Posted on March 3, 2022 at 6:34 AM

Hackers Are Amplifying DDoS Attacks By Abusing TCP Middleboxes

Threat actors are now abusing middleboxes for reflection and amplification using distributed denial-of-service (DDoS0 attacks. Researchers at the University of Colorado and the University of Maryland theorized the use of misconfigured network and censorship systems for DDoS reflection last year.

They showed that threat actors could abuse the censorship infrastructure for the sake of amplifying a DDoS attack up to ratios of 700,000:1. Additionally, the scholars noted that intrusion prevention systems and firewalls deployed to protect systems could also be weaponized by hackers. 

Amplification attacks have been used on several occasions by threat actors to disrupt and infiltrate serves with short bursts of traffic as high as 3.47 tbps. Last year, Microsoft stopped attacks launched on a similar scale during a competition between online gaming players.

However, the recently-discovered DDoS attack using “TCP Middlebox Reflection.,” is more potent, according to the report.

Akamai, a content distribution firm, noted that the recent wave of attacks reached 11 Gbps at 1.5 million packets per second.

The amplification method used by the threat actors was revealed by the scholars, who showed that the attackers can abuse middleboxes like firewalls through TCP to make DDoS attacks more potent. 

Hundreds Of IP Addresses Are At Risk

Generally, the majority of the DDoS attacks compromise the User Datagram Protocol (UDP) to amplify the data delivery. Attackers usually send packets to a server, which responds with a larger packet size before it is delivered to the main target.

The TCP attack abuses the network middleboxes that do not follow the TCP standards. According to the researchers, there are already hundreds of IP addresses that can be used to amplify DDoS attacks by more than 100 times using content filtering devices and firewalls.

Eight months ago, the attack was only discovered by the researchers to be a possibility. However, there are now facts that it is now a real and active threat.

“This is the first time we’ve observed this technique in the wild,” the researchers stated, adding that the Middlebox DDoS amplification is a completely new type of TCP amplification/reflection attack that is very potent and highly risky to the internet.

Firewalls and other middlebox devices from companies like Palo Alto Networks, SonicWall, Fortinet, and Cisco, are important corporate network infrastructures for these organizations. Unfortunately, some middleboxes do not properly validate the state of the TCP streams when they enforce content filtering policies. This provides openings for the threat actors to explore and use them to their advantage.

Threat Actors Can Redirect Response Traffic From The Middleboxes 

As the researchers pointed out, the boxes can be altered to respond to expired TCP packets. Some of the responses can come from actors who are looking to “hijack” client browsers while trying to prevent users from having access to the blocked accounts. this can lead to the abuse of the TCP implementation. It can be abused to reflect TCP traffic to the DDoS victims, who may not see anything wrong with the data until it is too late.

The threat actors can pounce on these boxes and spoof the source IP address of the targeted victims, directing response traffic from the middleboxes.

The researchers say threat actors have now found ways to abuse the TCP implementation in some middleboxes, leading them to respond unexpectedly to SYN package messages. The researchers also noted that from their research, an SYN packet with a 33-byte payload generated a 2,165-byte response, which means that the attack was amplified by an astonishing 6,533%.

Also, even if there was no established TCP connection that is valid, some middleboxes can give certain signals, responding to requests with very large block pages.

Security Teams Asked To Review Their Defensive Strategies 

The Akamai report also revealed that the threat actors can design TCP packet sequences and deliver them to middleboxes. If the request headers have a domain name for a blocked site, it can reply with the entire HTML pages or HTTP headers. 

Usually, in a DDoS attack, the attacker spoofs the source of the targeted victim, which can cause the middleboxes to direct traffic to the new IP. This gives the threat actors a reflection opportunity, which can lead to a major amplification factor in some cases, the report concludes.

The researchers advised that defenders would be aware that the threat is now real and no longer in theory. As a result, they should review their defensive strategies to prepare for the new vector that may become active in the wild.