• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • New Loop DoS attack may target 300,000 vulnerable hosts

New Loop DoS attack may target 300,000 vulnerable hosts

Pierluigi Paganini March 21, 2024

Boffins devised a new application-layer loop DoS attack based on the UDP protocol that impacts major vendors, including Broadcom, Microsoft and MikroTik.

Researchers from the CISPA Helmholtz Center for Information Security (Germany) devised a new denial-of-service (DoS) attack, called loop DoS attack, that hundreds of thousands of internet-facing systems from major vendors.

The attack consists of pairing servers using protocols based on UDP to get them to communicate with each other indefinitely by using IP spoofing.  

“A new Denial-of-Service (DoS) attack targets application-layer protocols that draw on the User Datagram Protocol (UDP) for end-to-end communication. ‘Application-layer Loop DoS Attacks’ pair servers of these protocols in such a way that they communicate with each other indefinitely.” explained the researchers. “The vulnerability affects both legacy (e.g., QOTD, Chargen, Echo) and contemporary (e.g., DNS, NTP, and TFTP) protocols. Discovered by researchers of the CISPA Helmholtz-Center for Information Security, the attack puts an estimated 300,000 Internet hosts and their networks at risk.”

The User Datagram Protocol (UDP) is a core protocol of the Internet Protocol suite that operates at the transport layer. UDP is a simple, lightweight protocol that provides a way for applications to send datagrams, or packets of data, across a network.

UDP is considered a connectionless protocol because it does not establish a direct connection between the sender and receiver before transmitting data. Instead, it simply sends packets without waiting for acknowledgment or establishing a connection.

The technique relies on IP spoofing, an attacker can forge UDP packets with the victim’s IP address and send them to servers that will respond to the victim.

In a simplified scenario, threat actors can target two application servers running a vulnerable version of the protocol. An attacker can start sending to the first server messages using the spoofed address of the second one.

The first server will send an error message in response to the second server, returning another error message to the first server. This process is repeated indefinitely exhausting each other’s resources.

The issue impacts multiple implementations of the UDP protocol, including DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time.

The researchers pointed out that the application-layer loop DoS attack can be triggered from a single spoofing-capable host. 

“For instance, attackers could cause a loop involving two faulty TFTP servers by injecting one single, IP-spoofed error message. The vulnerable servers would then continue to send each other TFTP error messages, putting stress on both servers and on any network link between them.” said Professor Dr. Christian Rossow who is co-author of the study.

The researchers clarified that the loops they identified at the application level are distinct from those observed at the network layer. Consequently, the packet lifetime checks currently in use at the network level are ineffective in halting application-layer loops.

“The newly discovered DoS loop attack is self-perpetuating and targets application-layer messages. It pairs two network services in such a way that they keep responding to one another’s messages indefinitely. In doing so, they create large volumes of traffic that result in a denial of service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack.” continues the researchers. “Previously known loop attacks occurred on the routing layer of a single network and were limited to a finite number of loop iterations.”

Despite around 300,000 hosts and their networks being exposed to Loop DoS attacks, the researchers are not aware of attacks in the wild exploring this issue.

The researchers have published an incomplete list of hardware products that are affected, they are in contact with vendors to verify if their products are impacted. Vulnerability scans suggest that the following vendors may be affected:

  • Arris
  • Broadcom (2023-12-26)
  • Brother (2024-02-06)
  • Cisco (e.g., out-of-life 2800/2970 routers; maintained products unaffected)
  • D-Link
  • Honeywell (2024-01-03, CVE-2024-1309)
  • Hughes Network Systems
  • Microsoft (2024-02-19, in WDS)
  • MikroTik (2024-01-09)
  • PLANET Technology Corporation
  • TP-Link (e.g., out-of-life products TD-W8901G, TD-W8101G, R600VPN, WR740N, TD-W8960N)
  • Zyxel (e.g., end-of-life ZyWALL; maintained products unaffected)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)


facebook linkedin twitter

Hacking hacking news information security news IT Information Security loop DoS attack Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 23, 2025
U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 23, 2025
Sophos fixed two critical Sophos Firewall vulnerabilities
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

    Hacking / July 23, 2025

    Sophos fixed two critical Sophos Firewall vulnerabilities

    Security / July 23, 2025

    French Authorities confirm XSS.is admin arrested in Ukraine

    Cyber Crime / July 23, 2025

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT