Mitel VoIP systems used in staggering DDoS attacks

Miscreants have launched massive, amplified distributed denial-of-service attacks by exploiting a vulnerability in Mitel collaboration systems. Their exploitation technique can, we're told, potentially achieve an amplification factor of almost 4.3 billion to one, meaning a single malicious packet could bring down a stranger's …

  1. Anonymous Coward
    Anonymous Coward

    Ouch

    I wouldn't want to be on the receiving end of that

  2. TeeCee Gold badge
    Thumb Up

    The fact that the list of the gang of whitehats originally investigating the problem includes Mitel, whose shiteware turned out to be responsible for it, caused me to ROFLMFAO!

    1. Anonymous Coward
      Anonymous Coward

      Presumably they were part of the party as it was known their devices were generating the flood?

      Does sound like a "Who, me?" or an "oops" or "ohno-second" moment on behalf of their developers though, to have such a stress-test service just sitting there ready to be attacked, without any serious means of authentication, etc.

  3. Mike 137 Silver badge

    "a stress-test function that required no authentication to activate"

    Once again, someone wasn't thinking - do they ever these days?

    Access to any test functionality absolutely must be restricted to legitimate users - just like config. It's an admin function.

  4. fidodogbreath
    Facepalm

    man wtf

    According to Ars Technica, Mitel recommends that the stress tests should only be reachable internally, but that was apparently not the default configuration. Their update just "automatically ensure[s] the test feature is available inside an internal network."

    Oddly, there was no mention of adding authentication to the stress test 'feature.' Presumably it's still open to abuse by disgruntled employees or hackers with an APT foothold. That seems less than ideal.

    1. SImon Hobson Silver badge

      Re: man wtf

      I would suggest that something like that should default to disabled. Few users will ever need to use it, so why have it available at all without then having to do something active to enable it?

      1. fch

        Re: man wtf

        Back in the days, using such test functionality would have required opening the case, flipping the positions of 10 DIP switches on the config panel, closing the case again, and pushing the hidden "test enable" button that you could only reach by inserting a small needle into the corresponding port. That's when the device would finally react to the "test-enable" packets.

        I guess the Internet of Things made all that much easier. Who'd want to touch hardware anyway.

  5. bjsvec

    2600 idiots

    2600 PBX systems exposed to the public internet? That is some severe idiocy.

    I am actually quite fascinated with how the bad guys managed to discover and manipulate this and equally so that the good guys all worked together to solve it.

  6. Snake Silver badge

    Ah

    As I reported earlier this week, my own systems are getting hit with DDoS port 443 attacks, up to 3 attacks from discrete source IPs per second. This may be the explanation and I await their patching to see if it is mitigated.

  7. martinusher Silver badge

    An old story

    Back in the days when Token Ring was a viable network it came with a comprehensive suite of management protocols that could monitor the network's performance and error states. One of the management elements monitored congestion and signalled when the ring was overloaded. This signalling was done by sending management traffic on the network. So guess what happened when a ring became saturated...
