Hacker Planned Terabytes of DDoS Traffic Using a Single Packet

DDoS attack from a single packet

• The attack exploits the CVE-2022-26143 flaw in around 2,600 MiVoice Business Express and Mitel MiCollab systems, which are incorrectly provisioned and act as PBX-to-internet gateways with a test mode exposed to the internet.
• The exploitation of the flaw started on February 18 and mainly reflected onto ports 80 and 443. The attacks were aimed at ISPs, financial institutions, and logistics businesses.

How does it work?

• The driver in Mitel systems has a command that conducts a stress test of status update packets and theoretically produces 4,294,967,294 packets in 14 hours duration with a maximum size of 1,184 bytes.
• Therefore, the testing mode of the exposed systems can be abused to launch a sustained DDoS attack of up to 14 hours using a single spoofed attack initiation packet with an amplification ratio of 4,294,967,296:1
• The Mitel system can process a single command at a time. Hence, during this process, the users may find the system unavailable while the outbound connection is soaked.

Additional insights

• Throughout the attack, the counter packets can generate around 95.5GB of amplified attack traffic aimed at the targeted network. Further, the maximally padded diagnostic output packets generate an additional 2.5TB of attack traffic.
• This yields a sustained flood of 393Mbps of attack traffic from a single reflector or amplifier resulting from a single spoofed attack initiator packet of only 1,119 bytes in length.
• Statistically, this turns out to be a flooding attack with a multiplier of 220 billion percent, triggered by a single packet with an amplification ratio of 2,200,288,816:1.

What to do?