Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/

Cybercriminals are amplifying DoS attacks times 65 by exploiting firewalls, NAT and other middleboxes
https://www.securitynewspaper.com/2022/03/01/cybercriminals-are-amplifying-dos-attacks-times-65-by-exploiting-firewalls-nat-and-other-middleboxes/
Wed, 02 Mar 2022 00:30:46 +0000

According to a recent report by Akamai, hacking groups specializing in distributed denial of service (DDoS) attacks have begun abusing network middleboxes for reflection and amplification of their malicious campaigns.

A few months ago, a group of researchers published a report on the abuse of misconfigured middleboxes and censorship systems for DoS reflection, demonstrating that this infrastructure can be abused to achieve DoS amplification rates of up to 700,000:1. The experts also demonstrated that firewalls and intrusion prevention systems employed by state actors can be weaponized to amplify DoS attacks.

These attacks depend on the ability of middleboxes to respond to requests with very large blocking pages, even if a valid TCP connection or handshake has not been established.

In their report, Akamai experts explain that a threat actor can create sequences of TCP packets and send them to middleboxes. If the HTTP request headers in these streams contain a domain name for a blocked site, the middlebox responds with HTTP headers or full HTML pages.

As part of a DoS attack, hackers spoof the intended victim’s IP address as the source, causing middleboxes to direct their responses to that specific IP: “These responses provide attackers with an opportunity for reflection, and in some cases can become an attack scaling factor,” the report states.

While this is a minor increase compared to other attack vectors, techniques based on TCP Middlebox Reflection abuse could become a growing trend, as similar attacks against banking networks, gaming systems, travel, and web hosting have been confirmed.

There are currently hundreds of thousands of middlebox systems around the world that are potentially vulnerable to these attacks, so threat actors don’t need access to a large number of compromised systems to launch powerful DoS attacks. The good news is that mitigation options are relatively easy to implement.

According to Akamai, because SYN packets are usually used to initiate the TCP handshake and not for data transmission, any SYN packet with a payload longer than 0 bytes is suspicious and can be used to trigger defenses.
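The check Akamai describes, sketched as an added example (not code from Akamai or from the original article): a parser that takes a raw IPv4 packet and flags a handshake-opening SYN that carries a payload. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10
MSS_OPT = bytes([2, 4, 0x05, 0xB4])  # TCP option: MSS 1460

def syn_payload_len(packet: bytes):
    """Payload length of an initial SYN (SYN set, ACK clear) in a raw IPv4
    packet; None if the packet is malformed, not TCP, or not an initial SYN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!H", packet[2:4])[0], struct.unpack("!H", packet[6:8])[0]
    if ihl < 20 or packet[9] != 6 or not ihl + 20 <= total_len <= len(packet):
        return None
    if frag & 0x1FFF:  # non-first fragment: no TCP header to inspect
        return None
    tcp = packet[ihl:total_len]
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not 20 <= data_off <= len(tcp):
        return None
    if not flags & SYN or flags & ACK:
        return None
    return len(tcp) - data_off

def is_suspicious_syn(packet: bytes) -> bool:
    """True when a handshake-opening SYN carries data (payload > 0 bytes)."""
    n = syn_payload_len(packet)
    return n is not None and n > 0

def build_packet(flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed sample packet: documentation addresses, zeroed checksums."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, flags, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

if __name__ == "__main__":
    body = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed payload
    samples = {"plain SYN": build_packet(SYN, options=MSS_OPT),
               "SYN with data": build_packet(SYN, body, MSS_OPT),
               "established data": build_packet(ACK | PSH, body)}
    for name, pkt in samples.items():
        print(f"{name:18} payload={syn_payload_len(pkt)} suspicious={is_suspicious_syn(pkt)}")
```

TCP Fast Open (RFC 7413) legitimately carries data in a SYN, so where it is in use the check needs an allowance for it rather than a blanket drop.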

DDoS extortion attacks affecting public and private organizations worldwide
https://www.securitynewspaper.com/2021/04/01/ddos-extortion-attacks-affecting-public-and-private-organizations-worldwide/
Thu, 01 Apr 2021 17:09:55 +0000

During the first quarter of 2021, denial of service (DoS) attacks became one of the world’s leading cybercriminal trends, in part thanks to the combination of this technique with extortion campaigns against relevant targets, including public and private organizations.

One of the biggest victims of this attack variant, known as Ransom DDoS (RDoS), is web security firm Akamai, whose systems were affected by a massive DoS condition that led to the demand for a ransom payment: “In February this year, we had to deal with three of the six largest DoS attacks ever recorded,” the company said.

Akamai also detected two separate incidents that reached volumes never before seen and apparently targeted an online betting company based in Europe, in what researchers described as a highly complex RDoS attack: “Since the start of this campaign, threat actors have demonstrated a large amount of resources, reaching an attack power of more than 800 Gbps in February 2021,” the report states.

Reports indicate that threat actors used a completely new approach to deploy the attack, taking advantage of the Datagram Congestion Control Protocol (DCCP), also known as Protocol 33: “This approach allows bypassing the defenses established for TCP and UDP traffic flows, which are the resources most commonly used in such attacks,” the experts mention.

Separately, the specialized firm Radware reports detecting a massive RDoS attack campaign that reportedly began in late 2020 or during the first week of 2021. The operators of this campaign reportedly demanded a ransom of up to 10 Bitcoin in each extortion attempt. The main indicator that all the attacks were perpetrated by the same hacking group is the ransom note received by the affected companies.

As for the extortion methods, hackers began to cause severe failures in affected systems just a couple of hours after sending the extortion note to victims. Akamai confirmed that its customers went through similar episodes, noting that “the 2021 RDoS campaigns have become more specific and much more persistent.” Specifically, Akamai described attacks on two organizations that saw their systems disrupted for nearly a full week. The company mentions that the hackers had done outstanding reconnaissance work before launching the attack.

Another trend recently detected is the increase in DDoS attacks above 50 Gbps.

Attacks of greater magnitude than all recorded during 2019 have been reported in less than three months of 2021, demonstrating the advancement of this malicious practice around the world.
