In-the-wild DDoS attack can be launched from a single packet to create terabytes of traffic


Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus, and The Shadowserver Foundation have disclosed a denial-of-service amplification vector, triggerable with a single packet, whose amplification ratio surpasses 4 billion to one.

Tracked as CVE-2022-26143, the flaw resides in around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems, which act as PBX-to-internet gateways and include a test mode that should never be exposed to the internet.

“The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” a blog post on Shadowserver explains.

“It should be noted that this single-packet attack initiation capability has the effect of precluding network operator traceback of the spoofed attack initiator traffic. This helps mask the attack traffic generation infrastructure, making it less likely that the attack origin can be traced compared with other UDP reflection/amplification DDoS attack vectors.”

A driver in the Mitel systems contains a command that performs a stress test of status update packets, and can theoretically produce 4,294,967,294 packets across 14 hours at a maximum possible size of 1,184 bytes.

“This would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length,” the blog says.

“This results in a nearly unimaginable amplification ratio of 2,200,288,816:1 — a multiplier of 220 billion percent, triggered by a single packet.”

Thankfully, it turns out the Mitel system can only process a single command at a time, so while a system is being abused for DDoS its legitimate users are likely to notice that it is unavailable and that the outbound connection is saturated, the blog states.

Besides updating the systems, Mitel users can detect and block inappropriate incoming traffic on UDP port 10074 with standard network defence tools, it adds. Those on the receiving end of the attack are advised to use DDoS defences.
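The detection advice above is easy to turn into a log check. The following is an added example, not code from the article or from any of the vendors named in it: it scans firewall or flow records for inbound UDP traffic to port 10074 that does not come from an allowlisted management network, and emits the matching nftables-style rules. The key=value log format, the 10.0.0.0/8 management range and the sample records are all constructed for this example; a real NetFlow or firewall export would need its own parser.

```python
"""Flag inbound UDP/10074 (the exposed Mitel TP240 test facility) in flow logs."""
from dataclasses import dataclass
import ipaddress

# UDP port of the exposed Mitel system test facility, as named in the advisory.
TP240_PORT = 10074

# Constructed sample flow log in a simple key=value format (an assumption;
# real firewall or NetFlow exports differ, only parse_line() needs adapting).
SAMPLE_LOG = """\
ts=2022-02-18T10:00:01Z proto=udp src=203.0.113.7 sport=443 dst=198.51.100.20 dport=10074 bytes=1119
ts=2022-02-18T10:00:02Z proto=udp src=192.0.2.15 sport=5060 dst=198.51.100.20 dport=5060 bytes=800
ts=2022-02-18T10:00:03Z proto=udp src=10.0.0.5 sport=40000 dst=198.51.100.20 dport=10074 bytes=200
ts=2022-02-18T10:00:04Z proto=tcp src=203.0.113.9 sport=51000 dst=198.51.100.20 dport=443 bytes=1500
ts=2022-02-18T10:00:05Z proto=udp src=203.0.113.8 sport=80 dst=198.51.100.21 dport=10074 bytes=1119
"""

# Networks from which the test facility may legitimately be reached
# (hypothetical management range; adjust to your own environment).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    sport: int
    length: int

    @property
    def reflection_target_port(self) -> int:
        # In a spoofed trigger packet the source address and port belong to
        # the victim, so the source port tells you where the amplified
        # reply stream will land (ports 80 and 443 in the reported attacks).
        return self.sport


def parse_line(line: str) -> dict:
    """Parse one key=value flow record into a dict with integer port/byte fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    for key in ("sport", "dport", "bytes"):
        fields[key] = int(fields[key])
    return fields


def is_internal(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def detect_tp240_triggers(log_text: str, internal_nets=INTERNAL_NETS) -> list:
    """Return an Alert for every inbound UDP/10074 datagram from outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["proto"] != "udp" or f["dport"] != TP240_PORT:
            continue
        if is_internal(f["src"], internal_nets):
            continue  # management traffic, expected
        alerts.append(Alert(f["ts"], f["src"], f["dst"], f["sport"], f["bytes"]))
    return alerts


def block_rules(internal_nets=INTERNAL_NETS) -> list:
    """Illustrative nftables input-chain rules: allow the management range, drop the rest."""
    rules = [f"ip saddr {net} udp dport {TP240_PORT} accept" for net in internal_nets]
    rules.append(f"udp dport {TP240_PORT} drop")
    return rules


if __name__ == "__main__":
    for alert in detect_tp240_triggers(SAMPLE_LOG):
        print(f"{alert.ts} trigger from {alert.src} -> {alert.dst}:{TP240_PORT} "
              f"({alert.length} bytes); reflected stream would hit port "
              f"{alert.reflection_target_port}")
    print("\n".join(block_rules()))
```

On the sample log the two external datagrams to port 10074 are flagged, the one from the management range is ignored, and the printed rules allow 10.0.0.0/8 before dropping everything else on UDP/10074. The 1,119-byte length of the flagged packets matches the trigger size quoted in the article, which makes it a useful secondary filter when a log contains other traffic to the same port.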

The first attacks using the exploit began on February 18; they were reflected mainly onto ports 80 and 443, and targeted ISPs, financial institutions and logistics companies.
