Researchers have demonstrated a new DDoS reflection amplification vector that achieves amplification factors of 1000x and more. It is the first practical demonstration of reflection amplification over TCP, a protocol whose three-way handshake had long been assumed to rule such attacks out because a compliant TCP stack never sends more than a bare header in reply to an unsolicited packet.

What is DDoS reflection amplification?

  • First documented in the early 2000s, DDoS attacks were initially launched against websites by overwhelming a victim’s hosting infrastructure with malicious packets.
  • As the years went by, methods to carry out DDoS attacks diversified. One of the most dangerous methods was the DDoS reflection amplification attack.
  • The technique lets an attacker send requests with the victim’s address spoofed as the source to a third-party server (the reflector), which answers directly to the victim; when the answer is larger than the request, the reflector also amplifies the traffic.
  • Servers running UDP-based protocols such as SNMP, DNS, NetBIOS, CoAP, and NTP are the usual reflectors: UDP has no handshake, so a spoofed request is answered without any check that the source really sent it, and a small query can elicit a response many times its size.

New TCP-based attack

  • Making matters worse, a group of academics has shown that network middleboxes such as firewalls, Network Address Translators (NATs), load balancers, and Deep Packet Inspection (DPI) boxes can be weaponized for TCP-based DDoS reflection amplification attacks.
  • The flaw lies in how these middleboxes track TCP state: they act on a crafted, incomplete sequence of TCP packets (for example a SYN followed by a data segment carrying an HTTP request) without ever seeing a completed handshake, so a request with a spoofed source address draws a response that is delivered to the victim.
  • During the research, the academics found that HTTP requests for domains that censorship and content-filtering middleboxes block, such as adult content, gambling, social media, and file-sharing sites, are the trigger: the middlebox injects a block page that can be far larger than the request that provoked it.
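The point in the bullets above, that a compliant TCP stack cannot amplify a spoofed request while a middlebox that skips handshake tracking can, is easier to see in a toy model. The following is an added example written for this page; it is not code from the researchers or from any vendor. The segment format, the blocked-host list, the block page, the 40-byte header assumption and the RFC 5737 documentation addresses are all constructed for illustration, and nothing here sends real traffic.

```python
"""Toy model of why TCP reflection works through a non-compliant middlebox.

Added example, not code from the researchers or any vendor. The segment
format, the blocked-host list, the block page and the byte accounting are
all constructed assumptions; nothing here touches a real network.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

    def wire_bytes(self) -> int:
        # Assumed minimal headers: 20-byte IPv4 + 20-byte TCP, no options.
        return 40 + len(self.payload)

    def reply(self, flags: int, payload: bytes = b"") -> "Segment":
        # A reply goes to whatever source address the segment carried; a
        # spoofing attacker chooses that address, which is the reflection.
        return Segment(self.dst, self.dport, self.src, self.sport, flags, payload)


# Constructed stand-ins for a filtering device's policy and its block page.
BLOCKED_HOSTS = {"adult.example", "gambling.example"}
BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><body><h1>Access to this site is blocked</h1>"
    + b"<p>This page has been blocked by the network policy.</p>" * 40
    + b"</body></html>"
)


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of an HTTP request payload, or None."""
    for line in payload.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            return line[5:].strip().decode("ascii", "replace").lower()
    return None


def censoring_middlebox(seg: Segment) -> List[Segment]:
    """The design flaw: any segment whose payload names a blocked host gets a
    block page, with no check that a three-way handshake ever completed."""
    host = http_host(seg.payload)
    if host in BLOCKED_HOSTS:
        return [seg.reply(PSH | ACK, BLOCK_PAGE)]
    return []


def compliant_server(seg: Segment) -> List[Segment]:
    """A TCP stack with no connection for this flow (RFC 793 LISTEN/CLOSED):
    a SYN earns a SYN-ACK, a stray ACK earns a RST, and payload is never
    answered with data. Every reply is a bare 40-byte header."""
    if seg.flags & SYN and not seg.flags & ACK:
        return [seg.reply(SYN | ACK)]
    if seg.flags & ACK:
        return [seg.reply(RST)]
    return []


def spoofed_sequence(victim: str, target: str, host: str) -> List[Segment]:
    """The attacker's two segments, carrying the victim's address as source:
    a SYN and then a data segment with an HTTP request for `host`."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    return [
        Segment(victim, 40000, target, 80, SYN),
        Segment(victim, 40000, target, 80, PSH | ACK, request),
    ]


def amplification(seq: List[Segment], responder: Callable[[Segment], List[Segment]]) -> float:
    """Bytes delivered to the spoofed source per byte the attacker sent."""
    sent = sum(s.wire_bytes() for s in seq)
    reflected = sum(r.wire_bytes() for s in seq for r in responder(s))
    return reflected / sent


if __name__ == "__main__":
    # RFC 5737 documentation addresses, constructed for the example.
    seq = spoofed_sequence("198.51.100.7", "203.0.113.10", "gambling.example")
    print(f"compliant TCP stack: {amplification(seq, compliant_server):.2f}x")
    print(f"censoring middlebox: {amplification(seq, censoring_middlebox):.2f}x")
```

Run against the same two spoofed segments, the compliant stack returns two 40-byte headers (a SYN-ACK and a RST), so the victim receives less than it would have cost the attacker to send; the middlebox returns a block page, and the ratio scales with the page size, which is the lever behind the amplification factors reported above. A request for a host that is not on the block list produces nothing from the middlebox, which is why only blocked domains matter as triggers.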

The concerning part

  • While the attack vector had not been observed in the wild at the time of the research, the researchers report that the amplification factors these TCP-based attacks achieve exceed those of the established UDP-based reflection amplification attacks.
  • Furthermore, the research team found roughly 200 million IPv4 addresses corresponding to network middleboxes that can be used as reflectors for the new form of DDoS attack.

Addressing the threat

The researchers notified middlebox vendors in the countries that are likely to face these attacks in the immediate future: China, Egypt, India, Iran, Oman, Qatar, Russia, Saudi Arabia, South Korea, the UAE, and the U.S. Based on their findings, they observe that dealing with this vector requires more than firmware patches. The networks on which the middleboxes are installed also need configuration changes, because a device that answers TCP segments without a completed handshake remains a usable reflector wherever it can be reached with spoofed traffic.

Cyware Publisher