New Trick by DDoS Attackers to Knock over Websites
Attackers are finding new ways to reach the websites and browsers of different clients, degrading the user experience.
A threat that was once theoretical has become a real possibility, with attackers gaining an advantage by driving increased traffic at different websites.
Distributed Denial of Service (DDoS) attacks are increasing, and many of the attackers behind them are innovating.
The attackers are using a new strategy that targets vulnerable middleboxes, such as firewalls, to increase the reach of their attacks.
Attackers have in the past used amplification attacks to flood servers with short bursts of traffic as high as 3.47 Tbps. Microsoft thwarted large-scale attacks of this kind that were tied to an online gaming competition.
However, the attacks are not over: Akamai, a leading content distribution firm, has reported a new wave of attacks.
The firm says the attacks were carried out through TCP Middlebox Reflection. TCP, the Transmission Control Protocol, is one of the foundational protocols for communication between machines on the internet.
Akamai put the peak of the attacks at 11 Gbps and 1.5 million packets per second (Mpps).
A research paper provided study results highlighting why amplification works so well for the attackers. The paper showed how attackers rely on the technique to target middleboxes such as firewalls.
The paper, by researchers at the University of Maryland and the University of Colorado Boulder, shows that attackers can amplify their denial-of-service attacks by abusing middleboxes via TCP.
In a reflection attack, the attacker sends small packets to a server, which replies with much larger packets. Because the attacker forges the source address, those larger replies are sent to the targeted victim rather than back to the attacker.
Such small-packet amplification attacks have usually been carried out over the User Datagram Protocol (UDP).
Network middleboxes that do not adhere to the TCP standard are the main target of the TCP variant.
The research showed that hundreds of IP addresses amplified the attacks 100 times. The amplification came from middleboxes such as firewalls and content-filtering devices.
The findings of the research take us back to the beginning, where theoretical attacks have become a real possibility.
One blog post describes how alien the idea of middlebox DDoS amplification was to its authors. The post highlights the specific issue of amplification and the risk it poses to the internet.
Middleboxes from vendors such as Cisco, Fortinet, Palo Alto Networks, and SonicWall, including firewalls, form a major part of corporate infrastructure.
While enforcing content-filtering policies, some of these middleboxes do not properly validate the state of a TCP stream.
Akamai notes that these boxes can be made to respond to out-of-state TCP packets. Their responses are designed to hijack the client's browser so that it cannot reach the blocked content.
Attackers can abuse this broken TCP implementation to reflect TCP traffic, including whole data streams, at DDoS victims.
The abuse works by spoofing the source IP address of the packets sent to the middleboxes.
In this way the attackers ensure that the middleboxes' responses are directed at the victim rather than back to themselves.
TCP connections use the synchronization (SYN) control flag to set up an exchange of messages.
That setup happens over a three-way handshake, which the attackers turn into an attack strategy.
In some middleboxes the TCP implementation can be abused so that the box responds unexpectedly to SYN packets.
Akamai's observations also included amplification in certain instances.
In some of these instances, a single SYN packet with a 33-byte payload produced a 2156-byte response, amplifying the size of the payload by 6,533%.
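As an added example that is not part of the original article, the script below turns the figures quoted above into two checks a defender can run: the amplification ratio of a reflector (33-byte SYN versus 2156-byte reply, and the average packet size implied by 11 Gbps at 1.5 Mpps), and a scan of flow records for inbound TCP segments that belong to no connection the monitored host ever initiated, which is what reflected out-of-state middlebox traffic looks like from the victim's side. The flow records and IP addresses are constructed for the example.

```python
"""TCP middlebox reflection: amplification math and out-of-state detection."""
from collections import defaultdict


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes returned per byte sent (33-byte SYN -> 2156-byte reply is ~65x)."""
    return response_bytes / request_bytes


def amplification_percent(request_bytes: int, response_bytes: int) -> float:
    """Same ratio as a percentage, as vendors usually report it (~6533%)."""
    return 100.0 * amplification_factor(request_bytes, response_bytes)


def avg_packet_bytes(gbps: float, mpps: float) -> float:
    """Average packet size implied by a bandwidth / packet-rate pair."""
    return gbps * 1e9 / (mpps * 1e6) / 8


# Constructed flow records, not real captures:
# (direction, src, dst, tcp_flags, payload_bytes); "out" = sent by the
# monitored host, "in" = received from the internet.
SAMPLE_FLOWS = [
    ("out", "203.0.113.7", "198.51.100.5", "S", 0),     # host opens a connection
    ("in", "198.51.100.5", "203.0.113.7", "SA", 0),     # legitimate SYN/ACK
    ("in", "198.51.100.5", "203.0.113.7", "PA", 1200),  # data on that connection
    ("in", "192.0.2.9", "203.0.113.7", "PA", 2156),     # data, but no SYN was ever sent there
    ("in", "192.0.2.9", "203.0.113.7", "PA", 2156),
    ("in", "192.0.2.44", "203.0.113.7", "SA", 0),       # bare SYN/ACK from an unknown peer
]


def find_out_of_state(flows, victim: str) -> dict:
    """Return {peer: {"packets", "bytes"}} for inbound segments from peers
    the victim never sent a SYN to. Bare SYN/ACKs count as well, since a
    reflector that only emits handshake replies still shows up as unsolicited."""
    initiated = {dst for d, src, dst, flags, _ in flows
                 if d == "out" and src == victim and flags == "S"}
    suspicious = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for direction, src, dst, _flags, payload in flows:
        if direction != "in" or dst != victim or src in initiated:
            continue
        suspicious[src]["packets"] += 1
        suspicious[src]["bytes"] += payload
    return dict(suspicious)


if __name__ == "__main__":
    print(f"factor: {amplification_factor(33, 2156):.2f}x, "
          f"avg pkt: {avg_packet_bytes(11, 1.5):.0f} B")
    print(find_out_of_state(SAMPLE_FLOWS, "203.0.113.7"))
```

On real data the flow records would come from a NetFlow/IPFIX or packet capture export; the per-peer byte totals then rank which reflectors are hitting the victim hardest.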
Amplification is a new trick that attackers have stumbled upon in their quest to reach users. Its effect on some users is lasting, because of the speed at which it generates traffic.
Software developers and computer users therefore have to stay on high alert to safeguard their systems and information.