Millions of computer servers vulnerable to DoS-attacks due to misconfiguration

hack security upnp ddos

Researchers at the KU Leuven university in Belgium discovered a security flaw in millions of tunneling hosts worldwide, allowing hackers to abuse servers for their own purposes. The researchers discovered three new DoS attacks, enabled by the poor configuration.

Researchers at KU Leuven university in Belgium have uncovered a security problem in millions of so-called tunneling hosts worldwide. The vulnerable servers can be abused by hackers to hide their identities, gain access to private networks or carry out DoS (Denial of Service) attacks.

Millions of servers vulnerable

Tunneling hosts connect computer networks together, but in many cases appear to be poorly secured. Researchers from the DistriNet group at KU Leuven analyzed millions of servers worldwide with test packets and found that over four million hosts were vulnerable. Most of the insecure servers are in China, France, Japan and the U.S., but Telenet customers in Flanders were also found to be susceptible.

The problem lies with the widely used protocols IP in IP and GRE (Generic Routing Encapsulation). Neither protocol provides encryption or sender authentication on its own, so the tunnel has to be protected separately with IPsec (Internet Protocol Security). In practice, this often does not appear to be done. In total, the researchers found 3.5 million vulnerable hosts with IPv4 addresses and 700,000 with IPv6 addresses.

Three new attacks

The researchers also discovered three new attack methods that exploit insecure tunneling hosts.

  • Ping-Pong attack: With this attack, criminals send packets endlessly back and forth between servers, overloading networks.
  • Tunnelled Temporal Lensing attack: Packets in this case take different routes to a target and arrive simultaneously, causing an explosion in network traffic. Again, overloading is the goal.
  • Economic DoS attack: Hackers send huge amounts of data, causing victims to incur high costs.

These attack techniques can have serious consequences for businesses and governments that depend on stable networks.

Importance of secure configuration

The researchers shared their findings with organizations and companies worldwide, including the Shadowserver Foundation and Carnegie Mellon University’s Cyber Emergency Response Team (CERT). In Flanders, Telenet was also informed.

To mitigate the risk, it is crucial that organizations configure tunneling hosts correctly. This means accepting tunnel traffic only from trusted IP addresses and using protocols that provide encryption and authentication, such as IPsec.
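The two points above, that IP in IP and GRE carry no sender authentication and that a tunnel host should therefore accept encapsulated traffic only from known peers, can be illustrated with a small packet check. The following is an added example written for this page, not code from the KU Leuven researchers or from any tunneling product. It constructs a few raw IPv4 packets inline (using documentation address ranges), parses the outer and inner headers of IP-in-IP (protocol 4) and GRE (protocol 47) packets, and flags any encapsulated packet whose outer source is not in a trusted-peer allowlist. The `TRUSTED_PEERS` list and the sample packets are assumptions made for the demonstration; the inner addresses it prints show why the outer source, not the inner header, has to be the basis for trust.

```python
import ipaddress
import struct

# IANA protocol numbers for the encapsulations discussed in the article.
TUNNEL_PROTOCOLS = {4: "IP-in-IP", 41: "IPv6-in-IPv4", 47: "GRE"}

# Constructed allowlist for the demonstration (RFC 5737 documentation range).
TRUSTED_PEERS = [ipaddress.ip_network("198.51.100.0/24")]


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 packet (no options; checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) for an IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def gre_inner_ipv4(payload):
    """Locate the inner IPv4 packet behind a GRE header (RFC 2784/2890 layout)."""
    if len(payload) < 4:
        return None
    flags, ethertype = payload[0], struct.unpack("!H", payload[2:4])[0]
    # Optional fields: checksum+reserved (C), key (K), sequence number (S), 4 bytes each.
    offset = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
    if ethertype != 0x0800:
        return None
    return parse_ipv4(payload[offset:])


def check_tunnel_packet(packet, trusted_peers):
    """Classify one packet arriving at a tunnel host and return a verdict dict.

    Encapsulated packets whose outer source is not a trusted peer are flagged:
    IP-in-IP and GRE carry no authentication, so the inner addresses are simply
    whatever the sender chose to write.
    """
    parsed = parse_ipv4(packet)
    if parsed is None:
        return {"verdict": "malformed"}
    src, dst, proto, payload = parsed
    if proto not in TUNNEL_PROTOCOLS:
        return {"verdict": "not-tunnel", "proto": proto}
    result = {"encap": TUNNEL_PROTOCOLS[proto], "outer_src": src, "outer_dst": dst}
    inner = parse_ipv4(payload) if proto == 4 else gre_inner_ipv4(payload) if proto == 47 else None
    if inner:
        result["inner_src"], result["inner_dst"] = inner[0], inner[1]
    trusted = any(ipaddress.ip_address(src) in net for net in trusted_peers)
    result["verdict"] = "accept" if trusted else "drop-untrusted-peer"
    return result


# Constructed sample traffic: one trusted IP-in-IP packet, one IP-in-IP and one
# GRE packet from untrusted peers that claim private inner addresses, one plain TCP packet.
INNER = build_ipv4("10.0.0.5", "10.0.0.9", 6, b"inner payload")
GRE_KEYED = bytes([0x20, 0x00]) + struct.pack("!H", 0x0800) + struct.pack("!I", 1234) + INNER
SAMPLE_PACKETS = [
    build_ipv4("198.51.100.7", "203.0.113.1", 4, INNER),
    build_ipv4("192.0.2.55", "203.0.113.1", 4, build_ipv4("10.0.0.1", "10.0.0.9", 6, b"")),
    build_ipv4("192.0.2.200", "203.0.113.1", 47, GRE_KEYED),
    build_ipv4("192.0.2.9", "203.0.113.1", 6, b"plain tcp"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(check_tunnel_packet(pkt, TRUSTED_PEERS))
```

The same decision is what a firewall rule restricting protocols 4, 41 and 47 to a list of peer addresses implements at the packet filter; the script is useful as a log-side check on captured traffic, and as a reminder that without IPsec the inner header proves nothing about who sent the packet.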