Boost attacks are nothing new and have helped attackers bring down servers with short bursts of traffic of up to 3.47 terabytes per second (Tbps).has fended off attacks of this magnitude over the past year, fueled by competition between online gaming providers.
But there is a new attack on the horizon. Akamai reports that it has recently observed a wave of “TCP middlebox reflection” attacks, which refer to the Transmission Control Protocol (TCP) — a fundamental protocol for secure communications between networked machines on the Internet. The attacks reached 11 gigabytes per second (Gbps) at 1.5 million packets per second (Mpps), according to Akamai.
The amplification technique was revealed in August last year in research that showed attackers can abuse middleboxes like firewalls over TCP to amplify denial-of-service attacks.
Most DDoS attacks abuse the User Datagram Protocol (UDP) to enhance packet delivery, generally sending packets to a server that responds with a larger packet count, which is then forwarded to the attacker’s intended target.
The TCP attack takes advantage of non-TCP network middleboxes. The researchers found hundreds of thousands of IP addresses that can amplify attacks by a hundredfold using firewalls and content filters. So what was a theoretical attack eight months ago is now a real and active threat.
“Middlebox DDoS amplification is an entirely new type of TCP reflection/amplification attack that poses a threat to the Internet. This is the first time we’ve observed this technique in the wild,” reads an Akamai blog post.
Firewalls and similar middlebox devices from manufacturers such as Cisco, Fortinet, SonicWall, and Palo Alto Networks are important components of enterprise network infrastructure. However, some middleboxes do not properly validate TCP stream status when enforcing content filtering policies.
“These middleboxes can be tricked into responding to TCP packets that are not in the right state. These responses often contain content that is used to hijack client browsers to prevent users from accessing the blocked content. In turn, this flawed TCP implementation can be abused by attackers to forward TCP traffic, including data streams, to DDoS victims,” explains Akamai.
Attackers can abuse these boxes by spoofing the intended victim’s source IP address to route response traffic from the middleboxes.
With TCP, connections use the Synchronization Flag (SYN) to exchange key messages for a three-way handshake. The attackers abuse the TCP implementation in some middleboxes, causing them to respond unexpectedly to SYN packet messages. In some cases, Akamai observed that a single SYN packet with a 33-byte payload produced a 2,156-byte response, increasing its size by more than 65 times (6,533%).