Security researchers have discovered over 4 million vulnerable Internet hosts that can be weaponized for devastating new denial-of-service attacks, marking one of the largest infrastructure vulnerabilities uncovered in recent years.
The groundbreaking research, conducted by Angelos Beitis and Mathy Vanhoef from DistriNet at KU Leuven, reveals that millions of devices worldwide accept unauthenticated tunneling traffic from any source, creating a massive attack surface for cybercriminals.
Their comprehensive Internet-wide scanning operation identified 3,527,565 vulnerable IPv4 hosts and 735,628 vulnerable IPv6 hosts across 218 countries and territories.
Two Devastating New Attack Methods
The researchers unveiled two particularly dangerous attack techniques that exploit these vulnerable tunneling hosts. The first, called Tunneled-Temporal Lensing (TuTL), concentrates attack traffic in time to overwhelm targets with an amplification factor of at least 16.
This technique allows attackers to send packets across multiple vulnerable host chains, timing their arrival to create devastating traffic spikes.
Even more concerning is the Ping-Pong amplification attack, which loops packets between vulnerable hosts to achieve amplification factors of at least 75. This attack constructs specially crafted tunneling packets that bounce between vulnerable hosts, multiplying the volume of traffic directed at victims.
Beyond traditional DoS attacks, the researchers discovered an Economic Denial of Sustainability (EDoS) attack that specifically targets cloud-hosted services.
By forcing vulnerable hosts to generate massive amounts of outbound traffic, attackers can dramatically increase victims’ cloud computing costs, potentially leading to service disruptions or financial damage.
Massive Global Impact
The vulnerability affects critical tunneling protocols including IP-in-IP (IPIP), Generic Routing Encapsulation (GRE), IPv4-in-IPv6 (4in6), and IPv6-in-IPv4 (6in4).
Perhaps most alarming, nearly 1.86 million of these hosts can be abused to completely spoof source IP addresses, undermining fundamental Internet security assumptions.
The research identified vulnerable systems across 11,027 Autonomous Systems, with China containing approximately 59% of all spoofing-capable hosts.
Major content delivery networks and hosting providers were found to have significant numbers of vulnerable systems.
The researchers assigned four CVE identifiers (CVE-2024-7595, CVE-2024-7596, CVE-2025-23018, and CVE-2025-23019) to track the various protocol vulnerabilities.
They collaborated with CERT/CC, the Shadowserver Foundation, and affected organizations to coordinate disclosure and remediation efforts.
Network administrators are urged to implement proper source address filtering and consider using IPsec to authenticate tunneling traffic.
The researchers recommend deep packet inspection to detect malicious nested tunneling packets and blocking unencrypted tunneling protocols where possible.
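As an illustration of the filtering and inspection recommended above, the following added example (not code from the researchers or the original article) walks the IPIP, 6in4, 4in6 and GRE encapsulation layers of a raw packet and applies two checks: the outer source must be a configured tunnel peer, and the packet must not carry more nested IP headers than expected. The function names, the peer allow-list and the one-inner-header limit are assumptions made for the example.

```python
import ipaddress
import struct

IPIP, IP6, GRE = 4, 41, 47  # IP protocol numbers: IPv4-in-IP, IPv6-in-IP, GRE

def encapsulation_chain(pkt: bytes):
    """Return [(ip_version, source_address), ...], outermost header first."""
    chain = []
    while len(pkt) >= 20:
        version = pkt[0] >> 4
        if version == 4:
            hlen, proto = (pkt[0] & 0x0F) * 4, pkt[9]
            src = ipaddress.ip_address(pkt[12:16])
        elif version == 6 and len(pkt) >= 40:
            hlen, proto = 40, pkt[6]  # simplification: no extension headers
            src = ipaddress.ip_address(pkt[8:24])
        else:
            break
        if hlen < 20:
            break  # malformed IPv4 header length
        chain.append((version, src))
        pkt = pkt[hlen:]
        if proto == GRE and len(pkt) >= 4:
            flags, ethertype = struct.unpack("!HH", pkt[:4])
            if ethertype not in (0x0800, 0x86DD):
                break  # GRE payload is not IPv4/IPv6
            # optional checksum (C), key (K) and sequence (S) fields: 4 bytes each
            optional = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
            pkt = pkt[4 + optional:]
        elif proto not in (IPIP, IP6):
            break  # innermost payload reached
    return chain

def classify(pkt: bytes, allowed_peers, max_inner: int = 1) -> str:
    """Filter decision for one packet arriving at a tunnel endpoint."""
    chain = encapsulation_chain(pkt)
    if len(chain) < 2:
        return "not-tunneled"
    if chain[0][1] not in allowed_peers:
        return "drop: unknown tunnel peer"
    if len(chain) - 1 > max_inner:
        return "drop: nested tunneling"
    return "accept"

def ipv4(src, dst, proto, payload=b""):
    """Build a constructed sample IPv4 packet (checksum left at 0, unchecked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload
```

The same two checks map onto ordinary firewall policy: permit tunnel protocols only from known peer addresses, and inspect or drop packets whose inner payload is itself another tunnel header.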
This discovery represents a critical wake-up call for Internet infrastructure security, highlighting how legacy protocols without proper authentication can create massive attack surfaces in today’s interconnected world.
