UDP-based network communications face critical denial-of-service attacks

A novel attack technique is found capable of launching a looped denial of service (DoS) attack between a pair of network applications, blocking legitimate access to their respective servers indefinitely.

This is an application layer attack, targeted at systems running a vulnerable transport layer protocol — user datagram protocol (UDP) — that inherently lacks request verification because of its connection-less nature.

“Application-layer loop DoS attacks rely on IP spoofing and can be triggered from a single spoofing-capable host,” CISPA, the German research firm that made the discovery, said in a blog. “The attacks pair two network services in such a way that they keep responding to one another’s messages indefinitely.”

The application layer is the topmost in the conceptual layers of a typical communication system which also includes physical, data link, network, transport, session, and presentation layers in that order.

Faster yet less-secure protocol

UDP is a transport layer protocol responsible for transporting data packets across network systems that are communicating using application layer protocols. Designed specifically for time-sensitive transmissions like video playback or DNS lookups, UDP works on a connection-less principle which allows it to transfer data without establishing a connection between the involved systems.

The faster transmission is sometimes a risky trade-off as the inherent nature of UDP can cause data to be lost in transit or, in this case, allow attackers to carry out DDoS attacks. The inherent UDP vulnerability is tracked as CVE-2024-2169.

“Implementations of UDP application protocol are vulnerable to network loops,” according to the vulnerability’s NVD entry. “An unauthenticated attacker can use maliciously crafted packets against a vulnerable implementation that can lead to Denial of Service (DOS) and/or abuse of resources.”

CISPA researchers explained the attack loop can be initiated by sending one single IP-spoofed error message to either of a pair of faulty servers. “The vulnerable servers would then continue to send each other error messages, putting stress on both servers and on any network link between them,” the researchers said in the blog.

Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack, according to the blog.

The vulnerability affects legacy protocols including Daytime, Time, Active Users, Echo, Chargen, and QOTD, as well as contemporary protocols like TFTP, DNS, and NTP, of the application layer.

Switching to TCP can help

Although no known exploits of this vulnerability have been reported to date, CISPA warns that the vulnerability has the potential to affect close to 300,000 internet hosts, along with the networks they expose.

“As far as we know, this kind of attack has not yet been carried out in the field. It would, however, be easy for attackers to exploit this vulnerability if no action were taken to mitigate the risk”, said Christian Rossow, one of the CISPA researchers who made the discovery, in the blog.

The Transmission Control Protocol (TCP) is a more reliable transport layer protocol, albeit not as fast as UDP, that establishes a connection between systems only after an automated verification process called “handshake” has happened between the involved systems.

Adding an extra layer of request validation on UDP transmissions or switching them out entirely with TCP implementations can help prevent the exploitation of this vulnerability.