HIGH: Loop DoS Report

DESCRIPTION LAST UPDATED: 2024-03-20

DEFAULT SEVERITY LEVEL: HIGH

This report contains information about hosts that can be abused in a novel type of Denial-of-Service (DoS) attacks: application-layer loop DoS. Such loop DoS attacks become possible if two network services indefinitely respond to each other’s messages. The hosts contained in this file have been found to cause such endless loop patterns. If you receive this report for your network or experience abuse of such hosts, consult the advisory on how to mitigate the resulting attacks.

The application-layer loop DoS vulnerabilities were discovered by the security researchers Yepeng (Eric) Pan and Christian Rossow from the CISPA Helmholtz Center for Information Security in Germany.

To illustrate the attack vector, imagine two DNS resolvers that respond with an error message when receiving an error message as input. If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth — indefinitely. The figure below shows such an example we identified among real DNS servers. An attacker can cause a loop among two faulty DNS servers by injecting a single, IP-spoofed DNS server failure message. Once injected, the servers continuously send DNS error messages back and forth, putting stress on both servers and any network link connecting them.

Loop DoS attack illustration

If you receive the report for your network, we would appreciate feedback as to the vendor/product involved. This is necessary for us to alert vendors to patch this vulnerability. You can report feedback via e-mail to loop-dos (at) shadowserver.org or simply Contact Us.

Severity levels are described here.

Filename prefix: scan_loop_dos .

Fields

  • timestamp
    The timestamp when an event was observed (UTC+0)
  • severity
    Severity level
  • ip
    IP address of the affected device.
  • protocol
    Protocol (TCP or UDP)
  • port
    TCP or UDP port identified
  • hostname
    Hostname of device (see Hostname source)
  • tag
    Additional tags for more insight
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • naics
    North American Industry Classification System Code
  • hostname_source
    hostname_source
  • sector
    Sector of the IP in question
  • detail
    Set to "loop-dos" for context
  • application
    Application layer protocol (service for example, dns, ntp, tftp)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","detail","application"
"2010-02-10 00:00:00",high,192.168.0.1,udp,69,node01.example.com,tftp,64512,ZZ,Region,City,0,ptr,,loop-dos,tftp
"2010-02-10 00:00:01",high,192.168.0.2,udp,69,node02.example.com,tftp,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",loop-dos,tftp
"2010-02-10 00:00:02",high,192.168.0.3,udp,69,node03.example.com,tftp,64512,ZZ,Region,City,0,ptr,,loop-dos,tftp

Our 132 Report Types