Security researchers, network operators and security vendors have detected a new reflection/amplification distributed denial-of-service (DDoS) vulnerability that is being actively exploited to launch multiple high-impact DDoS attacks. TP240PhoneHome (CVE-2022-26143) has a record-breaking potential amplification ratio of 4,294,967,296:1 (2^32) and abuses collaboration systems produced by Mitel, with the potential to cause significant collateral impact to businesses.

Attacks have been observed against broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Mitel has released patched software that disables the abusable test facility, and attacks can be mitigated using standard DDoS-defense techniques. The findings come from a collaborative research and mitigation task force with contributors including NETSCOUT, Akamai, Cloudflare and Mitel.

DDoS attacks target MiCollab and MiVoice systems

A spike in DDoS attacks sourced from User Datagram Protocol (UDP) port 10074 was observed in mid-February 2022. Upon further investigation, it was determined that the devices abused to launch these attacks were Mitel MiCollab and MiVoice Business Express systems, primarily used to provide internet-based site-to-site voice connectivity for PBX systems, according to a blog post by NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT).

“Approximately 2,600 of these systems have been incorrectly provisioned so that an unauthenticated system test facility has been inadvertently exposed to the public internet, allowing attackers to leverage these PBX VoIP gateways as DDoS reflectors/amplifiers,” ASERT said.
Mitel is aware of the issues and has been actively working with customers to remediate abusable devices.

Vector differs from most UDP reflection/amplification attack methods

Observed attacks were primarily predicated on packet rate (packets per second, pps) rather than bit rate, and appeared to be UDP reflection/amplification attacks sourced from UDP/10074 that were mainly directed toward destination ports UDP/80 and UDP/443, ASERT explained. Interestingly, ASERT said that the vector differs from the majority of UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration via a single spoofed attack initiation packet. “A controlled test of this DDoS attack vector yielded more than 400 Mpps of sustained DDoS attack traffic.”

ASERT also noted that this single-packet attack initiation capability precludes network operator traceback of the spoofed attack initiator traffic: with only one spoofed packet to trace, there is no sustained stream for upstream operators to follow hop by hop back toward its origin. This helps mask the attack traffic generation infrastructure and makes it less likely that the origin is traced than with other UDP reflection/amplification DDoS attack vectors.

Attacks target TP-240 driver via internet exposure

The abused service on affected Mitel systems is called tp240dvr (TP-240 driver). It runs as a software bridge that facilitates interactions with TDM/VoIP PCI interface cards, and it is its exposure to the internet that allows attackers to exploit it. “The service listens for commands on UDP/10074 and is not meant to be exposed to the internet, as confirmed by the manufacturer of these devices,” ASERT said. “The tp240dvr service exposes an unusual command that is designed to stress test its clients in order to facilitate debugging and performance testing. This command can be abused to cause the tp240dvr service to send this stress test to attack victims.
The traffic consists of a high rate of short informative status update packets that can potentially overwhelm victims and cause the DDoS scenario.”

The command can also be abused by attackers to launch very high-throughput attacks. Researchers were able to force devices to generate large amounts of traffic in response to comparatively small request payloads.

Threats to organizations significant despite limited attack simultaneity

The threats posed to organizations with internet-exposed Mitel MiCollab and MiVoice Business Express collaboration systems are potentially significant, ASERT warned. “This may include partial or full interruption of voice communications through these systems, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of network address translations, stateful firewalls, and so forth.” This is despite the fact that the tp240dvr service can only be used to launch one attack at a time and that the devices run on relatively low-powered hardware in terms of their traffic-generation capabilities, ASERT added.

“Amplification greatly increases the potency of DDoS attacks; the greater the amplification, the easier it is to overwhelm defenses,” Netenrich principal threat hunter John Bambenek tells CSO.
“If you can send more attack traffic than an organization can handle (with whatever defenses they have protecting them) then they are offline.” This is greatly heightened during times of geopolitical conflict, as DDoS is often the first tool reached for by activists, governments, and bystanders looking for attack techniques, he says.

Mitigating the risks of amplified DDoS attacks

“Operators of internet-exposed TP-240-based Mitel MiCollab and MiVoice Business Express collaboration systems can prevent abuse of their systems to launch DDoS attacks by blocking incoming internet traffic destined for UDP/10074 via ACLs, firewall rules, and other standard network access control policy enforcement mechanisms,” ASERT wrote. Furthermore, amplified attack traffic can be detected, classified, traced, and safely mitigated using standard DDoS defense tools and techniques.

“Flow telemetry and packet capture via open-source and commercial analysis systems can alert network operators and end customers,” ASERT said, while network access control lists, flowspec, destination-based remotely triggered blackhole (RTBH), source-based RTBH, and intelligent DDoS mitigation systems can also be used, it continued.

“Mitel has provided patched software versions that prevent TP-240–equipped MiCollab and MiVoice Business Express collaboration systems from being abused as DDoS reflectors/amplifiers by preventing exposure of the service to the internet, and Mitel customers should contact the vendor for remediation instructions,” ASERT said.
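The flow-telemetry detection ASERT describes comes down to two indicators in exported flow records: UDP traffic arriving at port 10074 (someone poking the tp240dvr test facility, whose source address is the spoofed victim, not the attacker) and UDP traffic leaving port 10074 at a high packet rate (the stress-test stream itself). The example below is added here to illustrate that triage and is not code from ASERT, Mitel or the task force; the flow record layout, the operator prefix list, the alert threshold and the sample records are all constructed assumptions to be replaced with your own collector's data.

```python
"""Triage NetFlow/IPFIX-style records for TP-240 (tp240dvr, UDP/10074) abuse.

Added example, not from the ASERT advisory or Mitel. Record layout, prefix
list, threshold and sample flows are assumptions; adapt to your collector.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

UDP = 17
TP240_PORT = 10074            # tp240dvr command/test-facility port (per ASERT)
PPS_ALERT_THRESHOLD = 10_000  # assumption: far above normal VoIP signaling rates


@dataclass(frozen=True)
class Flow:
    """One exported flow record: 5-tuple plus packet counter and duration."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    packets: int
    duration_s: float

    @property
    def pps(self) -> float:
        # Single-packet records export a zero duration; treat as a one-second bucket.
        return self.packets / max(self.duration_s, 1.0)


def classify(flow: Flow) -> str | None:
    """Return the TP-240 role of a flow, or None if unrelated.

    'reflection': UDP leaving port 10074, the stress-test stream the abused
                  PBX emits toward the (spoofed) victim address.
    'initiation': UDP arriving at port 10074, the command that starts the
                  test. Its source address is the victim, not the attacker.
    """
    if flow.proto != UDP:
        return None
    if flow.src_port == TP240_PORT:
        return "reflection"
    if flow.dst_port == TP240_PORT:
        return "initiation"
    return None


def triage(flows, local_prefixes):
    """Split TP-240 flows into the two things an operator must act on.

    reflectors: local hosts emitting the stream (or receiving initiation
                packets), i.e. exposed Mitel systems to ACL and patch.
    victims:    local hosts receiving the stream, i.e. targets to mitigate
                with ACLs/flowspec on src port 10074, RTBH or scrubbing.
    """
    nets = [ipaddress.ip_network(p) for p in local_prefixes]

    def is_local(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    reflectors = defaultdict(lambda: {"peak_pps": 0.0, "peers": set(), "initiations": 0})
    victims = defaultdict(lambda: {"peak_pps": 0.0, "peers": set()})

    for f in flows:
        role = classify(f)
        if role == "reflection":
            if is_local(f.src_ip):
                r = reflectors[f.src_ip]
                r["peak_pps"] = max(r["peak_pps"], f.pps)
                r["peers"].add(f.dst_ip)
            if is_local(f.dst_ip):
                v = victims[f.dst_ip]
                v["peak_pps"] = max(v["peak_pps"], f.pps)
                v["peers"].add(f.src_ip)
        elif role == "initiation" and is_local(f.dst_ip):
            # Any packet reaching UDP/10074 from outside confirms exposure.
            reflectors[f.dst_ip]["initiations"] += 1

    def alerting(table):
        return {ip: d for ip, d in table.items()
                if d["peak_pps"] >= PPS_ALERT_THRESHOLD or d.get("initiations", 0) > 0}

    return {"reflectors": alerting(reflectors), "victims": alerting(victims)}


LOCAL_PREFIXES = ["192.0.2.0/24"]  # constructed: the operator's own space (RFC 5737)

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    # spoofed initiation packet: source is the intended victim, dst is our PBX
    Flow("203.0.113.5", "192.0.2.10", UDP, 51000, 10074, 1, 0.0),
    # our PBX emitting the stress-test stream toward that victim
    Flow("192.0.2.10", "203.0.113.5", UDP, 10074, 443, 6_000_000, 60.0),
    # someone else's PBX flooding a host inside our network
    Flow("203.0.113.9", "192.0.2.20", UDP, 10074, 80, 3_000_000, 30.0),
    # benign DNS, and an unrelated TCP flow that happens to use port 10074
    Flow("192.0.2.30", "203.0.113.9", UDP, 41000, 53, 10, 1.0),
    Flow("192.0.2.10", "203.0.113.5", 6, 10074, 443, 100, 1.0),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS, LOCAL_PREFIXES)
    for ip, d in result["reflectors"].items():
        print(f"EXPOSED REFLECTOR {ip}: peak {d['peak_pps']:.0f} pps, "
              f"{d['initiations']} initiation pkt(s), victims {sorted(d['peers'])}")
    for ip, d in result["victims"].items():
        print(f"VICTIM {ip}: peak {d['peak_pps']:.0f} pps from {sorted(d['peers'])}")
```

Feed it records for both directions of your border links: a local address in the reflectors table is a Mitel system that needs the UDP/10074 ingress ACL and the vendor patch, while a local address in the victims table is where to apply flowspec or RTBH. Note that the initiation record's source (203.0.113.5) is the victim, so blocking or reporting it as the attacker would be wrong; that is exactly the traceback problem the single-packet trigger creates.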