Mitel VoIP systems used in staggering DDoS attacks

One malicious network packet can theoretically spark billions more against a victim

Miscreants have launched massive, amplified distributed denial-of-service attacks by exploiting a vulnerability in Mitel collaboration systems.

Their exploitation technique can, we're told, achieve an amplification factor of almost 4.3 billion to one, potentially, meaning a single malicious packet could bring down a stranger's network.

An amplification attack typically involves sending a small amount of information to a vulnerable network service that causes it to reply with a much larger amount of data. By directing that response at a victim, an attacker can put in a relatively low amount of effort while making other people's machines do all the work of flooding a selected target offline.

In this latest string of DDoS attacks, broadband ISPs, financial institutions, logistics and gaming companies, and organizations in other verticals were pummeled with network packets.

The amplified assaults were spotted last month by various vendors, network operators, and service providers. Those outfits formed a task force – which included Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, NetScout, Team Cymru, TELUS, and The Shadowserver Foundation – to investigate the internet tsunamis and determine how to mitigate them.

They found that about 2,600 MiCollab and MiVoice Business Express PBX-to-internet gateways from Mitel were incorrectly provisioned and exposing to the public internet a stress-test function that required no authentication to activate. This functionality, enabled by sending a special command to UDP port 10074, would cause the software driver for the equipment's TP-240 VoIP hardware to emit a stream of large network packets containing status information to a specific target, overwhelming it. Thus, you send a small command to a bunch of vulnerable boxes, and watch as they all fire off jets of updates at a chosen victim.

Mitel is working with customers regarding the vulnerability – tracked as CVE-2022-26143 – including releasing a patch.

In a write-up mirrored this week on the websites of the task force's members, we're told that the security flaw was abused to send, in one case, 53 million packets per second, totaling 23Gbps, for about five minutes.

"This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," the task force added.

"A controlled test of this DDoS attack vector yielded more than 400 Mpps of sustained DDoS attack traffic."

Indeed, in lab tests the researchers were able to push the hardware to generate massive amounts of traffic in response to what they described as "comparatively small request payloads." They noted that the miscreants' ability to initiate floods with just a few packets helped mask the infrastructure from which the assault was launched, making it difficult for network operators to identify point of origin.

Cybersecurity organizations saw spikes of network traffic linked to the vulnerability on January 8 and February 7; the first actual attacks started February 18.

Typically, in an amplification attack a miscreant has to send a flow of malicious traffic to a service to sustain the flood. In the case of this software driver, dubbed tp240dvr, no such flow is needed: one command will set off it, we're told.

"Instead, an attacker leveraging TP-240 reflection/amplification can launch a high-impact DDoS attack using a single packet," the task force wrote.

"Examination of the tp240dvr binary reveals that, due to its design, an attacker can theoretically cause the service to emit 2,147,483,647 responses to a single malicious command. Each response generates two packets on the wire, leading to approximately 4,294,967,294 amplified attack packets being directed toward the attack victim."

There is some good news in this. The vulnerable service can only handle one such command at a time, which means only one attack at a time. If one of the systems is being used in a DDoS over a particular time, it can't be used for other attacks during that period. In addition, the equipment itself isn't built for performance, and thus a lot of them are needed for a non-trivial DDoS. The researchers also noted the traffic can be detected and mitigated using standard DDoS tools and techniques.

Microsoft, for one, in recent months has fended off two massive attacks against its Azure cloud, with company officials pointing to the rise of inexpensive DDoS services that enable inexperienced threat actors to launch them. In addition, the proliferation of Internet of Things (IoT) devices means there are more network-connected gadgets out there for crooks to hijack and press gang into DDoS-launching botnets.

CrowdStrike said in a report released earlier this year that malware targeting Linux-based IoT devices with the primary goal of absorbing them into a DDoS botnet jumped 35 percent year-over-year in 2021. ®

Other stories you might like

Biting the hand that feeds IT © 1998–2022