DDoS attacks leveraging a new amplification technique called TCP Middlebox Reflection are emerging as a powerful threat to organizations. The attack abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to victims’ machines.
According to researchers, the attack can be triggered through firewalls, Network Address Translators (NATs), load balancers, and Deep Packet Inspection (DPI) boxes by sending a non-compliant sequence of TCP packets. A middlebox that inspects traffic without tracking TCP state will answer a SYN, or a PSH/ACK carrying an HTTP request for a blocked site, with a full block page even though no handshake was ever completed; because that reply is far larger than the packet that provoked it, the exchange amplifies the attacker's traffic.
The concerning factor
- While widespread abuse of the vector is still limited, researchers claim that over 18 million IPv4 addresses can be leveraged to launch TCP-based DDoS reflection attacks.
- The countries with the highest number of vulnerable IPv4 addresses are China (over 6.3 million), followed by Iran (around 5.2 million) and Indonesia (over 2.7 million).
- The real figure may be higher: the count covers only the IP addresses that were observed responding as middleboxes.
The first noticeable attack
- The first wave of noticeable attack campaigns taking advantage of the method occurred in February.
- Akamai reported that such attacks targeted its customers across the banking, travel, gaming, media, and web hosting industries.
- The traffic peaked at 11 Gbps and 1.5 million packets per second (Mpps).
- To abuse the middleboxes, attackers spoofed the victim's IP address as the source of the packets they sent to the middleboxes, so that the middleboxes' responses were delivered to the victim rather than back to the attacker.
Key takeaway
The main takeaway is that the vector has moved from research into real-world abuse. Defenders should assume it will be used against them and review their DDoS mitigation accordingly. Because the reflected packets arrive from what look like ordinary web servers on ports 80 and 443, blocking by source port is not an option; filtering has to key on the fact that the victim never opened the connections the packets belong to. Operators of middleboxes, for their part, reduce the pool of reflectors by making sure their devices act only on connections whose handshake they have actually seen.
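The check described above, written out as an added example (this is not code from Akamai or from the researchers, and the packet record format, the protected prefix 203.0.113.0/24 and the sample capture are all constructed here). It keeps a short memory of outbound SYNs from the protected hosts and flags any inbound packet from a web port that has no matching SYN as unsolicited, which is exactly what a reflected block page, SYN/ACK or RST looks like at the victim:

```python
"""Flag unsolicited TCP traffic from web ports toward a protected prefix.

A reflected middlebox response arrives at the victim as a PSH/ACK (the block
page), a bare SYN/ACK or a RST from TCP port 80/443, for a connection the
victim never initiated.  The heuristic below remembers outbound SYNs from the
protected hosts and treats any inbound packet from a web port without a
matching outbound SYN as unsolicited, then ranks the senders by bytes.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical protected range; in practice this is the victim's own prefix.
PROTECTED = ipaddress.ip_network("203.0.113.0/24")
WEB_PORTS = {80, 443}
SYN_MEMORY_SECONDS = 60.0  # how long an outbound SYN legitimises replies


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # e.g. "S", "SA", "PA", "R"
    length: int     # bytes on the wire


def is_protected(ip: str) -> bool:
    return ipaddress.ip_address(ip) in PROTECTED


def find_unsolicited(packets: list[Packet]) -> dict[str, dict[str, int]]:
    """Return {sender_ip: {"packets": n, "bytes": b}} for unsolicited traffic.

    packets must be in timestamp order (as a capture or flow export would be).
    """
    # (protected_host, remote_ip, remote_port) -> timestamp of last outbound SYN
    last_syn: dict[tuple[str, str, int], float] = {}
    stats: dict[str, dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})

    for p in packets:
        # Outbound SYN (not SYN/ACK) from a protected host: remember it.
        if is_protected(p.src) and p.flags == "S":
            last_syn[(p.src, p.dst, p.dport)] = p.ts
            continue

        # Only inbound traffic from web ports toward protected hosts matters here.
        if not is_protected(p.dst) or p.sport not in WEB_PORTS:
            continue

        # Data segments, SYN/ACKs and RSTs are all replies, so each needs a
        # matching SYN from the victim within the memory window.
        key = (p.dst, p.src, p.sport)
        seen = last_syn.get(key)
        if seen is not None and p.ts - seen <= SYN_MEMORY_SECONDS:
            continue  # the victim really did open this connection

        stats[p.src]["packets"] += 1
        stats[p.src]["bytes"] += p.length

    return dict(stats)


def top_reflectors(packets: list[Packet], min_bytes: int = 1000) -> list[tuple[str, int]]:
    """Senders of at least min_bytes of unsolicited traffic, largest first."""
    stats = find_unsolicited(packets)
    ranked = sorted(((ip, s["bytes"]) for ip, s in stats.items()), key=lambda t: -t[1])
    return [(ip, b) for ip, b in ranked if b >= min_bytes]


# Constructed sample: one legitimate browse plus a burst of reflected block pages.
SAMPLE = [
    # Legitimate: the victim opens a connection and gets a real reply.
    Packet(0.0, "203.0.113.10", 51000, "198.51.100.5", 443, "S", 60),
    Packet(0.1, "198.51.100.5", 443, "203.0.113.10", 51000, "SA", 60),
    Packet(0.2, "198.51.100.5", 443, "203.0.113.10", 51000, "PA", 1400),
    # Reflected: block pages from two middleboxes the victim never contacted.
    Packet(1.0, "192.0.2.7", 80, "203.0.113.10", 40000, "PA", 1460),
    Packet(1.0, "192.0.2.7", 80, "203.0.113.10", 40001, "PA", 1460),
    Packet(1.1, "192.0.2.7", 80, "203.0.113.10", 40002, "PA", 1460),
    Packet(1.2, "192.0.2.9", 80, "203.0.113.10", 40003, "SA", 60),
    Packet(1.2, "192.0.2.9", 80, "203.0.113.10", 40003, "R", 40),
]

if __name__ == "__main__":
    for ip, nbytes in top_reflectors(SAMPLE, min_bytes=100):
        print(f"{ip}: {nbytes} unsolicited bytes")
```

The SYN memory is the important design choice: without it, every genuine web response would be flagged, and with too long a window a reflector that the victim happened to contact recently would be missed. In production the same logic would run over flow records or a packet capture at the edge, and the ranked list is what you would hand to the upstream provider for filtering.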