Malicious actors are starting to add TCP middlebox reflection to their arsenal

Middleboxes now being used for DDoS attacks in the wild, Akamai finds

In 2021, researchers warned about a new kind of DDoS attack that took advantage of network middleboxes to carry out reflection amplification on the TCP protocol. Last week, Akamai reported the first wave of TCP middlebox reflection DDoS attacks in the wild.

Akamai’s findings show that malicious actors are starting to add TCP middlebox reflection to their arsenal and possibly honing it for larger attacks in the future.

What is TCP reflection amplification?

A reflection amplification attack is one in which the attacker poses as the victim, sends a request to an open server, and the server sends a response to the victim that is much larger than the request.

There have been some very large reflection attacks on protocols such as DNS, NTP, and Memcached. But reflection attacks have historically been limited to UDP because it is connectionless and needs no initial setup between the server and client.

Last year, at the Usenix Security Symposium, a group of researchers at the University of Maryland and the University of Colorado proved that attackers could leverage middleboxes such as firewalls, IDS/IPS systems, or even web censorship infrastructure to stage reflection amplification attacks against TCP protocols such as HTTP and HTTPS.

CATCH UP Data wiper deployed in cyber-attacks targeting Ukrainian systems

The researchers showed that attackers could trigger middleboxes by spoofing the victim’s IP address and requesting a filtered webpage. The middlebox then sends its filtered content response page to the victim without going through the TCP handshake process – a mechanism that can be exploited to stage reflection amplification attacks.

The attack has the same magnitude as its UDP equivalent, and in some cases, the middlebox and victim can amplify the attack infinitely.

Akamai’s findings

Akamai recently found real instances of TCP reflection amplification attacks on its clients’ networks. In one case, a single SYN packet with a 33-byte payload triggered a 2,156-byte response, a 65x amplification factor. Another case showed a single request by the attacker getting the middlebox and victim stuck in an infinite loop of self-perpetuating amplification.

“This is an easily abused service and there are quite a number of vulnerable boxes deployed throughout the internet across all types of networks, from enterprise to censorship systems deployed by governments,” Larry Cashdollar from the Akamai Security Intelligence Response Team told The Daily Swig.

Read more of the latest hacking news from around the world

The first attacks Akamai observed reached a peak of 50 Mbps. But the actors behind the attacks gradually honed and fine-tuned their techniques and their more recent TCP middlebox reflection attacks hit peaks of 2.7 Gbps and 11 Gbps.

“So far banking, travel, gaming, media, and web hosting industries have been targeted but we expect the variety of targets to grow as this attack technique gains in popularity,” Cashdollar said.

Akamai warns that although TCP middlebox reflection amplification attacks are still relatively small, attackers are starting to “pick up on the middlebox attack technique and beginning to leverage it as yet another tool in their DDoS arsenal.”

The decreasing costs of DDoS attacks

Regarding Akamai’s findings, Kevin Bock, the lead author of the TCP middlebox reflection paper, told The Daily Swig, “Unfortunately, we weren’t surprised to see the report – we expected that it was only a matter of time until these attacks were being carried out in the wild, because they are easy and highly effective.

“Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”

In their research, Bock and his colleagues found that there are millions of IP addresses that can be made to look like they were the origins of these attacks, which makes it much harder for operators to stop attacks by simply blocking IP addresses.

RELATED Cloudflare bug bounty program goes public with $3,000 rewards on offer

“Overall, [Akamai’s] report aligns closely with our findings, and the attackers appear to be directly using the packet sequences and triggering domains that we demonstrated in the paper,” Bock said.

In light of Akamai’s findings, Omer Yoachimik, product manager at Cloudflare, warned about DDoS attacks becoming more pervasive.

“The price and effort required to launch DDoS attacks keeps decreasing – making it easier and cheaper for malicious actors to launch attacks or if they lack the technical know-how, hire a DDoS-as-a-Service to target their victim,” he told The Daily Swig.

“This new attack vector expands the attacker’s toolbox and provides yet another method to help them disrupt the Internet. The economics of launching DDoS attacks continues to favor the attacker.”

Protecting against TCP middlebox reflection DDoS

TCP middlebox DDoS attacks are a developing threat, but Akamai’s security team has already found some signs that are indicative of TCP reflection amplification.

“In real-world applications, with very few exceptions, SYN packets are used to initiate the TCP handshake; they’re not used for data transmission,” Cashdollar said. “This means that SYN floods with a length greater than 0 bytes should be suspect, and might be a metric that you can leverage for mitigation.”

Cloudflare’s Yoachimik suggested that “to shift the attack economics balance in favor of the victims, it is recommended to protect your Internet properties using an always-on, automated DDoS protection service with sufficient capacity.”

YOU MIGHT ALSO LIKE Critical Axeda vulnerabilities pose takeover risk to hundreds of IoT devices