Weaknesses in the implementation of the TCP protocol in middleware and censorship infrastructure can be weaponized as a vector to conduct reflected denial-of-service (DoS) amplification attacks against any target, exceeding many existing UDP-based amplification factors.
A team of academics from the University of Maryland and the University of Colorado Boulder detailed volumetric attacks that exploit TCP-noncompliant network middleware — such as firewalls, intrusion prevention systems and deep packet inspection (DPI) boxes — at the USENIX Security Symposium — Amplify network traffic, hundreds of thousands of IP addresses provide an amplification factor that exceeds DNS, NTP and Memcached.
The research, which won the Outstanding Paper Award at the conference, is the first of its kind to describe a technique for conducting DDoS reflection amplification attacks on the TCP protocol by abusing middlebox misconfiguration, a method that has previously been considered effective in preventing such attacks from being deceived. attack.
A reflection amplification attack is a DoS attack in which an attacker exploits the connectionless nature of the UDP protocol to issue spoofed requests to a misconfigured open server in order to flood the target server or network with a large number of packets, causing an outage or rendering server and its surrounding infrastructure. Inaccessible. This typically occurs when the response from the vulnerable service is larger than the spoofed request, which can then be exploited to send thousands of these requests, significantly amplifying the size and bandwidth sent to the target.
While DoS amplification has traditionally been based on UDP due to the complexities created by TCP's three-way handshake in establishing TCP/IP connections over IP-based networks (SYN, SYN+ACK, and ACK), researchers have found that a large number of Network middleware is not TCP compliant, and they can "respond to spoofed review requests with large chunks of pages, even without a valid TCP connection or handshake," turning these devices into attractive targets for DoS amplification attacks.
"Middleboxes tend not to be TCP-compliant designs: many try to handle asymmetric routing, where the middleware only sees packets in one direction of the connection (e.g., client to server)," the researchers said . "But this feature makes them vulnerable to attacks: if the middleware injects content based on only one side of the connection, an attacker can spoof one side of the TCP three-way handshake and convince the middleware that a valid connection exists."
In other words, the mechanism relies on tricking the middlebox into injecting a response without completing the three-way handshake and subsequently using it to access prohibited domains such as porn, gambling, and file sharing sites, causing the middlebox to block the page from responding, which will Much larger than the review request, resulting in amplification.
What's more, these amplified responses not only come primarily from middleware, the majority of network censorship devices are nation-state censorship agencies, highlighting the role such infrastructure plays in enabling governments to suppress access to information within their borders, Or even worse, allowing adversaries to weaponize network devices to attack any victim on the internet.
"The national censorship infrastructure is located at high-speed ISPs and is capable of sending and injecting data at incredibly high bandwidths," the researchers said. "This allows attackers to amplify large amounts of traffic without worrying about amplifier saturation. Second, it can be used to trigger amplification The attack's large pool of source IP addresses makes it difficult for victims to simply block a handful of reflectors. Censors effectively turn every routable IP address (sic) in their country into a potential amplifier."
"The middlebox introduces an unexpected, untapped threat that attackers can exploit to launch powerful DoS attacks," the researchers added. "Securing the Internet from these threats requires the combined efforts of many middleware manufacturers and operators."
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/ddos-attacks-amplified-through-firewall-middleware-html