German researchers have discovered a vulnerability in Internet protocols that could theoretically affect hundreds of thousands of servers. The vulnerability triggers a “DoS loop” that is difficult to stop.

The Helmholtz Center CISPA from Saarbrücken warns of a vulnerability that could potentially claim many victims. Some commonly used Internet protocols are vulnerable, including NS, NTP, and TFTP, as well as a handful of older protocols. According to the researchers, 300,000 Internet hosts and connected networks could be affected worldwide, including in Europe, although the vulnerability has not yet been actively exploited.

Vicious circle

The vulnerability differs from traditional DoS attacks in that it targets the application layer of the protocols rather than the network layer. The result is a continuous cycle of DoS attacks: network services become interconnected in such a way that they respond indefinitely to each other’s error messages.

As a result, they generate large amounts of data traffic, which leads to a Denial of service for affected systems or networks. Once the circle has started, it is difficult to break: even an attacker cannot stop the DoS loop, the researchers warn.

Easy to exploit

The vulnerability is not being actively exploited yet, but according to the researchers it is not that difficult. The attack is based on IP spoofing and an attacker only needs to inject a single error message into a server to initiate the loop. Then they continue to send each other error messages.

The researchers call for urgent action and visited providers of network servers and devices at the end of 2023 with their findings. Products from Microsoft, Huawei, Broadcom, Cisco, D-Link, TP-Link and Zyxel are among those vulnerable. Watch for updates to network services and implement them as quickly as possible. Code is also available via GitHub to identify potentially vulnerable IT services.