New Application-Layer Loop DoS Attack: Impacts 3L Online System

Cybersecurity researchers have identified a new form of denial-of-service (DoS) attack that could disrupt over 300,000 internet-connected systems worldwide.

This novel attack, which targets the application layer of network communication, has raised significant concerns due to its self-perpetuating nature and the ease with which it can be executed.

Attack Description and Impact

The newly discovered DoS loop attack is a sophisticated cyber threat that exploits vulnerabilities in network protocols.

It initiates a self-sustaining cycle of communication between two network services, causing them to respond to each other indefinitely.

This relentless exchange generates overwhelming traffic, leading to a denial of service for the affected systems or networks.

Unlike previous loop attacks confined to the routing layer and with a limited number of iterations, this new attack operates at the application layer and can continue indefinitely once triggered.

The attack’s persistence means that even the attackers cannot halt the process once it has begun.

Vulnerable Protocols

The discovery was made by researchers Yepeng Pan and Professor Dr. Christian Rossow from the Center for IT-Security, Privacy, and Accountability (CISPA).

They have identified several widely-used protocols that are susceptible to this type of attack, including:

• Trivial File Transfer Protocol (TFTP)
• Domain Name System (DNS)
• Network Time Protocol (NTP)
• Daytime Protocol
• Time Protocol
• Active Users Protocol
• Echo Protocol
• Character Generator Protocol (Chargen)
• Quote of the Day Protocol (QOTD)

These protocols serve essential functions on the internet, such as time synchronization (NTP), domain name resolution (DNS), and file transfers without authentication (TFTP).

Dawood Sajjadi, a prominent cybersecurity expert, recently tweeted about the “Loop DoS” attack which has affected hundreds of thousands of systems.

Attack Execution and Detection

The attack can be initiated by a single host with the capability of time synchronization (NTP).

For example, an attacker could trigger a loop between two vulnerable TFTP servers by sending a single spoofed error message.

The servers would then be trapped in an endless exchange of error messages, straining the servers and any network links between them.

The researchers emphasize that the application-level loops they have uncovered are distinct from previously known network-layer loops.

Consequently, traditional packet lifetime checks that operate at the network level are ineffective at interrupting these application-layer loops.

Mitigation and Response

The ease with which these attacks can be carried out is alarming.

“As far as we know, this kind of attack has not yet been carried out in the field. However, it would be easy for attackers to exploit this vulnerability if no action were taken to mitigate the risk,” Rossow explains.

In response to their findings, the CISPA researchers took proactive measures.

In December 2023, they disclosed their discovery to the affected vendors and a trusted operator community.

They also coordinated the publication of an attack-specific advisory and initiated a notification campaign in collaboration with the Shadowserver Foundation.

The discovery of this new application-layer loop DoS attack is a stark reminder of the evolving nature of cyber threats.

The potential impact on thousands of internet hosts underscores the need for continuous vigilance and prompt action to secure network protocols against such vulnerabilities.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.