Weaknesses in the implementation of TCP protocol in middleboxes and censorship infrastructure could be weaponized as a vector to stage reflected denial of service (DoS) amplification attacks against any target, surpassing many of the existing UDP-based amplification factors to date.
Detailed by a group of academics from the University of Maryland and the University of Colorado Boulder at the USENIX Security Symposium, the volumetric attacks take advantage of TCP-non-compliance in-network middleboxes — such as firewalls, intrusion prevention systems, and deep packet inspection (DPI) boxes — to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors exceeding those from DNS, NTP, and Memcached.
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
The research, which received a Distinguished Paper Award at the conference, is the first of its kind to describe a technique to carry out DDoS reflected amplification attacks over the TCP protocol by abusing middlebox misconfigurations in the wild, a method previously deemed effective at preventing such spoofing attacks.
Reflected amplification attacks are a type of DoS attacks in which an adversary leverages the connectionless nature of UDP protocol with spoofed requests to misconfigured open servers in order to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure inaccessible. This typically occurs when the response from the vulnerable service is larger than the spoofed request, which can then be leveraged to send thousands of these requests, thereby significantly amplifying the size and bandwidth issued to the target.
While DoS amplifications are traditionally UDP-based owing to complications arising out of TCP's three-way handshake to set up a TCP/IP connection over an IP based network (SYN, SYN+ACK, and ACK), the researchers found that a large number of network middleboxes do not conform to the TCP standard, and that they can "respond to spoofed censored requests with large block pages, even if there is no valid TCP connection or handshake," turning the devices into attractive targets for DoS amplification attacks.
"Middleboxes are often not TCP-compliant by design: many middleboxes attempt [to] handle asymmetric routing, where the middlebox can only see one direction of packets in a connection (e.g., client to server)," the researchers said. "But this feature opens them to attack: if middleboxes inject content based only on one side of the connection, an attacker can spoof one side of a TCP three-way handshake, and convince the middlebox there is a valid connection."
Put differently, the mechanism hinges on tricking the middlebox into injecting a response without completing the three-way handshake, subsequently using it to access a forbidden domain such as pornography, gambling, and file sharing sites, causing the middlebox to respond with a block page, which would be much larger than the censored requests, thus resulting in an amplification.
What's more, not only do these amplified responses come predominantly from middleboxes, a chunk of those network inspection equipment are nation-state censorship apparatus, highlighting the role played by such infrastructure in enabling governments to suppress access to the information within their borders, and worse, allow adversaries to weaponize the networking devices to attack any victim on the internet.
"Nation-state censorship infrastructure is located at high-speed ISPs, and is capable of sending and injecting data at incredibly high bandwidths," the researchers said. "This allows an attacker to amplify larger amounts of traffic without worry of amplifier saturation. Second, the enormous pool of source IP addresses that can be used to trigger amplification attacks makes it difficult for victims to simply block a handful of reflectors. Nation-state censors effectively turn every routable IP addresses (sic) within their country into a potential amplifier."
"Middleboxes introduce an unexpected, as-yet untapped threat that attackers could leverage to launch powerful DoS attacks," the researchers added. "Protecting the Internet from these threats will require concerted effort from many middlebox manufacturers and operators."