Loop DoS: New Denial-of-Service Attack targets Application-Layer Protocols

Researchers at CISPA disclosed a new application-layer Denial-of-Service technique that pairs UDP-based services so they continuously exchange messages, creating self-sustaining traffic loops that can deny service. The flaw affects both legacy and modern UDP application protocols and can be triggered by a single spoofing-capable host. #TFTP #DNS #NTP #CISPA

Keypoints

  • Application-layer Loop DoS pairs two UDP-based application services so they repeatedly respond to each other, generating sustained traffic until service or network is degraded.
  • The attack affects both legacy protocols (Daytime, Time, Active Users, Echo, Chargen, QOTD) and contemporary protocols (TFTP, DNS, NTP).
  • A single IP-spoofing-capable host can inject a trigger (e.g., a crafted error message) to start the loop between two vulnerable services.
  • Once initiated, the loop is self-perpetuating and cannot be interrupted by traditional network-layer packet lifetime checks.
  • CISPA estimates roughly 300,000 Internet hosts are vulnerable based on confirmed implementations.
  • Example exploitation involves inducing two faulty TFTP servers to exchange error messages indefinitely, stressing both servers and intervening links.

MITRE Techniques

  • [T1566] Phishing – Used to deliver StrelaStealer via email attachments (‘Attackers initiate a large-scale email campaign with attachments that eventually launch the StrelaStealer’s DLL payload.’)
  • [T1204] User Execution – Victims are tricked into executing a JScript file from an attachment to run the payload (‘Victims are tricked into executing a JScript file from a ZIP attachment, leading to the execution of the StrelaStealer payload.’)
  • [T1543] Create or Modify System Process – The malware creates a service on the system to maintain persistence (‘The StrelaStealer payload creates a service on the system to maintain persistence.’)
  • [T1027] Obfuscated Files or Information – The payload uses obfuscation to hinder analysis and evade detection (‘StrelaStealer employs updated obfuscation techniques in the DLL payload to make analysis difficult and evade detection.’)
  • [T1140] Deobfuscate/Decode Files or Information – A JScript decodes a Base64 file into a PE DLL (‘The JScript file decodes a Base64-encrypted file, resulting in the creation of a Portable Executable (PE) DLL file.’)
  • [T1112] Modify Registry – Malware modifies Windows registry to disable security features (‘StrelaStealer modifies the Windows registry to disable security features and avoid detection.’)
  • [T1552.001] Unsecured Credentials: Credentials In Files – The malware targets stored email credentials in client files (‘StrelaStealer aims to steal email login data from well-known email clients.’)
  • [T1071] Application Layer Protocol – Stolen data and commands are exchanged with C2 over HTTP/HTTPS (‘StrelaStealer communicates with its C2 server over HTTP/HTTPS to exfiltrate stolen data and possibly receive further commands.’)
  • [T1041] Exfiltration Over C2 Channel – Stolen credentials are sent to an attacker-controlled C2 server (‘Stolen email credentials are sent back to the attacker’s C2 server, which can then be used for further attacks or espionage activities.’)

Indicators of Compromise

  • No IoCs Found

Application-layer Loop DoS attacks exploit UDP-based application protocols by creating a persistent request/response loop between two vulnerable services. An attacker injects a single spoofed message (for example, a TFTP error packet) that causes both services to generate responses targeted at each other; those responses in turn trigger further responses, producing an indefinite, self-sustaining exchange of application-layer messages that amplifies traffic on the involved hosts and network links.

The technique requires only one spoofing-capable host to start the loop and bypasses standard network-layer defenses: packet lifetime checks (e.g., TTL) do not interrupt these application-layer exchanges because the messages are valid at the application level. Confirmed vulnerable implementations include TFTP, DNS, and NTP and the legacy protocols Daytime, Time, Active Users, Echo, Chargen, and QOTD, yielding an estimated attack surface of roughly 300,000 hosts.

Because the loop is self-perpetuating, mitigation focuses on fixing protocol implementations so they do not generate unconditional responses to spoofed or unexpected application messages, deploying anti-spoofing (BCP 38) to prevent source address forgery, and hardening services to validate request context before replying. Once a loop is active, it persists until one of the endpoints or the network path is altered or the vulnerable implementation is patched.
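To make the mechanism and the fix concrete, the following added example (not from the CISPA paper or any real TFTP implementation) models two TFTP endpoints in memory: a "faulty" handler that answers every unexpected packet, including ERROR packets, with its own ERROR, and a "hardened" handler that follows RFC 1350 and never acknowledges an ERROR. A single spoofed trigger keeps two faulty endpoints exchanging messages until the round cap; with even one hardened endpoint the exchange dies after at most one reply. The handler names, the constructed trigger packet and the round cap are assumptions of this example.

```python
import struct

OP_ERROR = 5  # TFTP opcode for ERROR packets (RFC 1350)


def tftp_error(code: int, msg: str) -> bytes:
    """Build a TFTP ERROR packet: opcode 5, 16-bit error code, NUL-terminated text."""
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\x00"


def faulty_handler(pkt: bytes):
    """Constructed model of a vulnerable server: anything it cannot serve, including an
    incoming ERROR, is answered with an ERROR. Data transfer is out of scope here."""
    return tftp_error(4, "Illegal TFTP operation")


def hardened_handler(pkt: bytes):
    """Constructed model of a fixed server: drops runt packets and never replies to an
    ERROR (RFC 1350: errors are not acknowledged), so it cannot feed a loop."""
    if len(pkt) < 4:
        return None
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode == OP_ERROR:
        return None
    return tftp_error(4, "Illegal TFTP operation")  # single reply to a bad request


def simulate_loop(handler_a, handler_b, trigger: bytes, max_replies: int = 1000):
    """Deliver a spoofed trigger to A as if it came from B, then relay each reply to the
    other side. Returns (replies_sent, total_bytes); replies_sent == max_replies means
    the exchange never terminated on its own."""
    handlers = (handler_a, handler_b)
    pkt, turn, replies, total_bytes = trigger, 0, 0, len(trigger)
    while pkt is not None and replies < max_replies:
        pkt = handlers[turn % 2](pkt)
        turn += 1
        if pkt is not None:
            replies += 1
            total_bytes += len(pkt)
    return replies, total_bytes


if __name__ == "__main__":
    trigger = tftp_error(0, "loop trigger")  # constructed spoofed trigger packet
    for label, a, b in (("faulty <-> faulty", faulty_handler, faulty_handler),
                        ("hardened <-> faulty", hardened_handler, faulty_handler),
                        ("faulty <-> hardened", faulty_handler, hardened_handler)):
        replies, total = simulate_loop(a, b, trigger)
        print(f"{label}: {replies} replies, {total} bytes on the wire")
```

The first pairing runs to the cap and keeps growing traffic linearly with the cap, while either hardened pairing stops after zero or one reply, which is why the fix belongs in the implementation rather than in TTL-style network-layer checks.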

Read more: https://cispa.saarland/group/rossow/Loop-DoS