Researchers Discover DDoS Attack Vector with 4 Billion-Fold Amplification
This week, experts from Akamai uncovered a unique DDoS amplification vector that enables attackers to achieve a reflection or amplification ratio of 4.3 billion to one. The new attack method exploits unsecured Mitel MiCollab and MiVoice Business Express systems, which act as gateways between virtual PBXs and the internet and contain a dangerous test mode that should not be accessible externally. These devices can serve as reflectors and amplifiers for DDoS attacks.
TP240PhoneHome Vulnerability (CVE-2022-26143)
The new attacks have been named TP240PhoneHome (CVE-2022-26143), and reports indicate they have already been used to launch DDoS attacks targeting internet service providers, financial institutions, logistics companies, gaming firms, and other organizations.
Researchers explain that attackers exploit the CVE-2022-26143 vulnerability in a driver used by Mitel devices equipped with the VoIP TP-240 interface (such as MiVoice Business Express and MiCollab).
"The vulnerable service in affected Mitel systems is called tp240dvr (TP-240 driver) and acts as a software bridge to facilitate interaction with VoIP TP-240 interface cards," Akamai experts explain. "The daemon listens for commands on UDP port 10074 and is not intended to be accessible from the internet, as confirmed by the device manufacturer. However, internet exposure ultimately allows the vulnerability to be abused."
How the Attack Works
The driver in question contains a traffic generation command used for stress-testing clients and typically for debugging and performance testing. By abusing this command, attackers can generate powerful traffic streams from these devices. Notably, this problematic command is enabled by default.
Specialists found about 2,600 unsecured Mitel devices online that are vulnerable to attack and can be used for DDoS amplification. Such an attack can last up to 14 hours.
Timeline and Impact
- The first signs of attacks using Mitel devices were observed on January 8, 2022.
- The first attacks exploiting the vulnerable driver began on February 18, 2022.
"The recorded attacks mainly focused on packets per second and appeared to be UDP reflection and amplification attacks originating from UDP port 10074 and targeting UDP ports 80 and 443," the report states. "So far, the only major attack of this type reached about 53 million packets per second and 23 Gbps. The average packet size for this attack was about 60 bytes, and the attack lasted approximately 5 minutes.
"This particular attack vector differs from most UDP reflection and amplification attacks in that the vulnerability can be used to launch a sustained DDoS attack lasting up to 14 hours with just a single spoofed packet, resulting in a record amplification ratio of 4,294,967,296:1."
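The traffic profile described above (UDP sourced from port 10074, roughly 60-byte packets at a very high packet rate, plus a test service that should never be reachable from the internet) translates into a simple flow-based detection. The following is an added example, not code from Akamai or Mitel; it assumes a simplified CSV flow format, constructed sample records, and that 198.51.100.0/24 is the defended network.

```python
import ipaddress

# Constructed sample flow records (not real telemetry), one per line:
# proto,src_ip,src_port,dst_ip,dst_port,packets,bytes,duration_s
SAMPLE_FLOWS = """\
udp,203.0.113.10,10074,198.51.100.5,443,15900000000,954000000000,300
udp,203.0.113.11,10074,198.51.100.5,80,3000000,180000000,300
udp,198.51.100.7,53,198.51.100.5,33434,40,5200,1
udp,192.0.2.25,41000,198.51.100.9,10074,1,60,0
udp,198.51.100.20,52000,198.51.100.9,10074,3,180,1
tcp,203.0.113.10,10074,198.51.100.5,443,10,600,1
"""

TP240_PORT = 10074  # UDP port tp240dvr listens on (from the report)
MONITORED_NET = ipaddress.ip_network("198.51.100.0/24")  # assumed: our address space


def parse_flows(text):
    """Parse the simplified CSV flow format above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        proto, sip, sp, dip, dp, pk, by, dur = line.split(",")
        flows.append({"proto": proto, "src_ip": sip, "src_port": int(sp),
                      "dst_ip": dip, "dst_port": int(dp), "packets": int(pk),
                      "bytes": int(by), "duration": float(dur)})
    return flows


def classify(flows, net=MONITORED_NET):
    """Return (reflection_alerts, exposure_alerts) for the TP240 pattern."""
    reflection = []  # external host sending UDP *from* 10074 into our network
    exposure = []    # external host reaching UDP 10074 *inside* our network
    for f in flows:
        if f["proto"] != "udp":
            continue
        src_ext = ipaddress.ip_address(f["src_ip"]) not in net
        dst_int = ipaddress.ip_address(f["dst_ip"]) in net
        if src_ext and dst_int and f["src_port"] == TP240_PORT:
            # Reflected flood: report rate and mean size so it can be compared
            # with the ~60-byte, very high pps profile described in the report.
            reflection.append({"reflector": f["src_ip"], "victim": f["dst_ip"],
                               "pps": f["packets"] / max(f["duration"], 1.0),
                               "avg_pkt_bytes": f["bytes"] / f["packets"]})
        elif src_ext and dst_int and f["dst_port"] == TP240_PORT:
            # The test service should never be reachable from outside, so even
            # a single packet is worth an alert (it is all the attack needs).
            exposure.append({"mitel_host": f["dst_ip"], "source": f["src_ip"]})
    return reflection, exposure
```

Exposure alerts identify Mitel hosts whose UDP 10074 is reachable from outside and should be firewalled or patched; reflection alerts identify reflectors whose operators (or upstream providers) can be notified.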
Mitigation and Updates
Mitel has already released software updates that disable public access to the test function. The company describes the issue as an access control vulnerability that could be used to obtain confidential information, with DDoS amplification being a side effect.