A new amplification technique in distributed denial-of-service (DDoS) attacks, termed TCP Middlebox Reflection, has been identified for the first time in real-world scenarios, a development following its theoretical introduction six months prior.
According to a report from Akamai, the TCP Middlebox Reflection attack abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic toward a target, producing a far more powerful DDoS attack than the attacker's own bandwidth would allow. The researchers noted, “This new attack vector significantly lowers the threshold for executing a DDoS attack, requiring as little as 1/75th of the bandwidth typically needed for volumetric assaults.”
A Distributed Reflective Denial-of-Service (DRDoS) attack abuses publicly accessible User Datagram Protocol (UDP) servers that offer high bandwidth amplification factors (BAFs) to flood a victim with an excessive volume of UDP replies. Attackers send DNS or NTP requests whose source IP is spoofed to the victim's address, so the servers direct their much larger responses at the victim rather than the requester, ultimately overwhelming the intended target.
This recent escalation follows an academic study from August 2021 that illuminated a new attack vector exploiting TCP protocol weaknesses present in middleboxes and censorship systems for carrying out reflected DoS amplification assaults against targets.
Historically, DoS amplification attacks have favored UDP reflection vectors due to the protocol’s connectionless nature. However, the innovative TCP Middlebox Reflection approach capitalizes on TCP non-compliance observed in middleboxes deployed for deep packet inspection (DPI), enabling TCP-based reflective amplification attacks.
The inaugural wave of notable attacks utilizing this method commenced around February 17, impacting various sectors, including banking, travel, gaming, media, and web hosting, with traffic peaking at 11 Gbps and hitting 1.5 million packets per second (Mpps). Chad Seaman, leader of the security intelligence research team (SIRT) at Akamai, noted, “This vector has appeared both independently and as part of multi-vector campaigns, with attack sizes gradually increasing.”
The fundamental principle behind TCP-based reflection is to exploit the middleboxes that enforce censorship and enterprise content filtering by deploying specially crafted TCP packets to generate a large-scale response. In a specific incident reported by Akamai, a single SYN packet containing a 33-byte payload prompted a massive 2,156-byte response, resulting in an amplification factor of 65 times (6,533%).
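The two numbers that matter to a defender in the paragraphs above are the bandwidth amplification factor (request size versus response size) and the fact that, from the victim's edge, reflected TCP segments arrive for connections the victim never opened, because the spoofed SYN that triggered them was sent by the attacker, not by the victim. The following is an added example, not code from the Akamai report or the academic study: it computes the BAF for the 33-byte/2,156-byte case the article cites and runs a minimal flow-state check over constructed packet records to flag inbound TCP data with no preceding handshake. The packet records, IP addresses and the `Pkt` structure are all constructed for illustration.

```python
"""Added example (not from the Akamai report): BAF calculation and a minimal
flow-state detector for reflected TCP traffic. All packet records below are
constructed sample data, not captures from the reported attacks."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """A simplified packet record as a flow sensor at the victim's edge might log it."""
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "PA" (PSH/ACK)
    length: int     # bytes on the wire


def amplification_factor(request_bytes: int, response_bytes: int) -> tuple[float, float]:
    """Return (BAF, percent) as the article reports them.

    For the cited incident, a 33-byte SYN drew a 2,156-byte reply: about 65x, or 6,533%.
    """
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    baf = response_bytes / request_bytes
    return round(baf, 2), round(baf * 100, 0)


def find_reflected_tcp(packets: list[Pkt], protected: set[str], min_bytes: int = 1000) -> dict[str, int]:
    """Flag inbound TCP segments that reach a protected host for a 4-tuple the
    sensor never saw a SYN for, and total their bytes per sending IP.

    In a middlebox reflection attack the SYN is spoofed by the attacker from
    elsewhere, so the victim's own sensor never observes it; the replies arrive
    as orphans. Sources whose orphan bytes stay below min_bytes are ignored so
    ordinary late RSTs and stray retransmissions do not trigger alerts.
    """
    initiated: set[tuple[str, int, str, int]] = set()
    suspect: dict[str, int] = defaultdict(int)
    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags == "S":
            # A plain SYN from either side starts a handshake the sensor can vouch for;
            # record both directions so the reply (SYN/ACK, data) matches later.
            initiated.add((p.src, p.sport, p.dst, p.dport))
            initiated.add((p.dst, p.dport, p.src, p.sport))
            continue
        if p.dst in protected and (p.src, p.sport, p.dst, p.dport) not in initiated:
            # Non-SYN segment toward the protected host with no handshake on record.
            suspect[p.src] += p.length
    return {ip: total for ip, total in suspect.items() if total >= min_bytes}


def sample_packets() -> list[Pkt]:
    """Constructed traffic: one legitimate HTTPS session plus orphan replies
    from a hypothetical reflector (203.0.113.9) and one harmless stray RST."""
    return [
        # Legitimate session: protected host opens the connection itself.
        Pkt(0.00, "10.0.0.5", 40001, "198.51.100.7", 443, "S", 60),
        Pkt(0.02, "198.51.100.7", 443, "10.0.0.5", 40001, "SA", 60),
        Pkt(0.05, "198.51.100.7", 443, "10.0.0.5", 40001, "PA", 1500),
        # Reflected replies: no SYN from 10.0.0.5 to this 4-tuple was ever seen.
        Pkt(1.00, "203.0.113.9", 80, "10.0.0.5", 50000, "PA", 2156),
        Pkt(1.01, "203.0.113.9", 80, "10.0.0.5", 50000, "PA", 2156),
        # Stray RST from an unrelated host: below the byte threshold, not reported.
        Pkt(2.00, "192.0.2.44", 22, "10.0.0.5", 51515, "R", 40),
    ]


if __name__ == "__main__":
    print("BAF for 33 -> 2156 bytes:", amplification_factor(33, 2156))
    print("suspected reflectors:", find_reflected_tcp(sample_packets(), {"10.0.0.5"}))
```

The check is deliberately stateless beyond "did we see a SYN for this 4-tuple", which is what a sensor placed at the victim's edge can actually know; in production the same idea is applied on flow records or conntrack state and combined with per-source byte rates, since a single orphaned segment is normal noise while thousands per second from many sources is the signature of the campaign described above.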
Seaman emphasized, “The key takeaway is the transition from theoretical concepts to tangible abuse in real-world scenarios. This signals a potential escalation in the widespread misuse of this vector, as both understanding and application grow within the DDoS landscape, prompting attackers to develop tools around these new methodologies.” He further advised that defenders rethink their strategies in light of this emerging threat, as it could soon manifest in their environments.