Akamai Researchers Say DDoS Attacks Amplification for 4 Billion Times

This week, Akamai experts discovered a unique DDoS amplification vector that can achieve a 4.3 billion to one attack repelling or amplification ratio.

The new attack vector is based on the abuse of unprotected Mitel MiCollab and MiVoice Business Express systems, which act as gateways between virtual PBXs and the Internet and have a dangerous test mode that should not be accessible from the outside. Such devices can serve as reflectors and amplifiers of DDoS attacks.

The new attacks have been dubbed TP240PhoneHome (CVE-2022-26143) and have reportedly been used to launch DDoS attacks targeting ISPs, financial institutions, logistics companies, gaming firms and others.

The researchers say that attackers abuse the mentioned vulnerability CVE-2022-26143 in the driver used by Mitel devices that are equipped with a VoIP TP-240 interface (for example, MiVoice Business Express and MiCollab).

The attacked service in vulnerable Mitel systems is called tp240dvr (TP-240 driver) and works as a software bridge to facilitate interaction with TP-240 VoIP processing interface cards. The daemon listens for commands on the UDP10074 port and is not intended for Internet access, which is confirmed by the manufacturer of these devices. But it is exposure from the internet that ultimately allows [the vulnerability] to be abused.Akamai explains.

The fact is that the mentioned driver contains a traffic generation command, which is needed for client stress testing and is usually used for debugging and performance tests. By misusing this command, attackers can generate powerful traffic from these devices. In addition, this problematic command is active by default.

Experts found about 2,600 unprotected Mitel devices on the Internet that are vulnerable to attacks and can be used to enhance DDoS, and such an attack can last about 14 hours.

The first signs of attacks using Mitel devices were noticed as early as January 8, 2022, and the first attacks using the vulnerable driver began on February 18, 2022.

The reported attacks were primarily based on packets per second and appear to be UDP reflection and amplification attacks originating from UDP 10074 and targeting UDP ports 80 and UDP 443. So far, the only major attack of this type has reached approximately 53 million packets per second and 23 Gb / s. The average packet size for this attack was approximately 60 bytes and the duration of the attack was approximately ~5 minutes. This particular attack vector differs from most UDP reflection and amplification attacks in that the vulnerability can be used to launch a sustained DDoS attack lasting up to 14 hours with just one spoofed packet, resulting in a record amplification factor of 4,294,967,296:1.the report states.

Mitel developers have already released updates for their software that disable public access to the test function. In general, the company describes the problem as an access control vulnerability that can be used to obtain confidential information, and the increase in DDoS attacks is called only a side effect.

Let me remind you that we also talked about Akamai Says Powerful DDoS Attacks Are Becoming the Norm, and also that Lucifer malware uses many exploits, is engaged in mining and DDoS attacks.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *