Palo Alto warns of firewall vulnerability used in DDoS attack on service provider

Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack.

On August 19, the company made all patches available for CVE-2022-0028 – which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software. 

Palo Alto Networks said it recently learned that an attempted reflected denial-of-service — a version of a DDoS attack — was identified by a service provider and took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks.

A reflection amplification attack

Security firm NetScout described a reflection amplification attack as a technique used by hackers to “both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic. 

This type of DDoS attack overwhelms the target, causing disruption or outage of systems and services, according to NetScout.

The company added that reflection amplification attacks are dangerous because the servers used for these types of attacks “can be ordinary servers with no clear sign of having been compromised, making it difficult to prevent them.”

They have become a preferred tactic among cybercriminals in recent years because they require minimal effort to conduct and create enormous volumetric attacks by using a modest source of bots or a single robust server, NetScout explained. 

First documented in the early 2000s, DDoS attacks were initially carried out by hijacking home computers to launch requests to websites, all at the same time, in order to overwhelm a victim’s hosting infrastructure.

As the years went by, methods to carry out DDoS attacks also diversified. One of the most dangerous of these methods was the so-called “DDoS reflective amplification attack.” This happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker (thanks to a technique known as IP spoofing).

The technique effectively allows attackers to reflect/bounce and amplify traffic towards a victim via an intermediary point.

Over the last two years, academics from the University of Maryland and the University of Colorado Boulder said they discovered a way to abuse firewalls and other network middleboxes to launch giant DDoS attacks against any target on the internet.

In its advisory, Palo Alto Networks described a situation where an attacker could use CVE-2022-0028, which has a CVSS score of 8.6, to “conduct reflected and amplified TCP denial-of-service (RDoS) attacks” that “would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.”

The Cybersecurity and Infrastructure Security Agency added CVE-2022-0028 to its list of known exploited vulnerabilities on Monday and ordered federal civilian agencies to patch the bug before September 12. 

The agency only adds bugs that are under active exploitation. 

Record-breaking attacks

Bud Broomhead, CEO at IoT security firm Viakoo, said the ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is “part of an overall trend to use amplification to create massive DDoS attacks.”

He went on to reference Google’s recent announcement that one of its customers was targeted with the largest DDoS attack ever recorded, peaking at 46 million requests per second.

To put it in perspective, they compared the attack to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.”

Viakoo said that attack and others will “put more focus on systems that can be exploited to enable that level of amplification.”

Palo Alto noted in its release that the resulting attack may “help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.”

The company provided a range of workarounds and mitigation solutions alongside patches. The issue was discovered by cybersecurity company Excellium-Services S.A. based in Luxembourg and Belgium.

In June, Cloudflare announced it had stopped the largest HTTPS distributed denial of service (DDoS) attack ever recorded at 26 million requests per second, surpassing a then-record attack of 17.2 million requests, which at the time was almost three times larger than any previous volumetric DDoS attack ever reported in the public domain.

Both Cloudflare and Google have expressed concerns about the evolution of DDoS attacks in recent years as they grow in frequency and exponentially in size.

“Attack sizes will continue to grow and tactics will continue to evolve,” researchers from Google said last Friday. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.