UDP Protocols Under Attack, Causing Package Bouncing

A warning has been issued by the Coordination center CERT (Computer Emergency Response Team) regarding a series of vulnerabilities in the implementations of various applied protocols using the UDP protocol as transport. These vulnerabilities could lead to denial of service attacks by allowing attackers to bounce packages between two hosts. This could result in network capacity exhaustion, blocking network services, creating high loads, exceeding request restrictions, and enabling traffic amplification for DDOS attacks.

Specific vulnerable protocols mentioned in the warning include DNS, NTP, TFTP, ECHO (RFC862), Changen (RFC864), and QTD (RFC865). The presence of vulnerabilities such as CVE-2024-2169 in products from companies like Cisco, Microsoft, Broadadcom Brother, Honeywell, and Mikrotik have been confirmed. To mitigate these vulnerabilities, the CERT recommends implementing measures such as BCP38 routing filters, limiting excess UDP services access, and configuring traffic intensity and QOS restrictions.

The vulnerability stems from the insecurity of the UDP protocol, which lacks protection against address manipulation. Attackers can exploit this by manipulating IP addresses in UDP packets, causing servers to exchange responses indefinitely. For instance, a server may respond to an attacker’s packet with an error code, which in turn triggers a response from another server to the fake address set by the attacker. This results in a continuous exchange of packets between servers, known as a Ping Pong attack.

/Reports, release notes, official announcements.