Attackers Create Terabytes of DDoS Attack Data Using a Single Packet

Security researchers have disclosed a new type of reflection/amplification attack in which a single original packet is amplified by a ratio of more than 4 billion to one. The attack is distributed, yet it starts from a single packet.

A DDoS attack from a single packet is made possible by a flaw in about 2,600 Mitel MiVoice Business Express and MiCollab systems that were incorrectly set up as PBX-to-internet gateways. The flaw is tracked as CVE-2022-26143, and the attack it enables is known as the TP240PhoneHome reflection/amplification DDoS attack.

Security vulnerabilities are a serious problem for companies. In the first observed attacks, hackers exploited the flaw in the company’s system and primarily focused on ports 80 and 443. The attacks were aimed at ISPs, financial institutions, and logistics businesses.


How does it work?

The driver in the Mitel systems is theoretically capable of producing 4,294,967,294 packets over 14 hours, each up to a maximum size of 1,184 bytes.

The exposed server’s online testing mode is the feature the attacker abuses to launch a DDoS attack. A single spoofed packet is enough to initiate the test, and the resulting stream of packets gives that one packet an amplification ratio of 4,294,967,296:1.

The Mitel system can only process a single such command at a time, so while an abused test is running the system is tied up, and legitimate users may find themselves unable to access other features on it.


Additional information

Researchers also described a way to make the attack even more powerful by turning a targeted network’s own features against it. The attack already generates enough traffic to cripple most networks. Even worse, it can be amplified further with a feature that lets the attacker “pad” the data packets; this adds roughly 2.5TB of traffic, making it virtually impossible for the targeted network to take in any other data.

A single packet that triggers 220 billion percent more attack traffic produces a frightening flood. In the observed attacks, one spoofed packet of 1,119 bytes from a single source produced a sustained flood of 393Mbps. Measured this way, the flooding attack multiplies the original packet by 2,200,288,816:1.

To protect against attacks over UDP port 10074, Mitel users should apply the latest patches to their systems and block traffic on this port. The attack traffic can be detected and blocked by standard network defense tools, and organizations on the receiving end of such an attack should have DDoS defenses in place as well.
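The following is an added example, not code from the article or from Mitel, showing how a defender might turn the two points above into something checkable: the amplification arithmetic from the "How does it work?" section (recovering the roughly 2.2 billion to one ratio from the stated 393Mbps flood, 14-hour duration and 1,119-byte initiator) and the detection and port-blocking advice in the last paragraph. The flow-record format, the sample flows (documentation-range addresses) and the ten-second window are constructed for the example; only UDP port 10074 and the packet sizes come from the article.

```python
"""Flag TP240PhoneHome-style UDP reflection in flow records and estimate its
amplification. Added example: the flow line format, sample data and thresholds
are constructed for illustration and are not from the original article."""
from collections import defaultdict
from dataclasses import dataclass

TP240_PORT = 10074        # UDP port the article recommends blocking
INITIATOR_BYTES = 1119    # size of the single spoofed initiator packet the article cites


@dataclass
class Flow:
    ts: float      # start time in seconds (constructed format)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-export line:
    '<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <packets> <bytes>'"""
    ts, proto, src, arrow, dst, pkts, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), src_ip, int(src_port), dst_ip, int(dst_port),
                proto, int(pkts), int(nbytes))


def is_tp240_reflection(flow: Flow) -> bool:
    """Reflected traffic leaves the exposed Mitel system from UDP/10074 toward the victim."""
    return flow.proto == "UDP" and flow.src_port == TP240_PORT


def amplification_from_rate(mbps: float, seconds: float,
                            initiator_bytes: int = INITIATOR_BYTES) -> float:
    """Convert a sustained flood rate and its duration back into a bytes-based
    amplification ratio relative to the single initiator packet."""
    total_bytes = mbps * 1e6 / 8 * seconds
    return total_bytes / initiator_bytes


def summarize_reflections(lines, window_seconds: float) -> dict:
    """Aggregate reflected packets/bytes per (reflector, victim) pair and derive
    the observed rate and per-initiator byte amplification for the window."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        flow = parse_flow(line)
        if is_tp240_reflection(flow):
            key = (flow.src_ip, flow.dst_ip)
            totals[key]["packets"] += flow.packets
            totals[key]["bytes"] += flow.nbytes
    report = {}
    for key, t in totals.items():
        report[key] = {
            "packets": t["packets"],
            "bytes": t["bytes"],
            "mbps": t["bytes"] * 8 / window_seconds / 1e6,
            "byte_amplification": t["bytes"] / INITIATOR_BYTES,
        }
    return report


def victim_side_rules(report: dict) -> list:
    """Edge ACL lines a victim could apply following the article's advice to block
    the port: drop UDP traffic sourced from 10074 on each observed reflector.
    Standard iptables syntax; the addresses come from the detection report."""
    reflectors = sorted({reflector for reflector, _victim in report})
    return [f"iptables -A INPUT -s {ip} -p udp --sport {TP240_PORT} -j DROP"
            for ip in reflectors]


# Constructed ten-second sample: one exposed Mitel system (203.0.113.10) flooding a
# victim web server with 1,184-byte packets, mixed with ordinary DNS and HTTPS flows.
SAMPLE_FLOWS = [
    "0.0 UDP 203.0.113.10:10074 -> 198.51.100.5:443 100000 118400000",
    "1.0 UDP 192.0.2.53:53 -> 198.51.100.5:41022 1 120",
    "2.0 UDP 203.0.113.10:10074 -> 198.51.100.5:443 100000 118400000",
    "3.5 TCP 192.0.2.77:51234 -> 198.51.100.5:443 40 6200",
    "4.0 UDP 203.0.113.10:10074 -> 198.51.100.5:443 100000 118400000",
    "6.0 UDP 203.0.113.10:10074 -> 198.51.100.5:443 100000 118400000",
    "8.0 UDP 203.0.113.10:10074 -> 198.51.100.5:443 100000 118400000",
]

if __name__ == "__main__":
    report = summarize_reflections(SAMPLE_FLOWS, window_seconds=10)
    for (reflector, victim), stats in report.items():
        print(f"{reflector} -> {victim}: {stats['mbps']:.1f} Mbps, "
              f"{stats['byte_amplification']:.0f}x the initiator packet")
    for rule in victim_side_rules(report):
        print(rule)
    print(f"article figures imply ~{amplification_from_rate(393, 14 * 3600):.3e}:1")
```

Running the block prints the reflector-to-victim pair at 473.6 Mbps for the constructed window, the matching drop rule, and an amplification of about 2.2e9:1 recovered from the article's own rate, duration and initiator size, which agrees with the published 2,200,288,816:1 to within about one percent. The rate-based estimate is only as good as the assumption that the flood is uniform over the whole duration.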