Distributed denial of service (DDoS) attackers are using a new technique to knock websites offline by targeting vulnerable ‘middleboxes’, such as firewalls, to amplify junk traffic attacks.
Amplification attacks are nothing new and have helped attackers knock over servers with short bursts of traffic as high as 3.47 Tbps. Microsoft last year mitigated attacks on this scale that were the result of competition between online-gaming players.
But there’s a new attack on the horizon. Akamai, a content distribution network firm, says it has seen a recent wave of attacks using “TCP Middlebox Reflection”, referring to transmission control protocol (TCP) – a founding protocol for secured communications on the internet between networked machines. The attacks reached 11 Gbps at 1.5 million packets per second (Mpps), according to Akamai.
The amplification technique was revealed in a research paper last August, which showed that attackers could abuse middleboxes such as firewalls via TCP to magnify denial of service attacks. The paper was from researchers at the University of Maryland and the University of Colorado Boulder.
Most DDoS attacks abuse the User Datagram Protocol (UDP) to amplify packet delivery, generally by sending packets to a server that replies with a larger packet size, which is then forwarded to the attacker’s intended target.
The TCP attack takes advantage of network middleboxes that don’t comply with the TCP standard. The researchers found hundreds of thousands of IP addresses that could amplify attacks by over 100 times utilizing firewalls and content filtering devices.
So, what was a theoretical attack just eight months ago is now a real and active threat.
“Middlebox DDoS amplification is an entirely new type of TCP reflection/amplification attack that is a risk to the internet. This is the first time we’ve observed this technique in the wild,” Akamai says in a blog post.
Firewalls and similar middlebox devices from the likes of Cisco, Fortinet, SonicWall and Palo Alto Networks are key pieces of corporate network infrastructure. Some middleboxes, however, don’t properly validate TCP stream states when enforcing content filtering policies.
“These boxes can be made to respond to out-of-state TCP packets. These responses often include content in their responses meant to ‘hijack’ client browsers in an attempt to prevent users from getting to the blocked content. This broken TCP implementation can in turn be abused to reflect TCP traffic, including data streams, to DDoS victims by attackers,” Akamai notes.
Attackers can abuse these boxes by spoofing the source IP address of the intended victim to direct response traffic from the middleboxes.
In TCP, connections use the synchronize (SYN) control flag to exchange key messages for a three-way handshake. The attackers abuse the TCP implementation in some middleboxes, which causes them to unexpectedly respond to SYN packets. In some cases, Akamai observed that a single SYN packet with a 33-byte payload produced a 2,156-byte response, amplifying its size by 6,533%.
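As an added illustration (not code from the article, Akamai or the researchers), the following Python shows how a defender could score captured flows for this pattern: a SYN that carries a payload, answered by data segments with no SYN-ACK in between, which is the out-of-state behaviour described above. The packet records, addresses and log format are constructed assumptions; the byte counts reuse the article’s 33-byte stimulus and 2,156-byte response.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str    # tcpdump-style TCP flag letters: S=SYN, A=ACK, P=PSH
    payload: int  # TCP payload bytes

# Constructed sample capture summary (assumed format: "src dst flags payload").
# 203.0.113.10 plays the spoofed victim, 198.51.100.1 a hypothetical middlebox,
# 192.0.2.7 a client performing a normal handshake.
SAMPLE_LINES = [
    "203.0.113.10 198.51.100.1 S 33",     # SYN carrying 33 bytes of data
    "198.51.100.1 203.0.113.10 PA 1448",  # data reply, no SYN-ACK preceded it
    "198.51.100.1 203.0.113.10 PA 708",   # second data segment (total 2,156)
    "192.0.2.7 198.51.100.1 S 0",         # ordinary SYN, no payload
    "198.51.100.1 192.0.2.7 SA 0",        # ordinary SYN-ACK
]

def parse_line(line: str) -> Pkt:
    src, dst, flags, payload = line.split()
    return Pkt(src, dst, flags, int(payload))

def reflection_report(pkts: List[Pkt]) -> Dict[Tuple[str, str], dict]:
    """Pair each payload-bearing SYN with data sent back to its claimed source
    without any SYN-ACK, and compute bytes-out / bytes-in per (victim, box)."""
    report: Dict[Tuple[str, str], dict] = {}
    for i, p in enumerate(pkts):
        if p.flags != "S" or p.payload == 0:
            continue  # only SYNs that carry data are the stimulus of interest
        replies = [q for q in pkts[i + 1:] if q.src == p.dst and q.dst == p.src]
        if not replies or any("S" in q.flags for q in replies):
            continue  # a SYN-ACK means a real handshake, not an out-of-state reply
        out_bytes = sum(q.payload for q in replies)
        factor = out_bytes / p.payload
        report[(p.src, p.dst)] = {"in_bytes": p.payload, "out_bytes": out_bytes,
                                  "factor": factor, "percent": round(factor * 100)}
    return report

def flag_amplifiers(report: Dict[Tuple[str, str], dict], min_factor: float = 10.0):
    """Keep only (victim, responder) pairs whose amplification meets the threshold."""
    return {k: v for k, v in report.items() if v["factor"] >= min_factor}

if __name__ == "__main__":
    for key, val in flag_amplifiers(reflection_report([parse_line(l) for l in SAMPLE_LINES])).items():
        print(key, val)
```

On the constructed sample this reports a single pair with a 6,533% amplification and ignores the legitimate handshake; in a real deployment the same pairing logic would run over flow records from the network edge, and any internal device that shows up as a responder is a candidate for patching or for filtering out-of-state SYN handling.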