Multiple distributed denial of service (DDoS) attack campaigns against Akamai customers have been observed in recent weeks, combining SYN flooding with huge volumes of traffic: up to 11 Gbps at 1.5 million packets per second (Mpps). After analysing the TCP packets used in the attacks, we found that the attackers are employing a novel technique known as TCP Middlebox Reflection.
In August 2021, academics from the University of Maryland and the University of Colorado Boulder published a paper describing TCP Middlebox Reflection as a new DDoS attack vector. “Weaponizing Middleboxes for TCP Reflected Amplification” demonstrated how reflected TCP attacks can take advantage of devices like firewalls and content filtering systems. Middlebox DDoS amplification is an entirely new class of DDoS amplification.
Chad Seaman, lead of Akamai’s Security Intelligence Research Team (SIRT), reported: “The vector has been seen utilised alone and as part of multi-vector campaigns, with attack numbers slowly growing.” The basic idea behind TCP-based reflection is to use the middleboxes that are employed to implement censorship laws and enterprise content filtering rules to elicit a volumetric reaction by delivering specially crafted TCP packets.
A distributed reflective denial-of-service (DRDoS) attack uses publicly available UDP servers and bandwidth amplification factors (BAFs) to overload a victim’s system with a large number of UDP responses.
The attacker sends a flood of DNS or NTP requests with a forged source IP address, causing the servers to return their responses, in amplified form, to the forged address and so exhaust the bandwidth available to the target.
While UDP reflection vectors have historically been employed in DoS amplification attacks due to the protocol’s connectionless nature, the novel attack approach exploits TCP non-compliance in middleboxes such as deep packet inspection (DPI) tools to launch TCP-based reflective amplification attacks.
The first wave of “noticeable” attack campaigns using the approach is reported to have hit Akamai customers in the banking, travel, gaming, media, and web hosting industries around February 17, with traffic peaking at 11 Gbps and 1.5 million packets per second (Mpps).
In one of the attacks seen by the cloud security firm, a single SYN packet with a 33-byte payload generated a 2,156-byte response, essentially attaining a 65x amplification factor (6,533 percent).
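As an added illustration (not code from the article or from Akamai), the following Python sketch classifies constructed TCP segment records the way a defender might when looking for this pattern: it flags SYN segments that carry a payload and measures how many bytes a reflector returns per byte of trigger, reproducing the 33-byte to 2,156-byte ratio quoted above. The Segment fields, the 10x reporting threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str          # source IP as seen on the wire
    dst: str          # destination IP
    flags: str        # TCP flag letters, e.g. "S", "SA", "PA"
    length: int       # bytes on the wire (headers plus payload)
    payload_len: int  # bytes of TCP payload only

def is_suspect_syn(seg: Segment) -> bool:
    """A pure SYN should carry no data; one that does matches the trigger above."""
    return seg.flags == "S" and seg.payload_len > 0

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Response bytes per request byte (the figure the article quotes as 65x)."""
    return response_bytes / request_bytes if request_bytes else 0.0

def analyse(segments, min_factor: float = 10.0):
    """Pair each suspect SYN (claimed source -> reflector) with the bytes the
    reflector sends back and report pairs amplified at least min_factor times."""
    triggers = defaultdict(int)  # (reflector, claimed source) -> request bytes
    replies = defaultdict(int)   # same key -> bytes returned to the claimed source
    for seg in segments:
        if is_suspect_syn(seg):
            triggers[(seg.dst, seg.src)] += seg.payload_len
    for seg in segments:
        key = (seg.src, seg.dst)
        if key in triggers and not is_suspect_syn(seg):
            replies[key] += seg.length
    findings = []
    for key, req in triggers.items():
        factor = amplification_factor(req, replies[key])
        if factor >= min_factor:
            findings.append({"reflector": key[0], "victim": key[1], "request_bytes": req,
                             "response_bytes": replies[key], "factor": round(factor, 1)})
    return findings

# Constructed sample (RFC 5737 documentation addresses): one 33-byte SYN payload
# draws 2,156 bytes of reply, while a normal SYN gets only a 60-byte SYN/ACK.
SAMPLE = [
    Segment("198.51.100.5", "192.0.2.10", "S", 73, 33),
    Segment("192.0.2.10", "198.51.100.5", "SA", 60, 0),
    Segment("192.0.2.10", "198.51.100.5", "PA", 1500, 1460),
    Segment("192.0.2.10", "198.51.100.5", "PA", 596, 556),
    Segment("203.0.113.7", "192.0.2.10", "S", 60, 0),
    Segment("192.0.2.10", "203.0.113.7", "SA", 60, 0),
]
FINDINGS = analyse(SAMPLE)  # one finding: 192.0.2.10 -> 198.51.100.5, factor 65.3
```

In live traffic the same pairing would be keyed on flows rather than single segments, and the benign SYN in the sample shows why the payload check, not the SYN itself, is the discriminator.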
Finally, the researchers concluded: “Typically, when knowledge and popularity of a given vector develops across the DDoS landscape and more attackers begin to construct technology to utilise the new vector, more widespread misuse of that vector is likely to follow. Defenders should be aware that we’ve moved from theory to reality,” Seaman said, adding that they should examine their defensive techniques in light of this new vector, which they may experience in the real world shortly.