Ouch
I wouldn't want to be on the receiving end of that
Miscreants have launched massive, amplified distributed denial-of-service attacks by exploiting a vulnerability in Mitel collaboration systems. Their exploitation technique can, we're told, achieve an amplification factor of almost 4.3 billion to one, potentially, meaning a single malicious packet could bring down a stranger's …
Presumably they were part of the party as it was known their devices were generating the flood?
Does sound a like an "Who, me?" or an "oops" or "ohno-second" moment on behalf of their developers though, to have such a stress-test service just sitting there ready to be attacked, without any serious means of authentication, etc.
According to Ars Technica, Mitel recommends that the stress tests should only be reachable internally, but that was apparently not the default configuration. Their update just "automatically ensure[s] the test feature is available inside an internal network."
Oddly, there was no mention of adding authentication to the stress test 'feature.' Presumably it's still open to abuse by disgruntled employees or hackers with an APT foothold. That seems less than ideal.
Back in he days, using such test functionality would have required opening the case, flipping the positions of 10 dip switches on the config panel, closing the case again, pushing the hidden "test enable" button that you only could reach inserting a small needle into the corresponding port. That's when the device would finally react to the "test-enable" packets.
I guess the Internet of Things made all that much easier. Who'd want to touch hardware anyway.
Back in the days when Token Ring was a viable network it came with a comprehensive suite of management protocols that could monitor the network's performance and error states. One of the management elements monitored congestion and signalled when the ring was overloaded. This signalling was done by sending management traffic on the network. So guess what happened when a ring became saturated...