CVE-1999-0514 in Hostinfo

Summary

by MITRE

UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/17/2026

The vulnerability described in CVE-1999-0514 represents a fundamental network security flaw related to UDP broadcast message handling that enables a specific type of denial of service attack known as a fraggle attack. This vulnerability exists in systems that permit UDP messages to be sent to broadcast addresses without proper restrictions or filtering mechanisms. The flaw stems from the lack of access control and packet validation when processing broadcast traffic, creating an opening for malicious actors to exploit network protocols designed for legitimate multicast communication. The vulnerability specifically affects systems where UDP broadcast messages are accepted and processed without adequate security controls, making them susceptible to abuse by attackers who can leverage the protocol's broadcast nature to overwhelm target systems.

The technical implementation of this vulnerability allows attackers to send UDP packets to broadcast addresses with specific port numbers that are commonly used for services like chargen or echo protocols. When systems receive these packets, they respond by sending large amounts of data back to the source address, which in many cases is spoofed to appear as the target system. This creates a massive flood of traffic directed at the intended victim, consuming network bandwidth and system resources. The attack exploits the inherent design of UDP broadcast communication where responses are sent to the source address specified in the packet header, enabling the attacker to redirect traffic from the target system to itself or to other systems on the network. This mechanism operates at the network layer and can be executed without requiring authentication or complex exploitation techniques, making it particularly dangerous and easy to implement.

The operational impact of this vulnerability extends beyond simple network disruption to potentially compromise entire network infrastructure and services. Systems affected by this vulnerability can experience complete denial of service, where legitimate network traffic becomes impossible to process due to resource exhaustion from the flood of malicious packets. The attack can be executed from multiple sources simultaneously, amplifying the impact and making it difficult to filter or mitigate using traditional network security measures. Network administrators may find their systems unable to handle normal traffic loads while simultaneously processing massive amounts of broadcast traffic, leading to cascading failures in network services and potential data loss. This vulnerability particularly affects older systems and network configurations that do not implement proper broadcast filtering or rate limiting mechanisms.

The mitigation strategies for this vulnerability involve implementing robust network security controls at multiple levels of the network infrastructure. Network administrators should configure firewalls and routers to block incoming UDP broadcast traffic to prevent unauthorized systems from sending broadcast messages to network segments. Implementing proper access control lists and packet filtering rules can effectively prevent the propagation of broadcast traffic that could be used for fraggle attacks. Additionally, systems should be configured to disable or restrict services that respond to broadcast UDP messages, particularly those that provide responses to chargen or echo protocols. The implementation of rate limiting and traffic shaping mechanisms can help detect and prevent abnormal traffic patterns that indicate an ongoing attack. Organizations should also consider implementing network segmentation to isolate critical systems from broadcast domains where possible, reducing the attack surface and potential impact of such vulnerabilities. This vulnerability aligns with CWE-1107 which addresses insufficient broadcast filtering and relates to ATT&CK technique T1498 which covers network denial of service attacks. Proper network security configuration and regular vulnerability assessments are essential to prevent exploitation of this class of vulnerabilities that have persisted in network infrastructure for decades.

Disclosure

03/01/1998

Moderation

accepted

Entry

VDB-14088

CPE

ready

EPSS

0.01613

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!