A new distributed denial-of-service (DDoS) attack technique is starting to be used by attackers, and it is likely to add significantly to the pressure on network administrators.
The technique relies on intermediate devices (so-called middleboxes) that filter TCP/IP traffic. These devices are mainly deployed by governments and businesses to monitor and censor Internet traffic. The problem is that they do not follow the rules of the TCP protocol, in particular the well-known three-way handshake that establishes a connection: they will answer a packet that belongs to no established connection. This opens the door to DDoS attacks by reflection and amplification.
This approach was first demonstrated by researchers in August 2021 at the USENIX Security conference. In their paper "Weaponizing Middleboxes for TCP Reflected Amplification", the authors identified hundreds of thousands of middleboxes vulnerable to this type of attack that produce an amplification factor greater than 100. In other words, the returned response is at least 100 times larger than the initial message.
In some cases, the amplification could even exceed a factor of 700,000, or even… reach infinity! Some devices are so badly configured that they create routing loops and keep resending the same traffic indefinitely.
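As an added defender-side illustration (not code from the article or from the paper it cites): at the victim, reflected middlebox responses show up as inbound TCP segments for which the protected host never sent a SYN. The stateful filter below runs over constructed flow records in an assumed simplified format; the addresses, ports and threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records: (direction, src_ip, src_port, dst_ip, dst_port, flags, bytes).
# The victim host is 203.0.113.10. The first three records are a normal handshake and
# response; the remaining ones arrive without any preceding SYN from the victim,
# which is what a middlebox reflection looks like at the receiving end.
RECORDS = [
    ("out", "203.0.113.10", 51000, "198.51.100.5", 443, "S", 60),
    ("in", "198.51.100.5", 443, "203.0.113.10", 51000, "SA", 60),
    ("in", "198.51.100.5", 443, "203.0.113.10", 51000, "PA", 1400),
    ("in", "192.0.2.77", 80, "203.0.113.10", 80, "PA", 1400),  # unsolicited block page
    ("in", "192.0.2.77", 80, "203.0.113.10", 80, "PA", 1400),  # unsolicited block page
    ("in", "192.0.2.78", 80, "203.0.113.10", 443, "R", 40),  # unsolicited RST
]


def unsolicited_tcp(records, victim_ip):
    """Return {source_ip: {"segments": n, "bytes": b}} for inbound TCP segments
    that were not preceded by an outbound SYN from victim_ip to that source."""
    known = set()  # (peer_ip, peer_port, local_port) of connections we initiated
    stats = defaultdict(lambda: {"segments": 0, "bytes": 0})
    for direction, sip, sport, dip, dport, flags, nbytes in records:
        if direction == "out" and sip == victim_ip and "S" in flags:
            known.add((dip, dport, sport))
        elif direction == "in" and dip == victim_ip:
            if (sip, sport, dport) not in known:
                stats[sip]["segments"] += 1
                stats[sip]["bytes"] += nbytes
    return dict(stats)


def suspect_reflectors(stats, min_bytes=1000):
    """Sources whose unsolicited payload exceeds min_bytes; lone 40-byte RSTs
    are common benign backscatter, so the byte threshold filters them out."""
    return sorted(ip for ip, s in stats.items() if s["bytes"] >= min_bytes)


if __name__ == "__main__":
    stats = unsolicited_tcp(RECORDS, "203.0.113.10")
    for ip in suspect_reflectors(stats):
        print(f"{ip}: {stats[ip]['segments']} unsolicited segments, {stats[ip]['bytes']} bytes")
```

On real sensors the same idea is expressed as connection tracking: any TCP segment arriving for a flow the host never opened is either backscatter or reflection, and its volume per source is what matters.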
Six months after the theory was presented, attackers have put it into practice. In a blog post, Akamai reports that it has detected the first TCP reflection attacks bouncing off middleboxes.
The observed power is still modest, with peaks of 11 Gbit/s. Victims include businesses in the banking, travel, gaming, media and hospitality industries.
“Although current attack traffic is relatively low, we expect this type of attack to grow in the future, due to the significant amplification it offers an attacker,” says Akamai.
Sources: Akamai, scientific article