to take a Web property completely offline because you have to have systems smart enough to gather an army of hosts that will call upon the victim web architecture all at once," explains Jason Kent, hacker in residence at Cequence Security.
A loop DoS attack "changes the game considerably because the call can be coming from inside the architecture itself and then grow exponentially," he explained.
"I can give Server A at an organization Server B's address and act like I am Server B," Kent says. "Server A will send Server B an error, and Server B in turn will send Server A an error, to infinity or until one of them dies."
This precludes the need for an attacker having to plan or strategize how to get millions of hosts, and can potentially cause cascading system failures that creep across environments, triggered from the outside, he says, deeming the loop DoS attack "nasty."
The researchers provided four types of attack scenarios to demonstrate how a loop DoS attack might work. In the simplest scenario, an attacker can overload a vulnerable server itself, creating many loops with other loop servers to focus on a single target server. This will result in either exhausting its host bandwidth or computational resources, they said. A defender can stop this attack by patching the loop server to escape loop patterns.
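To make the loop pattern concrete, here is an added simulation (not code from the article, CISPA or CERT/CC) of two error-answering UDP services exchanging messages in memory. A single datagram whose source is forged to look like the other server starts the exchange; the vulnerable policy never stops, while a host patched with the mitigations the article lists (answer only clients on ephemeral source ports, never answer an error with an error) breaks the loop on its own. The hosts, ports, payloads, the ephemeral-port threshold and the extra per-peer error cap are all constructed assumptions; no packets are sent.

```python
from collections import defaultdict
from dataclasses import dataclass

# Everything below is a constructed simulation: hosts, ports and payloads are
# illustrative and nothing touches the network.


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


EPHEMERAL_MIN = 1024  # assumption: ports below this are treated as service ports


class VulnerableService:
    """Loop pattern: every unparseable datagram is answered with an error."""

    def __init__(self, ip: str, port: int):
        self.ip, self.port = ip, port

    def handle(self, d: Datagram):
        if d.payload.startswith(b"OK:"):
            return None  # well-formed request; the real reply is not modelled
        return Datagram(self.ip, self.port, d.src_ip, d.src_port, b"ERR: bad request")


class HardenedService(VulnerableService):
    """Same service with mitigations applied on this host only: answer only
    clients on ephemeral ports, never answer an error with an error, and
    (an assumed extra) cap the error replies sent to any one peer."""

    def __init__(self, ip: str, port: int, max_errors_per_peer: int = 3):
        super().__init__(ip, port)
        self.max_errors = max_errors_per_peer
        self.errors_sent = defaultdict(int)

    def handle(self, d: Datagram):
        if d.src_port < EPHEMERAL_MIN:
            return None  # a "client" on a service port is a loop partner, not a client
        if d.payload.startswith(b"ERR:"):
            return None  # escape the loop pattern: errors are terminal
        peer = (d.src_ip, d.src_port)
        if self.errors_sent[peer] >= self.max_errors:
            return None  # stop feeding a peer that keeps sending garbage
        reply = super().handle(d)
        if reply is not None:
            self.errors_sent[peer] += 1
        return reply


def simulate(services, first: Datagram, max_steps: int = 1000):
    """Deliver datagrams between the simulated hosts until the exchange dies
    out or max_steps deliveries have happened.
    Returns (deliveries, still_looping)."""
    by_endpoint = {(s.ip, s.port): s for s in services}
    queue = [first]
    deliveries = 0
    while queue and deliveries < max_steps:
        d = queue.pop(0)
        deliveries += 1
        target = by_endpoint.get((d.dst_ip, d.dst_port))
        if target is None:
            continue  # destination not simulated: datagram is dropped
        reply = target.handle(d)
        if reply is not None:
            queue.append(reply)
    return deliveries, bool(queue)


def loop_between(server_a, server_b, max_steps: int = 1000):
    """One datagram aimed at server_a whose source claims to be server_b."""
    forged = Datagram(server_b.ip, server_b.port, server_a.ip, server_a.port, b"junk")
    return simulate([server_a, server_b], forged, max_steps)


if __name__ == "__main__":
    a = VulnerableService("10.0.0.1", 13)
    b = VulnerableService("10.0.0.2", 19)
    print("both vulnerable:", loop_between(a, b))  # (1000, True): capped, still going
    a_fixed = HardenedService("10.0.0.1", 13)
    print("A patched only:", loop_between(a_fixed, b))  # (1, False)
    b_fixed = HardenedService("10.0.0.2", 19)
    print("B patched only:", loop_between(a, b_fixed))  # (2, False)
```

Patching either side is enough to end the loop, which is why the article's advice to fix the loop server works even when its partner stays vulnerable. The ephemeral-port check would also drop legitimate peers that bind a service port on purpose (NTP peering does this), so in practice it belongs on services where clients are never expected to use privileged ports.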
In a second scenario, attackers can target backbones of networks that contain many loop hosts, pairing these hosts with each other to create thousands to millions of loops within the target network. To protect against such attacks from external hosts, networks can deploy filtering for IP-spoofed traffic, the researchers said.
A third attack is one in which attackers pair loop servers in such a way to congest individual Internet links. In the simplest case, this could be a target network’s uplink, the researchers wrote, adding that this can be conducted on any Internet link that loop pairs cross.
To this end, attackers pair internal loop hosts with external ones, which puts stress on the target network’s Internet uplink due to the loop traffic, the researchers explained.
A fourth and rare attack scenario is also the most devastating type, one in which loop servers would not send back a single response, but multiple, allowing for the creation of self-amplifying loops that not only continue forever, but also intensify in their loop frequency, the researchers wrote. This attack will go on continuously even if defenses incur packet loss, unless they drop all network traffic, they added.
In addition to the specific mitigations already outlined for the different loop DoS attack scenarios, there are other ways to mitigate or stop such an attack once it's in motion — which is good news for the myriad vulnerable host servers, since fixing them all at once seems not to be practical, the researchers acknowledged.
Blocking UDP and moving to TCP-based communication with authentication and monitoring can mitigate a vulnerability to a loop DoS attack, Kent says. However, if this is not an option, system administrators may want to limit host-to-host communication in internal firewalls and networking gear, he adds.
Other mitigations suggested by the researchers include: updating or shutting down services vulnerable to a loop DoS attack; restricting service access to clients with ephemeral, or client, source ports; and identifying the vulnerable software or product in the network and informing the product's vendor of the potential for exploit.
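Identifying loop-prone services and an active loop is something a network team can do from flow records before any patch lands. The following is an added example (not from the article or the researchers) that scans constructed NetFlow-style records for UDP flows running service-port to service-port in both directions at high volume, which is the signature of two servers answering each other's errors. The port list is taken from the protocols the article names; the threshold, field names and sample flows are assumptions.

```python
import csv
import io
from collections import defaultdict

# Service ports of the protocols the article names as affected. These are the
# standard assigned ports; the set is a starting point, not an exhaustive list.
LOOP_PRONE_PORTS = {
    7,    # Echo
    13,   # Daytime
    17,   # QOTD
    19,   # Chargen
    37,   # Time
    53,   # DNS
    69,   # TFTP
    123,  # NTP
}

# Constructed NetFlow-style export (not real traffic). Each row is one
# direction of a flow with the packet count seen in that direction.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,packets
10.0.0.1,19,10.0.0.2,13,udp,48210
10.0.0.2,13,10.0.0.1,19,udp,48207
192.0.2.10,53,10.0.0.5,51234,udp,3
10.0.0.5,51234,192.0.2.10,53,udp,3
10.0.0.3,123,203.0.113.7,123,udp,2
203.0.113.7,123,10.0.0.3,123,udp,2
10.0.0.4,7,198.51.100.9,7,udp,9500
"""


def parse_flows(text: str):
    """Parse the CSV export into a list of flow dicts with (ip, port) endpoints."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": (r["src_ip"], int(r["src_port"])),
            "dst": (r["dst_ip"], int(r["dst_port"])),
            "proto": r["proto"].lower(),
            "packets": int(r["packets"]),
        })
    return rows


def find_loop_candidates(flows, min_packets: int = 1000):
    """Flag UDP endpoint pairs where BOTH ends use a loop-prone service port and
    traffic exceeds min_packets in each direction. Ordinary client traffic uses
    an ephemeral port on one side and is ignored; one-way floods are ignored
    because a loop is, by definition, bidirectional."""
    per_pair = defaultdict(lambda: defaultdict(int))  # pair -> direction -> packets
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src"][1] not in LOOP_PRONE_PORTS or f["dst"][1] not in LOOP_PRONE_PORTS:
            continue
        pair = tuple(sorted((f["src"], f["dst"])))
        per_pair[pair][(f["src"], f["dst"])] += f["packets"]

    candidates = []
    for (ep1, ep2), directions in per_pair.items():
        fwd = directions.get((ep1, ep2), 0)
        rev = directions.get((ep2, ep1), 0)
        if fwd >= min_packets and rev >= min_packets:
            candidates.append({
                "endpoint_a": ep1,
                "endpoint_b": ep2,
                "packets_a_to_b": fwd,
                "packets_b_to_a": rev,
            })
    candidates.sort(key=lambda c: -(c["packets_a_to_b"] + c["packets_b_to_a"]))
    return candidates


if __name__ == "__main__":
    for c in find_loop_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"suspected loop: {c['endpoint_a']} <-> {c['endpoint_b']} "
              f"({c['packets_a_to_b']} / {c['packets_b_to_a']} packets)")
```

On the sample data only the Chargen/Daytime pair is reported. The low-volume NTP 123-to-123 pair is legitimate peer synchronization and shows why the threshold matters: service-port to service-port UDP is not suspicious by itself, sustained symmetric volume is. Hosts that appear in a reported pair are the ones to check against the researchers' list of affected implementations and to report to the vendor.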
