Attackers in recent weeks have been leveraging a new type of distributed denial-of-service (DDoS) attack technique to target websites of organizations in the banking, travel, gaming, media and web-hosting sectors.
The tactic, which researchers call TCP Middlebox Reflection, was first described in an August 2021 academic paper by researchers at the University of Maryland and the University of Colorado Boulder, before any attacks using it had been observed in the wild. Attackers are now using the technique in a “relatively small” number of real-world DDoS attacks that abuse vulnerable firewalls and content-filtering systems to generate high volumes of traffic, with the end goal of knocking targeted websites offline.
“The risk here is this type of attack can generate a significant amount of attack traffic overwhelming targeted systems and networks,” said Larry Cashdollar, with Akamai’s security intelligence response team, which discovered the recent attacks. “This flaw is surprisingly easy to exploit and there are quite a few of these vulnerable systems distributed on the internet so building up larger and larger attacks is quite feasible.”
TCP Middlebox Reflection leverages an in-network device called a middlebox, which monitors and filters packet streams in transit between two communicating end-hosts. Researchers have previously found that hundreds of thousands of network middleboxes do not track Transmission Control Protocol (TCP) connection state when enforcing content-filtering policies: they act on the contents of individual packets without checking that a three-way handshake ever established the connection those packets claim to belong to. Many of these systems are deliberately built this way, in part because nation-state censorship systems and corporate content filters must keep working when asymmetric routing lets the middlebox see only one direction of a connection.
For attackers, this TCP noncompliance sets the stage for "highly effective" TCP-based reflective amplification attacks: they send out-of-state packets whose source IP is spoofed to the intended victim's address, and the middlebox directs its response traffic, including any injected block page, at the victim.
“These boxes can be made to respond to out-of-state TCP packets,” said researchers. “These responses often include content in their responses meant to ‘hijack’ client browsers in an attempt to prevent users from getting to the blocked content. This broken TCP implementation can in turn be abused to reflect TCP traffic, including data streams, to DDoS victims by attackers.”
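To make the mechanism concrete, the following is an added Python model, not code from Akamai or from the academic paper, of a content filter that inspects packets without tracking state beside one that only inspects data on flows whose handshake it has seen. The blocked hostname, the block page, the IP addresses and the 40-byte header estimate are constructed assumptions. A single spoofed, out-of-state PSH/ACK carrying a forbidden Host header makes the stateless box send a block page and a reset to the spoofed source, which is where the amplification comes from; the stateful box ignores it. The stateful variant goes beyond what the article describes and is included only for contrast.

```python
"""Model of TCP middlebox reflection: a stateless content filter answers an
out-of-state request with a block page addressed to the (spoofed) source.
Constructed example; not Akamai's or the researchers' code."""
from dataclasses import dataclass

IP_TCP_HEADER_BYTES = 40  # assumption: IPv4 + TCP headers without options


@dataclass
class Packet:
    src: str            # source IP (may be spoofed)
    dst: str            # destination IP
    flags: str          # "SYN", "SYN/ACK", "ACK", "PSH/ACK", "RST"
    payload: bytes = b""

    def wire_size(self):
        return IP_TCP_HEADER_BYTES + len(self.payload)


# Constructed censorship policy and the page injected for blocked hosts.
BLOCKED_HOSTS = {"blocked.example"}
BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><head><title>Access Denied</title></head><body>"
    + b"<p>This site is blocked by policy.</p>" * 20
    + b"</body></html>"
)


def http_host(payload):
    """Return the Host header of an HTTP request, or None if absent."""
    for line in payload.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def forbidden(payload):
    return http_host(payload) in BLOCKED_HOSTS


def block_response(request):
    """Block page plus reset, sent to whatever source address the request carried."""
    return [
        Packet(src=request.dst, dst=request.src, flags="PSH/ACK", payload=BLOCK_PAGE),
        Packet(src=request.dst, dst=request.src, flags="RST"),
    ]


class StatelessMiddlebox:
    """Filters on packet content alone and never checks for a handshake."""

    def handle(self, pkt):
        if pkt.flags == "PSH/ACK" and forbidden(pkt.payload):
            return block_response(pkt)
        return []


class StatefulMiddlebox:
    """Inspects data only on flows whose three-way handshake it has observed."""

    def __init__(self):
        self.syn_seen = set()       # (client, server) after the client's SYN
        self.synack_seen = set()    # after the server's SYN/ACK
        self.established = set()    # after the client's final ACK

    def handle(self, pkt):
        flow = (pkt.src, pkt.dst)
        if pkt.flags == "SYN":
            self.syn_seen.add(flow)
        elif pkt.flags == "SYN/ACK" and (pkt.dst, pkt.src) in self.syn_seen:
            self.synack_seen.add((pkt.dst, pkt.src))
        elif pkt.flags == "ACK" and flow in self.synack_seen:
            self.established.add(flow)
        elif pkt.flags == "PSH/ACK" and flow in self.established and forbidden(pkt.payload):
            return block_response(pkt)
        return []


def reflect(middlebox, victim, server):
    """Attacker sends one out-of-state request with the victim's address as
    source; returns (bytes sent, bytes landing on the victim, amplification)."""
    trigger = Packet(src=victim, dst=server, flags="PSH/ACK",
                     payload=b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")
    responses = middlebox.handle(trigger)
    to_victim = sum(p.wire_size() for p in responses if p.dst == victim)
    return trigger.wire_size(), to_victim, to_victim / trigger.wire_size()


if __name__ == "__main__":
    for box in (StatelessMiddlebox(), StatefulMiddlebox()):
        sent, reflected, amp = reflect(box, "198.51.100.7", "203.0.113.80")
        print(f"{type(box).__name__}: sent {sent} B, victim received {reflected} B, x{amp:.1f}")
```

The amplification factor is simply the size of the injected block page (plus the reset) over the size of the trigger packet, so the larger the censorship page a middlebox injects, the more traffic each spoofed packet reflects.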
These middlebox reflection attacks are new, but they are not unique, said researchers. The real threat is that the technique lowers the bandwidth an attacker needs to launch a DDoS attack such as a SYN flood. A SYN flood targets the three-way handshake used to establish TCP connections between clients and servers, which begins with the client's synchronize (SYN) request: the attacker sends a rapid succession of SYN requests but never completes the handshake, so half-open connections accumulate on the server until its resources are exhausted.
“If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets," said researchers with Akamai. "With the arrival of middlebox amplification, this long-held understanding of TCP attacks is no longer true. Now an attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.
The observed attacks also generate a "pretty decent amount of attack traffic," reaching up to 11 Gbps at 1.5 million packets per second (Mpps), said Cashdollar, though nowhere near the highest levels that have been previously observed.
"While it isn’t the largest by far, we are worried the attack size will be ramping up as attackers refine their methods," he said.
Researchers said that while the observed attacks using this technique are still small compared with other vectors, they appear to be growing in popularity and size, and they predicted that attackers will try to improve and expand the attack’s capabilities and overall impact. However, because SYN flooding has been used by attackers for years, organizations can apply similar mitigation strategies: combine anti-spoofing with out-of-state mitigation modules that drop TCP segments belonging to no known connection, and treat SYN packets that carry a payload (TCP length greater than 0 bytes) as suspicious, since an ordinary SYN, outside TCP Fast Open, carries no data, they said.
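The out-of-state and payload-bearing-SYN checks described above, written as an added victim-side detector in Python (this is illustrative code, not Akamai's mitigation logic). It records the connections the local host opened or accepted and flags inbound SYN/ACK or data segments for connections it never saw, plus any SYN carrying a payload. The host address, ports and traffic sample are constructed.

```python
"""Victim-side detection of TCP middlebox reflection traffic.
Constructed example; not Akamai's detection logic."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK", "ACK", "PSH/ACK", "RST"
    payload_len: int = 0


class ReflectionDetector:
    """Tracks connections the local host opened or accepted and flags inbound
    segments that belong to none of them, or SYNs that carry data."""

    def __init__(self, local_ip, threshold=3):
        self.local_ip = local_ip
        self.threshold = threshold   # suspicious segments per remote IP before reporting
        self.pending = set()         # (remote_ip, rport, lport) for our outbound SYNs
        self.known = set()           # connections we opened or accepted
        self.hits = Counter()        # suspicious segments per remote IP

    def observe(self, seg):
        """Feed one segment; returns a reason string if it looks like
        reflection or padded-SYN traffic, otherwise None."""
        if seg.src == self.local_ip:                          # outbound
            if seg.flags == "SYN":
                self.pending.add((seg.dst, seg.dport, seg.sport))
            return None

        key = (seg.src, seg.sport, seg.dport)                 # inbound
        reason = None
        if seg.flags == "SYN":
            if seg.payload_len > 0:
                # An ordinary client SYN carries no data (TCP Fast Open aside);
                # padded SYN floods and reflected SYNs do.
                reason = "SYN carrying %d bytes of payload" % seg.payload_len
            else:
                self.known.add(key)                           # a client connecting to us
        elif seg.flags == "SYN/ACK":
            if key in self.pending:
                self.pending.discard(key)
                self.known.add(key)
            else:
                reason = "SYN/ACK for a connection we never opened"
        elif seg.flags in ("ACK", "PSH/ACK") and key not in self.known:
            # Out-of-state data such as a reflected block page, or an ACK flood.
            # Connections older than the detector would need a warm-up period.
            reason = "%s on a connection we never saw" % seg.flags

        if reason:
            self.hits[seg.src] += 1
        return reason

    def flooding_sources(self):
        return {ip for ip, n in self.hits.items() if n >= self.threshold}


# Constructed traffic as seen by the host 198.51.100.7.
LOCAL = "198.51.100.7"
SAMPLE = [
    # A normal client connects to our web server: nothing suspicious.
    Segment("192.0.2.10", 40000, LOCAL, 80, "SYN"),
    Segment(LOCAL, 80, "192.0.2.10", 40000, "SYN/ACK"),
    Segment("192.0.2.10", 40000, LOCAL, 80, "ACK"),
    Segment("192.0.2.10", 40000, LOCAL, 80, "PSH/ACK", 300),
    # We open a connection outward: the peer's SYN/ACK and data are in state.
    Segment(LOCAL, 51000, "203.0.113.5", 443, "SYN"),
    Segment("203.0.113.5", 443, LOCAL, 51000, "SYN/ACK"),
    Segment(LOCAL, 51000, "203.0.113.5", 443, "ACK"),
    Segment("203.0.113.5", 443, LOCAL, 51000, "PSH/ACK", 1200),
    # Middlebox reflection: SYN/ACKs and block pages for flows we never opened.
    Segment("203.0.113.9", 80, LOCAL, 52001, "SYN/ACK"),
    Segment("203.0.113.9", 80, LOCAL, 52002, "SYN/ACK"),
    Segment("203.0.113.9", 80, LOCAL, 52003, "PSH/ACK", 900),
    Segment("203.0.113.9", 80, LOCAL, 52004, "PSH/ACK", 900),
    # Padded SYN flood: SYNs carrying a payload.
    Segment("203.0.113.44", 3333, LOCAL, 80, "SYN", 1000),
    Segment("203.0.113.44", 3334, LOCAL, 80, "SYN", 1000),
    Segment("203.0.113.44", 3335, LOCAL, 80, "SYN", 1000),
]


def run_detector(segments, local_ip=LOCAL, threshold=3):
    """Returns (per-source hit counts, set of sources at or over the threshold)."""
    det = ReflectionDetector(local_ip, threshold)
    for seg in segments:
        det.observe(seg)
    return det.hits, det.flooding_sources()


if __name__ == "__main__":
    hits, flooding = run_detector(SAMPLE)
    for ip, n in hits.most_common():
        print("%-14s %d suspicious segments%s" % (ip, n, "  <- flooding" if ip in flooding else ""))
```

The per-source counting is what makes the check usable: a single stray SYN/ACK is normal on the internet, whereas dozens per second from one address for ports the host never used is the signature of reflected traffic. Dropping these segments at the edge only relieves the host, not the link, so a volumetric attack still needs upstream filtering as well.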
“Although these attacks are relatively small as of right now, it does show that attackers are starting to pick up on the middlebox attack technique and beginning to leverage it as yet another tool in their DDoS arsenal," said Akamai researchers in a Tuesday analysis.