Cybercriminals are amplifying DoS attacks times 65 by exploiting firewalls, NAT and other middleboxes
https://www.securitynewspaper.com/2022/03/01/cybercriminals-are-amplifying-dos-attacks-times-65-by-exploiting-firewalls-nat-and-other-middleboxes/
Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), Wed, 02 Mar 2022 00:30:46 +0000

According to a recent report by Akamai, groups specializing in distributed denial of service (DDoS) attacks have begun abusing network middleboxes to reflect and amplify their campaigns.

In August 2021, researchers from the University of Colorado and the University of Maryland published a paper on abusing misconfigured middleboxes and censorship systems to reflect DoS traffic, demonstrating that this infrastructure can be used to reach amplification factors of up to 700,000:1. They also showed that the firewalls and intrusion prevention systems that nation states operate for censorship can be turned into reflectors and amplifiers of DoS attacks.

The attack depends on middleboxes that answer with very large block pages even though no valid TCP three-way handshake has been completed: the device inspects and reacts to individual packets instead of tracking connection state.

In its report, Akamai explains that an attacker crafts a short sequence of TCP packets and sends it toward a middlebox. If the HTTP request in that sequence carries a Host header naming a blocked site, the middlebox answers with HTTP headers or an entire HTML block page.

To turn this into a DoS attack, the attacker spoofs the source address of these packets to be the victim's IP, so the middlebox delivers its responses to the victim: “These responses provide attackers with an opportunity for reflection, and in some cases can become an attack scaling factor,” the report states.

While the amplification observed in the wild is modest compared with other reflection vectors, Akamai expects TCP Middlebox Reflection to become a growing trend, having already confirmed attacks of this type against customers in banking, gaming, travel and web hosting.

Hundreds of thousands of middleboxes around the world are potentially usable as reflectors, so an attacker does not need a large botnet to launch a powerful DoS attack. The good news is that mitigation is relatively easy to implement.

According to Akamai, because a SYN packet is meant to initiate the TCP handshake and not to carry data, any SYN whose payload is longer than 0 bytes is anomalous and can be used as a trigger for filtering and other defenses.
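As an added illustration (not code from Akamai or from the original article), the following Python parses raw IPv4/TCP packets and applies the heuristic above: flag any SYN without ACK that carries a payload, and measure the reflected-to-sent byte ratio for one such packet. The packets are constructed inline with a small builder; the addresses, ports, request and block page body are made-up sample data, not a real capture.

```python
import struct

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (20-byte headers, no options).
    Checksums are left zero: they play no part in the flag inspection below."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    data_offset_flags = (5 << 12) | flags          # 5 x 32-bit words, then 9 flag bits
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload), or None for non-IPv4/TCP input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    offset_flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0]
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x1FF
    payload = pkt[ihl + data_offset:total_len]
    return src, dst, sport, dport, flags, payload


def is_syn_with_payload(pkt):
    """Akamai's heuristic: a SYN (not a SYN-ACK) that carries data is anomalous."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, payload = parsed[4], parsed[5]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and len(payload) > 0


def flag_suspicious(packets):
    """Indices of packets in a capture that match the SYN-with-payload rule."""
    return [i for i, p in enumerate(packets) if is_syn_with_payload(p)]


def amplification_factor(sent_pkts, reflected_pkts):
    """Bytes that reach the victim per byte the attacker had to send."""
    sent = sum(len(p) for p in sent_pkts)
    return sum(len(p) for p in reflected_pkts) / sent if sent else 0.0


# Constructed sample traffic (not a real capture). 198.51.100.7 plays the spoofed
# victim, 203.0.113.10 the address behind the middlebox; blocked.example is made up.
REQUEST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body>" + b"Blocked. " * 200 + b"</body></html>")

PLAIN_SYN = build_ipv4_tcp("198.51.100.7", "203.0.113.10", 40000, 80, TCP_SYN)
SYN_WITH_DATA = build_ipv4_tcp("198.51.100.7", "203.0.113.10", 40000, 80, TCP_SYN, REQUEST)
SYNACK_WITH_DATA = build_ipv4_tcp("203.0.113.10", "198.51.100.7", 80, 40000,
                                  TCP_SYN | TCP_ACK, b"x")
DATA_AFTER_HANDSHAKE = build_ipv4_tcp("198.51.100.7", "203.0.113.10", 40000, 80,
                                      TCP_PSH | TCP_ACK, REQUEST)
REFLECTED_BLOCK_PAGE = build_ipv4_tcp("203.0.113.10", "198.51.100.7", 80, 40000,
                                      TCP_PSH | TCP_ACK, BLOCK_PAGE)
SAMPLE_CAPTURE = [PLAIN_SYN, SYN_WITH_DATA, SYNACK_WITH_DATA, DATA_AFTER_HANDSHAKE]

if __name__ == "__main__":
    print("suspicious packet indices:", flag_suspicious(SAMPLE_CAPTURE))
    print("amplification for one SYN-with-data:",
          round(amplification_factor([SYN_WITH_DATA], [REFLECTED_BLOCK_PAGE]), 1))
```

One caveat when deploying the rule: TCP Fast Open (RFC 7413) legitimately places data in a SYN, so treat a match as a rate-limiting or alerting trigger rather than an unconditional drop.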

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Newly discovered TCP reflective amplified DDoS attack can shut down any website
https://www.securitynewspaper.com/2021/08/16/newly-discovered-tcp-reflective-amplified-ddos-attack-can-shut-down-any-website/
Information Security Newspaper | Hacking News, Mon, 16 Aug 2021 22:11:59 +0000

Cybersecurity specialists reported a severe design flaw in some middleboxes, a term for network devices that transform, inspect, filter or otherwise manipulate traffic for purposes other than plain packet forwarding. Firewalls, network address translators (NATs) and deep packet inspection (DPI) systems are all middleboxes.

Instead of completing a real TCP three-way handshake, an attacker preparing a denial of service (DDoS) attack can send a non-standard sequence of packets to the middlebox; because the device does not enforce the handshake, it treats the sequence as an established connection and inspects the data it contains.

That alone is not a problem. But if the data appears to request a website blocked by the middlebox's policy (adult content, entertainment and gambling sites, among others), the device issues a block page that is usually much larger than the packet that triggered it. With the packet's source address spoofed to the victim, that block page is delivered to the victim, producing the amplification effect.
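To make the failure mode concrete, here is an added Python model (not the researchers' code and not any vendor's implementation) contrasting a stateless inspection engine that matches the Host header in any segment with one that inspects only flows whose three-way handshake it has observed, including a client ACK that acknowledges the server's initial sequence number, which an off-path attacker cannot know. The blocked-host list, block page, addresses and sequence numbers are hypothetical.

```python
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10
HEADER_BYTES = 40  # 20-byte IPv4 + 20-byte TCP header, no options (simplifying assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

    def size(self) -> int:
        return HEADER_BYTES + len(self.payload)


# Hypothetical policy and block page: not any vendor's list or page.
BLOCKED_HOSTS = {"blocked.example"}
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body>" + b"This site is blocked by policy. " * 60 + b"</body></html>")
REQUEST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"


def host_header(payload: bytes):
    """Return the HTTP Host header value in lower case, or None if absent."""
    for line in payload.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            return line[5:].strip().lower().decode("ascii", "replace")
    return None


def block_page_for(pkt: Packet) -> Packet:
    """The response an inspecting middlebox injects back toward the requester."""
    return Packet(pkt.dst, pkt.src, PSH | ACK, payload=BLOCK_PAGE)


class StatelessDPI:
    """Vulnerable model: matches the Host header in any segment it sees,
    regardless of whether a handshake ever completed."""

    def handle(self, pkt: Packet) -> list:
        return [block_page_for(pkt)] if host_header(pkt.payload) in BLOCKED_HOSTS else []


class HandshakeTrackingDPI:
    """Hardened model: inspects payload only on flows whose three-way handshake
    it observed, including a client ACK that acknowledges the server's ISN.
    The exact ISN+1 match is a simplification of real window checks."""

    def __init__(self):
        self.client_isn = {}      # (client, server) -> client ISN
        self.server_isn = {}      # (client, server) -> server ISN
        self.established = set()  # (client, server) flows with a verified handshake

    def handle(self, pkt: Packet) -> list:
        flow, reverse = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.client_isn[flow] = pkt.seq
            return []
        if pkt.flags & SYN and pkt.flags & ACK:
            if reverse in self.client_isn and pkt.ack == self.client_isn[reverse] + 1:
                self.server_isn[reverse] = pkt.seq
            return []
        if (pkt.flags & ACK and flow in self.server_isn
                and pkt.ack == self.server_isn[flow] + 1):
            self.established.add(flow)
        if flow in self.established and host_header(pkt.payload) in BLOCKED_HOSTS:
            return [block_page_for(pkt)]
        return []


def spoofed_attack_stream(victim: str, server: str, server_isn: int = 0x2A3B4C5D) -> list:
    """Packets the middlebox sees during a reflected attack: the attacker's spoofed SYN
    and data segment (source = victim), plus the server's SYN-ACK, which goes to the
    victim and never to the attacker, so the attacker's ACK number is a blind guess."""
    return [Packet(victim, server, SYN, seq=1000),
            Packet(server, victim, SYN | ACK, seq=server_isn, ack=1001),
            Packet(victim, server, PSH | ACK, seq=1001, ack=1, payload=REQUEST)]


def legitimate_stream(client: str, server: str, server_isn: int) -> list:
    """A real client that completes the handshake and then asks for a blocked host."""
    return [Packet(client, server, SYN, seq=5000),
            Packet(server, client, SYN | ACK, seq=server_isn, ack=5001),
            Packet(client, server, ACK, seq=5001, ack=server_isn + 1),
            Packet(client, server, PSH | ACK, seq=5001, ack=server_isn + 1, payload=REQUEST)]


def bytes_reflected_to(box, stream: list, target: str) -> int:
    """Feed a stream through a middlebox model; count response bytes addressed to target."""
    return sum(r.size() for p in stream for r in box.handle(p) if r.dst == target)


def amplification(box_cls, victim: str = "198.51.100.7", server: str = "203.0.113.10") -> float:
    """Bytes delivered to the victim per byte the attacker itself had to send."""
    stream = spoofed_attack_stream(victim, server)
    sent = sum(p.size() for p in stream if p.src == victim)
    return bytes_reflected_to(box_cls(), stream, victim) / sent


if __name__ == "__main__":
    for box in (StatelessDPI, HandshakeTrackingDPI):
        print(f"{box.__name__:22s} amplification toward victim: {amplification(box):.1f}x")
```

The stateless model reflects the full block page to the spoofed victim for two small packets; the handshake-tracking model reflects nothing to the victim yet still serves the block page to a client that genuinely completed the handshake, so the policy keeps working while the reflection vector disappears.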

After extensive testing, the researchers from the University of Colorado and the University of Maryland conclude that the most reliable triggers for these TCP reflected amplification attacks are requests for websites commonly blocked by nation-state censorship systems or corporate policies.

Although the team tested many commonly blocked websites, five domains drew responses from the largest share of middleboxes on the Internet and are the most dependable triggers:

  • www.youporn.com (pornography website)
  • www.roxypalace.com (betting and gambling)
  • plus.google.com (social media website)
  • www.bittorrent.com (file sharing platform)
  • www.survive.org.uk (sex education)

Not all middleboxes respond the same way, but the researchers concluded that requests for these five sites are enough to power a DDoS attack. University of Maryland researcher Kevin Bock notes that amplification factors varied with middlebox type, vendor, system configuration and network configuration.

Bock adds that the team scanned the entire IPv4 address space 35 times to discover and catalogue middleboxes that amplify TCP traffic, finding in total 200 million IPv4 addresses that could be used in an attack. These systems typically handle large traffic volumes, and some are misconfigured with routing loops that push the same malformed TCP packet through the same middlebox repeatedly, so that a single packet elicits a block page on every pass.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
