Amplify and Annihilate: Discovering and Exploiting Vulnerable Tunnelling Hosts

Presented at Black Hat USA 2025 by

This presentation shows how over 4 million Internet hosts can be exploited as one-way proxies and abused to launch powerful DDoS attacks. We focus on hosts using unauthenticated tunnelling protocols, such as IPIP, GRE, 6in4, and 4in6, and demonstrate how attackers can manipulate these hosts into forwarding arbitrary traffic, enabling stealthy spoofing and denial-of-service attacks.

We scanned the whole IPv4 Internet and a subset of the IPv6 space, and identified approximately 4.3 million hosts that can be misused in this manner. These hosts are susceptible to becoming one-way proxies, allowing attackers to abuse them for DoS and spoofing attacks.

Our research also uncovered a critical vulnerability in certain ONT devices: they crashed when receiving specially-crafted tunneled traffic. This resulted in major Internet outages for customers of specific ISPs, and often even required physical access to perform a manual reboot to restore connectivity.

In addition, we introduce two novel amplification DoS techniques. The first is called the Ping-Pong attack and allows an attacker to loop encapsulated traffic between two or more vulnerable hosts, generating significant amplification. The second is called the Tunneled Temporal Lensing (TuTL) attack, and it accumulates packets over time, forcing a victim to receive the collected traffic in a short burst, which can cause a DoS due to the concentrated flood of traffic.
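
A defender-side check for the tunnelling protocols named above, as an added example that is not from the presentation: it classifies raw IP packets as IPIP, GRE, 6in4 or 4in6 by outer protocol number and reports those whose outer source is not a configured tunnel peer. The peer allowlist approach, the function names and the sample packets (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IANA IP protocol numbers for the encapsulations named in the abstract.
IPIP, IPV6, GRE = 4, 41, 47

def classify(pkt: bytes):
    """Return (tunnel_type, outer_src) for a raw IP packet, or None if it is
    not IPIP, GRE, 6in4 or 4in6. IPv6 extension headers are not walked."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        proto, src = pkt[9], ipaddress.ip_address(pkt[12:16])
        names = {IPIP: "IPIP", IPV6: "6in4", GRE: "GRE"}
    elif version == 6 and len(pkt) >= 40:
        proto, src = pkt[6], ipaddress.ip_address(pkt[8:24])
        names = {IPIP: "4in6", GRE: "GRE"}
    else:
        return None
    kind = names.get(proto)
    return (kind, src) if kind else None

def unexpected_tunnel_packets(packets, peers):
    """List (tunnel_type, outer_src) for encapsulated packets whose outer
    source is not inside any configured peer network (assumed allowlist)."""
    allowed = [ipaddress.ip_network(p) for p in peers]
    hits = []
    for pkt in packets:
        hit = classify(pkt)
        if hit and not any(hit[1].version == n.version and hit[1] in n for n in allowed):
            hits.append(hit)
    return hits

def ipv4(src, dst, proto):
    # Constructed sample: bare 20-byte IPv4 header, checksum left at zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def ipv6(src, dst, nxt):
    # Constructed sample: bare 40-byte IPv6 header with no payload.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, nxt, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

PEERS = ["192.0.2.10/32"]  # hypothetical configured tunnel endpoint
SAMPLES = [
    ipv4("192.0.2.10", "198.51.100.1", GRE),     # configured peer: expected
    ipv4("203.0.113.77", "198.51.100.1", IPIP),  # unknown source: reported
    ipv4("203.0.113.78", "198.51.100.1", 6),     # plain TCP: not a tunnel
    ipv4("203.0.113.79", "198.51.100.1", IPV6),  # 6in4 from unknown source
    ipv6("2001:db8::99", "2001:db8:1::1", IPIP), # 4in6 from unknown source
]
```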