New amplification techniques have been seen in the wild that allow for more powerful DDoS attacks.

The most extreme of these, TP240PhoneHome (CVE-2022-26143), comes from approximately 2,600 PBX-to-internet gateways with an abusable system test facility exposed to the public internet. This would allow an attacker to flood a victim with a large amount of network traffic by sending a single small request. This amplification effect allows for much larger bandwidth exhaustion attacks than would be possible otherwise.

Other techniques abuse content-filtering middleboxes operated by network providers. One causes such a device to return censorship notification pages thousands of times larger than the initial request. Another exhausts resources by tricking the equipment into holding open TCP connections, of which only a limited number are available.


A DDoS attack can exhaust the bandwidth available to a service and prevent legitimate traffic from getting through.

Vulnerability Detection

The Mitel service listens on UDP/10074 and is not designed to be exposed to the internet; affected deployments are those on which this port is reachable from untrusted networks.

Affected Products

Mitel MiCollab and MiVoice Business Express collaboration systems

Containment, Mitigations & Remediations

Standard DDoS-defense techniques are effective against the attack traffic. Operators of affected Mitel systems should additionally ensure that UDP/10074 is not reachable from the internet, since the service is not designed to be exposed there.

Indicators of Compromise

There are no indicators of compromise associated with a denial-of-service attack. Indicators of an attack can manifest at any of the levels of the OSI model, but are most commonly:
– Excessive network traffic
– Excessive memory or processor utilisation
– System resource exhaustion
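The "excessive network traffic" indicator above has a recognisable shape for this vector: many distinct reflector hosts all answering from the Mitel service port (UDP/10074, per the Vulnerability Detection section) towards one destination at high volume. The following is an added example, not code from the advisory or from Mitel, that runs that check over constructed NetFlow-style log lines; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

MITEL_TEST_PORT = 10074  # UDP port of the Mitel system-test facility named in this advisory

# Constructed sample flow-log lines (NetFlow-style export), not real captures.
SAMPLE_LOG = """\
2022-03-08T12:00:01Z udp 198.51.100.10:10074 -> 203.0.113.5:443 pkts=2000 bytes=2400000
2022-03-08T12:00:01Z udp 198.51.100.11:10074 -> 203.0.113.5:443 pkts=1800 bytes=2160000
2022-03-08T12:00:02Z udp 198.51.100.12:10074 -> 203.0.113.5:443 pkts=2200 bytes=2640000
2022-03-08T12:00:02Z udp 192.0.2.7:53 -> 203.0.113.5:33411 pkts=3 bytes=600
2022-03-08T12:00:03Z tcp 192.0.2.8:443 -> 203.0.113.9:51234 pkts=40 bytes=30000
2022-03-08T12:00:03Z udp 198.51.100.20:10074 -> 203.0.113.9:5060 pkts=1 bytes=200
"""

# Assumed line layout: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> pkts=<n> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) pkts=(?P<pkts>\d+) bytes=(?P<bytes>\d+)$"
)

def parse_flows(text):
    """Parse flow-log lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                d[k] = int(d[k])
            flows.append(d)
    return flows

def find_reflection_floods(flows, port=MITEL_TEST_PORT, min_reflectors=2, min_bytes=1_000_000):
    """Group UDP flows whose *source* port is the reflector service port by destination.
    Many distinct sources, one destination, high volume: the shape of reflected traffic."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != port:
            continue
        v = per_victim[f["dst"]]
        v["reflectors"].add(f["src"])
        v["bytes"] += f["bytes"]
        v["packets"] += f["pkts"]
    return {
        victim: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"], "packets": v["packets"]}
        for victim, v in per_victim.items()
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes
    }
```

Running `find_reflection_floods(parse_flows(SAMPLE_LOG))` flags only 203.0.113.5 (three reflectors, 7,200,000 bytes); the single low-volume flow towards 203.0.113.9 stays below both thresholds. Tune the thresholds to the baseline of the monitored link.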

Threat Landscape

DDoS attacks have been used heavily in Ukraine recently.

Mitre Methodologies

T1498 – Network Denial of Service: Reflection Amplification

Further Information

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

CVE-2022-26143: A Zero-Day vulnerability for launching UDP amplification DDoS attacks

TCP Middlebox Reflection: Coming to a DDoS Near You