DDoS Attacks Amplification
A new reflection/amplification DDoS method is being used in attacks that provides a record-breaking amplification ratio of almost 4.3 billion to 1.
Distributed Denial of Service (DDoS) attacks target servers or networks with many requests and high volumes of data, aiming to deplete their available resources and cause a service outage.
The amplification ratio is critical when conducting attacks, as the higher the number, the easier it is for threat actors to overwhelm well-protected endpoints with less firepower.
A monstrous amplification level
As detailed in a report that Akamai shared with Bleeping Computer before publication, a new attack vector relies on the abuse of insecure devices that serve as DDoS reflectors/amplifiers.
Reflection attacks start with a small packet reflected inside a closed network, with its size amplified on each bounce. When it reaches the possible upper limit, the resulting volume of traffic is channeled to the target.
For this new DDoS method, threat actors are abusing a vulnerability tracked as CVE-2022-26143 in a driver used by Mitel devices that incorporate the TP-240 VoIP interface, such as MiVoice Business Express and MiCollab.
Akamai has counted 2,600 exposed Mitel devices currently vulnerable to this amplification flaw, and the vendor is already handling remediation with its customers.
The driver in question exposes a traffic-generation command designed to stress-test clients, intended for debugging and performance testing.
By abusing this command, attackers can generate massive volumes of network traffic from these devices. Unfortunately, this is possible because the risky command is enabled by default.
Attacks in the wild
The first signs of attacks abusing Mitel devices were noticed on January 8, 2022, while the first actual attacks leveraging the vulnerable driver began on February 18, 2022.
The targets were governments, commercial enterprises, financial institutions, logistic firms, broadband access ISPs, and other important organizations.
One notable difference between this vector and most UDP reflection methods is that it can sustain lengthy DDoS attacks, lasting for up to 14 hours.
Evaluated from this perspective, the packet amplification ratio reaches 4,294,967,296:1, and the attack traffic can reach 400 Mpps with a sustained flood of 393 Mb/s.
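The two properties that distinguish this vector, the packet amplification ratio and the multi-hour duration, are also what a defender can score on when sifting flow records for reflectors that are being aimed at a victim. The following is an added illustration, not code from Akamai's report; the record field names and the thresholds are assumptions, and the flow records are constructed.

```python
"""Score UDP flow records for reflection/amplification candidates.

Added example (not Akamai's tooling). Each constructed record folds one
reflector -> victim exchange into request packets, response packets and
duration; field names are assumptions, not a real NetFlow schema.
"""
from collections import defaultdict

# Constructed sample records. The first mirrors the TP-240 profile described
# in the text: one triggering packet, ~4.29 billion response packets, 14 hours.
SAMPLE_FLOWS = [
    {"reflector": "203.0.113.10", "victim": "198.51.100.5", "proto": "udp",
     "req_pkts": 1, "resp_pkts": 4_294_967_296, "duration_s": 14 * 3600},
    {"reflector": "203.0.113.11", "victim": "198.51.100.5", "proto": "udp",
     "req_pkts": 10, "resp_pkts": 300, "duration_s": 2},       # ordinary chatter
    {"reflector": "203.0.113.12", "victim": "198.51.100.9", "proto": "tcp",
     "req_pkts": 500, "resp_pkts": 200_000, "duration_s": 30},  # not spoofable
    {"reflector": "203.0.113.13", "victim": "198.51.100.9", "proto": "udp",
     "req_pkts": 5, "resp_pkts": 2_500, "duration_s": 120},     # short burst
]


def amplification_ratio(req_pkts: int, resp_pkts: int) -> float:
    """Packets sent toward the victim per triggering packet (guard against 0)."""
    return resp_pkts / max(req_pkts, 1)


def score_flows(flows, ratio_threshold=50.0, sustained_s=3600):
    """Group suspected reflectors by victim.

    Only UDP is considered, since reflection relies on spoofed source
    addresses; each hit carries its ratio and whether the flood lasted at
    least `sustained_s` seconds (assumed threshold), the trait that sets this
    vector apart from typical short-lived UDP reflection.
    """
    hits = defaultdict(list)
    for f in flows:
        if f["proto"] != "udp":
            continue
        ratio = amplification_ratio(f["req_pkts"], f["resp_pkts"])
        if ratio < ratio_threshold:
            continue
        hits[f["victim"]].append({
            "reflector": f["reflector"],
            "ratio": ratio,
            "sustained": f["duration_s"] >= sustained_s,
        })
    return dict(hits)
```

Reflectors flagged this way are candidates for upstream rate limiting or filtering toward the victim and for notifying the reflector's operator, not proof of compromise on their own.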