Over 4 Million Internet-Exposed Devices Exploited in Emerging DoS Attacks

A staggering 4.26 million vulnerable Internet-connected devices that can be exploited to launch devastating denial-of-service (DoS) attacks.

The comprehensive study, published in their latest research paper, reveals that these exposed systems accept unauthenticated tunneling traffic from any source, creating a massive attack surface that threatens global Internet infrastructure.

The vulnerability affects multiple tunneling protocols including IP-in-IP (IPIP), Generic Routing Encapsulation (GRE), IPv4-in-IPv6 (4in6), IPv6-in-IPv4 (6in4), and IPv6-in-IPv6 (IP6IP6) protocols.

Among the discovered hosts, 3.53 million are IPv4 systems and 735,628 are IPv6 systems, with nearly 1.86 million devices capable of complete IP address spoofing.

The security vulnerabilities span across 218 countries and territories, affecting over 11,000 Autonomous Systems (ASs) worldwide.

The U.S. Computer Emergency Readiness Team (CERT) has assigned four CVE identifiers to these vulnerabilities: CVE-2024-7595 for GRE protocols, CVE-2024-7596 for Generic UDP Encapsulation, CVE-2025-23018 for IPv4-in-IPv6 and IPv6-in-IPv6 protocols, and CVE-2025-23019 for IPv6-in-IPv4 protocol.

These vulnerabilities represent a generalization of the previously known CVE-2020-10136 vulnerability, extending the security concerns to multiple tunneling protocols.

DoS Attack Methods Discovered

The implications of these vulnerabilities extend far beyond simple DoS attacks. The exposed systems can be abused as one-way proxies, enabling adversaries to spoof source IP addresses and bypass network security controls

The research team has identified two particularly dangerous new DoS attack methods that exploit these vulnerable tunneling hosts.

The first, dubbed “Ping-Pong amplification attack,” creates a devastating loop between vulnerable hosts by constructing tunneling packets that contain other tunneling packets as inner packets.

This method achieves an amplification factor of at least 75x, meaning attackers can generate 75 times more traffic than they initially send.

The second attack, called “Tunneled-Temporal Lensing” (TuTL), concentrates traffic in time by sending packets across multiple different chains of vulnerable hosts.

This sophisticated technique ensures that traffic arrives simultaneously at the victim, creating concentrated bursts that can overwhelm target systems with an amplification factor of at least 16×1.

Both attacks represent a significant escalation in DoS capabilities, as they can be launched with minimal resources while generating massive traffic volumes.

The researchers also discovered an Economic Denial of Sustainability (EDoS) attack variant that drains the outgoing bandwidth of cloud-hosted vulnerable systems, potentially causing unexpected financial costs for victims through increased bandwidth charges.

Global Network Security

The research team has identified two particularly dangerous new DoS attack methods that exploit these vulnerable tunneling hosts.

This capability undermines years of progress in implementing source address filtering, which was designed to prevent IP spoofing attacks.

Perhaps most concerning is the potential for unauthorized access to private networks. Attackers can craft specially designed tunneling packets that reveal details about victims’ internal network configurations, facilitating subsequent attacks on supposedly protected infrastructure.

The research also released the possibility of “administrative DoS” attacks, where spoofed malicious traffic triggers abuse reports that could lead to service disruptions or account suspensions for innocent victims.

Organizations worldwide are urged to implement immediate countermeasures, including restricting tunneling protocols to accept traffic only from trusted sources, deploying IPsec for authentication and encryption, and implementing proper ingress and egress filtering.

Network administrators should also consider deep packet inspection to detect and block malicious tunneling packets, particularly those with unusual characteristics such as recursively nested headers that indicate potential attack traffic.

The discovery highlights the urgent need for better security practices in implementing tunneling protocols, as these critical Internet infrastructure components continue to be deployed without adequate security considerations.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.