2022/03/18 11:15:30

TCP Middlebox Reflection

Main article: DDoS attacks

2022: Emergence of the TCP Middlebox Reflection method

In March 2022, a new DDoS attack method became known that abuses network middleboxes to amplify reflected traffic over TCP, the core transport protocol of the Internet. The technique was named TCP Middlebox Reflection; attacks using it have reached 11 Gbit/s and 1.5 million packets per second.

Akamai's findings show that attackers are beginning to add reflection over TCP, one of the main data transfer protocols of the Internet, to their arsenal and are probably honing the technique for larger attacks. In a reflection/amplification attack the attacker impersonates the victim, sends a request to an open server, and the server sends its response, much larger than the request, to the victim. Several large reflection attacks have been carried out over protocols such as DNS, NTP and Memcached. Historically, however, reflection attacks were limited to UDP, because it is connectionless and requires no initial setup (no handshake) between client and server.

Hackers have begun using a method that amplifies DDoS attacks 65-fold

Researchers showed that attackers can trigger middleboxes by spoofing the victim's IP address and requesting a filtered (censored) web page. The middlebox then sends its block page to the victim without the TCP handshake ever being completed. The attack carries the same amplification as its UDP equivalents, and in some cases the middlebox and the victim can keep amplifying the attack endlessly.

Akamai has observed real TCP reflection amplification attacks against its customers' networks. In one case a single SYN packet with a 33-byte payload produced a response of about 2.1 thousand bytes, an amplification of 65 times. In another, a single malicious request left the middlebox and the victim locked in an endless, self-sustaining amplification loop. The first attacks the company observed peaked at 50 Mbit/s; as the attackers refined their methods, later attacks of the same kind peaked at 2.7 Gbit/s and 11 Gbit/s. Akamai's researchers also found that there are millions of IP addresses that can serve as the apparent sources of these attacks, which makes it far harder for operators to stop such DDoS attacks simply by blocking source addresses.
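The packet-level indicator described above (a SYN that already carries an HTTP request, so that a censoring middlebox answers before any handshake) and the amplification ratio from the 33-byte case are shown in the following script. It is an added example, not code from the original article or from Akamai; it builds a few constructed IPv4/TCP frames inline, parses them, flags SYN segments that carry data, and computes the amplification factor. The 2,156-byte response size is an assumption chosen to match the "about 2.1 thousand bytes, 65 times" figures in the text; 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges and www.example.com is a placeholder host, not a domain any real middlebox is known to filter. Nothing is sent on the network.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# TCP flag bits (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# The same indicator as a tcpdump/pcap-filter expression: a SYN without ACK whose
# IP total length exceeds IP header + TCP header, i.e. a SYN that carries data.
SYN_WITH_PAYLOAD_BPF = (
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and "
    "(ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) != 0"
)


@dataclass
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP frame (constructed test data only; checksums
    are left zero and the frame is never transmitted)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         _ip_bytes(src), _ip_bytes(dst))
    data_offset = (20 // 4) << 4          # 5 x 32-bit words, no TCP options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_offset, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw: bytes) -> TcpPacket:
    """Parse the IPv4 and TCP headers and return the segment with its data."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return TcpPacket(src, dst, sport, dport, tcp[13], tcp[data_offset:])


def looks_like_http_request(payload: bytes) -> bool:
    """True if the data starts with an HTTP request line and names a Host."""
    return payload.startswith((b"GET ", b"POST ", b"HEAD ")) and b"\r\nHost:" in payload


def classify(pkt: TcpPacket) -> str:
    """Label the middlebox-reflection indicator in one packet.

    A SYN without ACK opens a handshake and should carry no data; a SYN that
    already holds an HTTP request is what makes a censoring middlebox reply
    with its block page before any handshake completes."""
    if pkt.flags & SYN and not pkt.flags & ACK and pkt.payload:
        if looks_like_http_request(pkt.payload):
            return "syn-with-http-request"
        return "syn-with-payload"
    return "normal"


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes reflected to the victim per byte the attacker sent, to one decimal."""
    return round(response_bytes / request_bytes, 1)


def sample_packets() -> List[bytes]:
    """Constructed frames, not captured traffic (documentation IP ranges,
    placeholder host)."""
    victim, middlebox, client = "192.0.2.10", "198.51.100.7", "192.0.2.55"
    http = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return [
        build_ipv4_tcp(client, middlebox, 40000, 80, SYN),               # ordinary SYN
        build_ipv4_tcp(victim, middlebox, 40001, 80, SYN, http),         # spoofed trigger
        build_ipv4_tcp(client, middlebox, 40000, 80, PSH | ACK, http),   # established flow
        build_ipv4_tcp(middlebox, client, 80, 40000, SYN | ACK),         # handshake reply
        build_ipv4_tcp(victim, middlebox, 40002, 80, SYN, b"\x00\x01"),  # data, not HTTP
    ]


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count each label across a batch of raw frames."""
    counts: Dict[str, int] = {}
    for frame in frames:
        label = classify(parse_ipv4_tcp(frame))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for frame in sample_packets():
        pkt = parse_ipv4_tcp(frame)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"flags=0x{pkt.flags:02x} data={len(pkt.payload)}B  {classify(pkt)}")
    print("amplification for 33 B -> 2156 B:", amplification_factor(33, 2156), "x")
```

The stateless check only catches the trigger packet on the path towards the middlebox; on the victim's side the reflected block pages arrive as SYN+ACK or PSH+ACK segments for connections that never existed, which a stateless filter cannot distinguish from legitimate traffic, which is why the text recommends capacity-based, always-on mitigation rather than source blocking.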

Akamai warns that although TCP middlebox reflection attacks are still relatively small, attackers are starting to adopt the technique and use it as another tool in their DDoS arsenal. This vector widens attackers' toolkit and gives them one more way to disrupt Internet services. As of March 2022, the banking, travel, gaming, media and web hosting industries had been targeted, but researchers expect the range of targets to widen as the technique gains popularity. Information security experts from Cloudflare advise shifting the economics of attacks in favor of the victims: organizations are advised to protect their Internet services with an always-on automated DDoS protection service with sufficient capacity.[1]
