The Looming Threat of TCP-based DDoS Reflection Amplification Attack

What is DDoS reflection amplification?

• First documented in the early 2000s, DDoS attacks were initially launched against websites by overwhelming a victim’s hosting infrastructure with malicious packets.
• As the years went by, methods to carry out DDoS attacks diversified. One of the most dangerous methods was the DDoS reflection amplification attack.
• The technique effectively allows attackers to reflect and amplify traffic towards a victim’s infrastructure via an intermediary point.
• Servers running UDP-based protocols such as SNMP, DNS, NetBIOS, CoAP, and NTP serve as the best vectors for this kind of attack. 

New TCP-based attack

• Making matters worse, a group of academics stated that network middleboxes such as firewalls, Network Address Translators (NATs), load balancers, and Deep Packet Inspection (DPI) boxes can be weaponized to launch more sophisticated DDoS reflection amplification attacks.
• They found a flaw in the design of middleboxes that attackers can abuse to send a malformed sequence of TCP packets. 
• During the research, academics found that adult content, gambling, social media, and file sharing domains can be a potential vector to trigger the new TCP-based DDoS reflection amplification attack.

The concerning part

• While the attack vector has not yet been used in the wild, the researchers claim that these TCP-based attacks are far larger than the original reflection amplification attacks abusing UDP protocol.
• Furthermore, the research team has found that 200 million IPv4 addresses corresponding to networking middleboxes are vulnerable to the new form of DDoS attack.

Addressing the threat