Cybersecurity experts from Akamai, Cloudflare, Mitel, Netscour, Lumen Black Lotus Labs, The ShadowServer foundation, Telus, and Team Cymru have revealed a DDoS (denial of service attack) with an intensity ratio crossing 4 billion to one and it can be deployed using a single pocket. Termed as CVE-2022-26143, the vulnerability exists around 2600 incorrect provisional Mitel MiCollab and MiVoice Business Express systems that work as a PBX to internet gateways, going through a test mode that shouldn't be exposed on the internet.
"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," ShadowServer blog post writes. You should also note that single packet attention initiation has the capability of precluding network operator traceback of the spoofed attack initiator traffic. It helps to hide the origin of the attack infrastructure, which makes it less possible for the origin of the attack to be identified compared to other UDP reflection/amplification DDoS attack vectors.
A driver in the Mitel system includes a command platform command that executes a stress test of status update packets, thereby theoretically producing 4,294,967,294 packets within 14 hours at a maximum possible prize of 1,184 bytes. ShadowServer further explains "this would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length." The results mean around 2,200,288,816:1 unimaginable amplification ratio.
It indicates a multiplier of 220 Billion percent, caused by a single packet. Fortunately, the Mitel system only processes one command at a time, this means that if a system is compromised by DDoS attacks, the users may think about why the outbound connection is getting disrupted and not available. According to ZDNet, "the first attacks using the exploit began on February 18, these were reflected mainly onto ports 80 and 443, and targeted ISPs, financial institutions, and logistics companies."