Akamai researchers began observing multiple DDoS attack campaigns against Akamai customers that had included SYN flooding and high volumes of traffic: up to 11 Gbps at 1.5 million packets per second (Mpps). Upon examining the TCP packets used in the attack, we realized that they are leveraging a new technique known as TCP Middlebox Reflection. It is an entirely new type of TCP reflection/amplification attack that is a risk to the internet.
New DDoS attack vector
A middlebox is an in-network device that sits on the path between two communicating end-hosts and can monitor, filter, or transform packet streams in-flight. Unlike traditional network devices like routers and switches, middleboxes operate not only on packets’ headers but also on their payloads using Deep Packet Inspection (DPI).
By taking advantage of TCP noncompliance in network middleboxes, the team was able to create highly effective TCP-based reflective amplification attacks. Some of these middlebox systems don’t take TCP stream states into account when attempting to enforce content filtering policies. These boxes can be made to respond to out-of-state TCP packets. These responses often include content in their responses meant to “hijack” client browsers to prevent users from getting to the blocked content. This broken TCP implementation can in turn be abused to reflect TCP traffic, including data streams, to DDoS victims by attackers.
Hundreds of thousands of middlebox systems vulnerable to this TCP reflection abuse around the globe. Some of the vulnerable systems found in the wild offer an amplification rate greater than some of the hardest-hitting UDP vectors, such as NTP, RIPv1, and even the now infamous memcached.
Abusing TCP non-compliance in middleboxes
Attackers can craft various TCP packet sequences that contain HTTP request headers; in these HTTP headers, a domain name for a blocked site is used as the host header. When these packets are received by the middlebox that is configured to not allow access to the site, the middlebox responds, typically with HTTP headers and in some cases entire HTML pages. These responses provide attackers with a reflection opportunity, and in some cases a significant amplification factor.
To abuse these boxes for distributed reflective denial of service (DRDoS) attacks, an attacker spoofs source IPs of the intended victim, resulting in response traffic directed at the victim from the middleboxes. Middlebox systems that have been configured in this way can be found on networks all around the internet as they’re commonly used by nation-states to enforce censorship laws or by corporate enterprise content filtering policies.
Volumetric TCP attacks previously required an attacker to have access to a lot of machines and a lot of bandwidth, normally an arena reserved for very beefy machines with high-bandwidth connections and source spoofing capabilities or botnets. This is because until now there wasn’t a significant amplification attack for the TCP protocol; a small amount of amplification was possible, but it was considered almost negligible, or at the very least subpar and ineffectual when compared with the UDP alternatives.
If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets. With the arrival of middlebox amplification, an attacker needs as little as 1/75th the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.
Another concerning finding by the original authors is the existence of boxes that do handle RST packets. These boxes, when receiving a RST packet, react by resending the data packet they’d already transmitted that triggered the RST in the first place; this will in turn result in another RST, and another data packet. This means that there are cases in which a box can and will end up in what amounts to an “infinite loop” of self-perpetuation amplification.
Rising Attack Vector
The Akamai Security Operations Command Center has observed multiple middlebox attack campaigns targeting banking, travel, gaming, media, and web-hosting industries. The observed attacks leveraging this technique thus far are still small compared with other vectors, but they do appear to be growing in popularity and size.
The earliest attacks in the series reached a peak of 50 Mbps. The actors behind these recent campaigns appear to be honing the capability and/or fine-tuning their set of favored reflectors. More recent attacks targeting the same sets of victims using the same middlebox vector hit peaks 2.7 Gbps and 11 Gbps, with the 11 Gbps attack hitting 1.5 Mpps.
Middlebox reflection attacks are new, but they’re not incredibly unique. Mitigating a middlebox attack in that regard will employ the same techniques and tactics.
SYN challenges may also be effective at preventing middlebox resource exhaustion effects. The middlebox will not properly handle the resulting challenge packet, so the SYN packets won’t make it past mitigation gear, and since the handshake will never complete, data flows should also be dropped before making it to servers and applications.
The middlebox attack remained theoretical for a lot longer than we initially anticipated, taking months before we saw it really leveraged in the wild. Now that TCP Middlebox Reflection has been tested and verified against real-world networks, it’s likely that attacker adoption will continue. It’s also likely that attackers will attempt to improve and expand the attack’s capabilities and overall impact.