Last Updated on 04/03/2022 by Nidhi Khandelwal
Six months after the technique was first disclosed in principle, distributed denial-of-service (DDoS) attacks exploiting a new amplification vector dubbed TCP Middlebox Reflection have been observed in the wild for the first time.
“The attack […] takes advantage of misconfigured firewalls and content filtering systems to reflect and amplify TCP traffic to a victim PC, resulting in a massive DDoS attack,” Akamai researchers wrote in a report.
A distributed reflective denial-of-service (DRDoS) attack uses publicly reachable UDP services with a high bandwidth amplification factor (BAF), the ratio of response bytes to request bytes, to overwhelm a victim with a flood of UDP responses it never requested.
The attacker sends a flood of small DNS or NTP requests to these open reflectors with the source IP address forged to that of the target, so each server returns its much larger response to the spoofed address; the aggregate of those responses exhausts the bandwidth available to the target.
While UDP reflection vectors have historically dominated amplification attacks because the protocol is connectionless and therefore trivially spoofable, the new approach exploits non-compliant TCP handling in middleboxes such as deep packet inspection (DPI) appliances to mount TCP-based reflective amplification attacks, something the three-way handshake was assumed to rule out.
The first wave of “noticeable” attack campaigns using the technique is reported to have hit Akamai customers in the banking, travel, gaming, media, and web hosting industries around February 17, with traffic peaking at 11 Gbps and 1.5 million packets per second (Mpps).
“The vector has been seen utilised alone and as part of multi-vector campaigns, with the scale of the attacks slowly growing,” said Chad Seaman, lead of Akamai’s security intelligence research team (SIRT).
The basic idea behind TCP-based reflection is to use the middleboxes deployed to enforce censorship laws and enterprise content filtering rules as reflectors: because many of them inspect and answer a packet carrying an HTTP request for a forbidden site without ever having seen a completed handshake, a single spoofed TCP segment can elicit a volumetric response (a block page or RST burst) that the middlebox sends to the forged source address, the victim.
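From the victim's side, both the UDP DRDoS flood described above and TCP Middlebox Reflection share one observable property: inbound traffic that nothing the victim sent can explain. The following added example (not Akamai's code, and not taken from the report) shows a minimal detector for that property run over a constructed packet list. The victim address, reflector addresses and packet sizes are assumptions drawn from RFC 5737 documentation ranges; the BAF helper is included because the UDP paragraph defines amplification in those terms.

```python
"""Flag reflected (unsolicited) UDP/TCP traffic arriving at a victim host.

Added illustrative example; not the Akamai report's code.  All packet
records below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    flags: str    # TCP flags as letters, e.g. "S", "SA", "PA", "R"; "" for UDP
    length: int   # bytes on the wire


VICTIM = "203.0.113.10"   # assumed victim address (RFC 5737 range)


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF = bytes reflected toward the victim per byte the attacker spends."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflected_traffic(packets, victim=VICTIM):
    """Return {(reflector_ip, proto, reflector_port): bytes} for inbound traffic
    the victim never solicited.

    A reply is 'solicited' if the victim previously sent, on the same 4-tuple,
    a UDP datagram (for UDP) or a SYN (for TCP, i.e. it opened the connection).
    TCP Middlebox Reflection delivers SYN/ACK, PSH/ACK or RST segments with no
    handshake behind them, so they fail this test, as do spoofed-source DNS
    and NTP responses.
    """
    solicited = set()
    suspect = defaultdict(int)
    for p in packets:
        if p.src == victim:
            if p.proto == "udp" or (p.proto == "tcp" and p.flags == "S"):
                solicited.add((p.dst, p.dport, p.sport, p.proto))
            continue
        if p.dst != victim:
            continue
        if (p.src, p.sport, p.dport, p.proto) in solicited:
            continue
        # Inbound, and nothing the victim sent explains it: count the bytes.
        suspect[(p.src, p.proto, p.sport)] += p.length
    return dict(suspect)


def rank_reflectors(packets, victim=VICTIM):
    """Suspected reflectors ordered by bytes delivered, largest first."""
    hits = find_reflected_traffic(packets, victim)
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample traffic: two legitimate exchanges, three reflection sources.
SAMPLE_PACKETS = [
    # Victim queries a DNS resolver and gets an answer: solicited.
    Packet(VICTIM, 40001, "198.51.100.5", 53, "udp", "", 60),
    Packet("198.51.100.5", 53, VICTIM, 40001, "udp", "", 200),
    # Victim opens a TLS connection: SYN, then SYN/ACK back: solicited.
    Packet(VICTIM, 50000, "198.51.100.7", 443, "tcp", "S", 60),
    Packet("198.51.100.7", 443, VICTIM, 50000, "tcp", "SA", 60),
    # Middlebox block pages (PSH/ACK with payload) for a handshake that never happened.
    Packet("192.0.2.20", 80, VICTIM, 4444, "tcp", "PA", 1500),
    Packet("192.0.2.20", 80, VICTIM, 4444, "tcp", "PA", 1500),
    Packet("192.0.2.20", 80, VICTIM, 4444, "tcp", "PA", 1500),
    # Another middlebox answering with a bare SYN/ACK.
    Packet("192.0.2.21", 80, VICTIM, 4445, "tcp", "SA", 60),
    # Classic UDP reflection: an NTP response the victim never asked for.
    Packet("198.51.100.9", 123, VICTIM, 4446, "udp", "", 468),
]


if __name__ == "__main__":
    for (ip, proto, port), nbytes in rank_reflectors(SAMPLE_PACKETS):
        print(f"{ip}:{port}/{proto}  {nbytes} unsolicited bytes")
    print("BAF for a 60-byte probe drawing 3000 bytes:",
          bandwidth_amplification_factor(60, 3000))
```

The check is deliberately stateless beyond remembering what the victim sent, so a capture that starts mid-connection will flag established flows as unsolicited; in production, seed the solicited set from the host's existing connection table or ignore flows older than the capture. Note also that BAF can only be measured where both the probe and the reflection are visible, i.e. at the reflector or by the attacker, never at the victim, which sees only the amplified side.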