DDoS attack re-evolution: TCP Middlebox Reflection can amplify packets by 65-fold

2022 / 03 / 22

Researchers have observed multiple Distributed Denial-of-Service (DDoS) attacks in recent weeks. These attacks include high-traffic attacks such as SYN flood, and have caused high amounts of traffic that peaked at 11 Gbps. After analyzing the packets used in these DDoS attacks, researchers discovered that the hackers were using a new technique called TCP Middlebox Reflection. It is a very new attack method, first disclosed in a paper by researchers at the University of Maryland and the University of Colorado Boulder in August 2021. Hackers can use it to easily amplify the attack packet traffic by 65 times, which will pose a serious threat to network equipments.

Understanding new types of DDoS attack techniques : TCP Middlebox Reflection

In the past, DDoS attacks were mostly combined with amplification attack technology. The technology allows hackers to generate packets that are several times or even dozens of times larger than the original sent packets, thereby attacking with large traffic. At present, the commonly used communication protocols for performing amplification attacks include several UDP-based communication protocols such as Domain Name System (DNS), Simple Network Management Protocol (SNMP), Network Time Protocol (NTP), and Universal Plug and Play Protocol (UPnP). Attackers can use the characteristics of the UDP protocol to spoof the source IP address as the victim host. The attacking host only needs to send a simple query packet to the server, and then the server will send a large amount of data back to the victim host. By using the amplification attack method, attackers can make hundreds of thousands or even millions of hosts send query packets at the same time, thereby launching a large-scale DDoS attack.

In the past, most attackers used UDP-based reflection to attack. Unlike the TCP protocol, which requires a TCP 3-way handshake with the server first, the UDP protocol can directly transfer data without establishing a connection with the server. Moreover, due to the characteristics of TCP 3-way handshake, attackers cannot complete TCP 3-way handshake with the server under the condition of forging the source IP address. Now the emerging TCP Middleboxes Reflection attack technology exploits network devices with packet content inspection functions such as firewalls, intrusion prevention/detection systems, and web content filtering products. Since these devices have better fault tolerance for packet error, the content of the transmitted packet that is not in accordance with the TCP protocol is still allowed to receive and forward to the destination IP address. As a result, Attackers can exploit this feature to launch reflective amplification attacks over TCP connections.

DDoS attack re-evolution: TCP Middlebox Reflection can amplify packets by 65-fold

New type of DDoS attack technology greatly reduces the attack threshold

Chad Seaman, the head of the Akamai security intelligence research team, noted that the size of the TCP Middlebox Reflection attacks has gradually increased. The first wave of the attack campaigns using this technique likely began in mid-February. The attacked web servers included web hosting, media, travel, banking and gaming services. Relatively few attacks using this technique have been observed so far, but the scale of exploitation does continue to grow. The security research team predicts that attackers will further try to improve and expand the attack.

As this new attack technique increases and changes the modus operandi of executing DDoS attacks, enterprises should review their own security defense strategies based on various attack vectors and methods, and respond to challenges with more flexibility and better preparation.

Quickly establish or verify response mechanisms via DDoS simulation exercises

Onward Security provides simulation exercise service through our self-developed DDoS attack platform to simulate DDoS attacks from home and abroad. The platform integrates a number of internationally renowned cloud infrastructure service providers, and can simulate up to 2,000 IP addresses from different sources to perform DDoS simulation exercise of 400G bytes of network traffic or one million application connections. Customers can define the traffic, number of connections, number of IPs and execution time required for the exercise process according to their needs, and can design multiple exercise scenarios to automatically perform at a specified time to verify target systems (such as websites or applications) and DDoS defense mechanisms availability and effectiveness. Through our DDoS simulation exercise service, enterprises can discover the response status of the target system at different stages from the process. After the exercise, customers can refer to the scenarios designed in the exercise process as the basis for their subsequent planning system architecture performance adjustment and the formulation of DDoS mitigation and contingency measures.