TCP Middlebox is Being Used to Ramp up DDoS Attacks
- By David Lukic
- Published: Mar 03, 2022
- Last Updated: Mar 18, 2022
Hackers have started using TCP Middlebox Reflection as a component of DDoS (distributed denial-of-service) attacks. TCP Middlebox Reflection is a specialized amplification technique that digital forensics specialists had not observed in the wild until recent months. It is particularly interesting that this amplification strategy is being weaponized about half a year after digital security specialists first presented it as a potential method of attack.
What is the TCP Middlebox Reflection Attack all About?
According to a report issued by researchers at Akamai, the TCP Middlebox Reflection attack takes advantage of susceptible firewalls and content-filtering systems to amplify TCP traffic toward targeted computers. The end result of this strategy is a significant DDoS attack.
The TCP Middlebox Reflection attack is problematic because it makes it much easier for DDoS attacks to wreak havoc. The attacker needs merely 2% or even less of the bandwidth that would normally be necessary to launch such an attack. The technique is also used as a component of a DRDoS attack, short for distributed reflective denial-of-service.
DRDoS attacks use publicly reachable UDP servers together with their bandwidth amplification factors. The attacker sends a flood of requests (NTP requests, for example) whose source IP address is forged to be that of the target; the servers then answer with an onslaught of larger UDP responses aimed at that address. The result is that the destination servers return amplified responses to the host at the forged address, consuming its bandwidth and ultimately making it difficult for the affected computer to function as it should.
The overarching aim of the attack is to take advantage of middleboxes used to enforce content filtering and censorship by sending carefully crafted TCP packets that elicit a massive response. As an example, one recent attack with a payload of 33 bytes caused a response in excess of 2,150 bytes, an amplification greater than 6,500%.
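A defender's view of the amplification described above, written as an added example that is not code from the article or from Akamai: it computes the response/request size ratio per flow and flags hosts that receive amplified responses from several distinct reflectors, which is the traffic shape a reflected attack presents. The flow records, addresses and thresholds are constructed assumptions; the 33-byte request and 2,150-byte response pair mirrors the figures quoted in the article. It assumes a vantage point that sees both directions of each flow, such as the reflector operator's or a transit provider's collector.

```python
"""Flag reflection/amplification traffic from flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client: str      # source address as seen by the reflector (spoofed to the victim)
    reflector: str   # middlebox or UDP server that answered
    proto: str       # "tcp" or "udp"
    req_bytes: int   # bytes that arrived at the reflector
    resp_bytes: int  # bytes the reflector sent back toward `client`


def amplification_factor(req_bytes: int, resp_bytes: int) -> float:
    """Response/request size ratio; 33 -> 2150 is roughly 65x (over 6,500%)."""
    if req_bytes <= 0:
        raise ValueError("request size must be positive")
    return resp_bytes / req_bytes


def find_amplified_victims(flows, min_factor=10.0, min_reflectors=3):
    """Return {victim: [(reflector, factor), ...]} for hosts that receive
    responses above `min_factor` from at least `min_reflectors` distinct
    reflectors. A single oversized reply is not evidence; many reflectors
    converging on one address is the reflected-DDoS signature."""
    per_victim = defaultdict(dict)
    for f in flows:
        factor = amplification_factor(f.req_bytes, f.resp_bytes)
        if factor >= min_factor:
            per_victim[f.client][f.reflector] = factor  # de-duplicate per reflector
    return {
        victim: sorted(reflectors.items())
        for victim, reflectors in per_victim.items()
        if len(reflectors) >= min_reflectors
    }


# Constructed sample flows; addresses are from documentation ranges.
SAMPLE_FLOWS = [
    # Three TCP middleboxes answering 33-byte packets "from" 203.0.113.10 with 2,150 bytes
    Flow("203.0.113.10", "192.0.2.11", "tcp", 33, 2150),
    Flow("203.0.113.10", "192.0.2.12", "tcp", 33, 2150),
    Flow("203.0.113.10", "192.0.2.13", "tcp", 33, 2150),
    # One UDP reflector (NTP-style) adding to the same victim
    Flow("203.0.113.10", "192.0.2.50", "udp", 48, 2400),
    # Ordinary web client: response larger than request, but nowhere near 10x
    Flow("198.51.100.7", "192.0.2.80", "tcp", 500, 1200),
    # One oversized reply from a single reflector is not enough on its own
    Flow("198.51.100.9", "192.0.2.14", "tcp", 33, 2150),
]


if __name__ == "__main__":
    for victim, reflectors in find_amplified_victims(SAMPLE_FLOWS).items():
        print(victim, "receives amplified traffic from", len(reflectors), "reflectors")
```

Tuning `min_factor` and `min_reflectors` trades false positives against detection delay; the thresholds here are illustrative, not values from the report. The same ratio logic applies to UDP vectors such as NTP, which is why the sample mixes both protocols.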
Was This Type of Attack Anticipated?
Indeed, the weaponization of TCP middleboxes was predicted in an academic study released to the public about 15 months ago. In August 2021, a paper was published detailing a potential attack vector that abuses flaws in how TCP middleboxes handle the protocol. The paper also described how the vector could exploit that infrastructure to mount reflected denial-of-service attacks against target computers.
Traditional denial-of-service amplification attacks have relied on UDP reflection vectors because those protocols are connectionless. This attack instead capitalizes on the TCP non-compliance of middleboxes, including deep packet inspection devices, to achieve reflective amplification.
When Did the Attack Start?
Chad Seaman, head of the Akamai security intelligence research team, reports that the size of TCP Middlebox Reflection attacks has gradually increased. The first wave of attack campaigns using the strategy described above likely began in mid-February. The attacks struck websites that provide web hosting, media, travel, banking, and gaming services. The vector has been used both in standalone attacks and as one component of multi-vector campaigns.