New vulnerabilities in four tunneling protocols have exposed 4.2 million internet hosts, including VPN servers and home and enterprise routers, making it possible for attackers to hijack the devices and access corporate and home networks.
Attackers can abuse these vulnerable hosts as one-way proxies, which lets them launch a broad range of anonymous attacks, many of them against private networks, said Top10VPN researchers in a Jan. 15 blog post.
The researchers said the attacks include new denial-of-service (DoS) techniques and DNS spoofing, which in turn allows for traditional DoS attacks, TCP hijacking, SYN floods and Wi-Fi attacks.
According to the researchers, the vast majority of the attacks have been in Brazil, China, France, Japan, and the United States.
Jason Soroko, senior fellow at Sectigo, explained that these flaws let attackers spoof source addresses and route packets through unsuspecting hosts, enabling malicious traffic to appear legitimate. Soroko said the real danger lies in the variety of attacks this makes possible, including stealthy DDoS, DNS spoofing, unauthorized network access, and infiltration of IoT devices.
“Security and networking teams should ensure that tunneled traffic is only accepted from trusted endpoints,” said Soroko. “They should implement proper source validation, apply vendor patches for affected products, and deploy strict firewall rules. Hardening tunneling configurations and verifying that authentication checks are in place will greatly reduce exposure, preventing attackers from abusing these protocols to launch anonymous attacks.”
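As an added illustration, not code from the article or from the researchers, the following Python models the source validation Soroko describes: a tunnel endpoint decapsulates a packet only if the outer source is an allowlisted peer, the inner source belongs to the prefix that peer is expected to send, and the inner destination is a network the tunnel is meant to serve. Peer addresses, prefixes and sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (hypothetical addresses): each trusted outer peer
# maps to the inner source prefixes it is allowed to encapsulate.
TRUSTED_PEERS: dict[str, list[ipaddress.IPv4Network]] = {
    "198.51.100.10": [ipaddress.ip_network("10.10.0.0/16")],
    "203.0.113.5": [ipaddress.ip_network("10.20.0.0/16")],
}
# Networks this endpoint is meant to deliver decapsulated traffic into.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class TunnelPacket:
    outer_src: str  # source of the encapsulating packet
    inner_src: str  # source carried inside the tunnel
    inner_dst: str  # where the decapsulated packet would be forwarded

def check_tunnel_packet(pkt: TunnelPacket) -> tuple[bool, str]:
    """Decide whether to decapsulate and forward pkt; returns (accept, reason)."""
    allowed_inner = TRUSTED_PEERS.get(pkt.outer_src)
    if allowed_inner is None:
        # Unknown outer source: it is trivially spoofable, so never trust it.
        return False, "outer source is not a trusted tunnel peer"
    inner_src = ipaddress.ip_address(pkt.inner_src)
    if not any(inner_src in net for net in allowed_inner):
        return False, "inner source not valid for this peer (possible spoofing)"
    inner_dst = ipaddress.ip_address(pkt.inner_dst)
    if not any(inner_dst in net for net in LOCAL_NETS):
        # Forwarding to arbitrary destinations is what makes the host a one-way proxy.
        return False, "inner destination outside local networks (proxy abuse)"
    return True, "accepted"

def audit(packets: list[TunnelPacket]) -> dict[str, int]:
    """Count packets by decision reason, e.g. for a detection dashboard."""
    counts: dict[str, int] = {}
    for pkt in packets:
        _, reason = check_tunnel_packet(pkt)
        counts[reason] = counts.get(reason, 0) + 1
    return counts

# Constructed sample traffic.
SAMPLE = [
    TunnelPacket("198.51.100.10", "10.10.4.2", "10.30.0.9"),   # legitimate
    TunnelPacket("192.0.2.77", "10.10.4.2", "10.30.0.9"),      # untrusted peer
    TunnelPacket("203.0.113.5", "10.10.4.2", "10.30.0.9"),     # wrong inner source
    TunnelPacket("198.51.100.10", "10.10.4.2", "192.0.2.200"), # proxy abuse
]
```

Running `audit(SAMPLE)` accepts only the first packet and attributes each of the other three to a distinct rejection reason.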
Trey Ford, chief information security officer at Bugcrowd, said tunneling and amplification-based attacks are an age-old problem. He said they've been used in various ways for the last 30 years, ranging from Kevin Mitnick's SYN flood DoS in the early '90s, through DNS recursion in the early 2000s, to other protocols, including NTP, LDAP and Memcached, in the 2010s.
“Security teams should take the time to harden edge devices,” said Ford. “Anything connected to the internet is exposed to unexpected and uninvited traffic — narrowing the scope of where listening services are willing to accept requests from is always a good idea. If customers are not using these services, they should be shut down.”