Security News > 2021 > August > Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks
Weaknesses in the implementation of TCP protocol in middleboxes and censorship infrastructure could be weaponized as a vector to stage reflected denial of service amplification attacks against any target, surpassing many of the existing UDP-based amplification factors to date.
The research, which received a Distinguished Paper Award at the conference, is the first of its kind to describe a technique to carry out DDoS reflected amplification attacks over the TCP protocol by abusing middlebox misconfigurations in the wild, a method previously deemed effective at preventing such spoofing attacks.
Reflected amplification attacks are a type of DoS attacks in which an adversary leverages the connectionless nature of UDP protocol with spoofed requests to misconfigured open servers in order to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure inaccessible.
While DoS amplifications are traditionally UDP-based owing to complications arising out TCP's three-way handshake to set up a TCP/IP connection over an IP based network, the researchers found that a large number of network middleboxes do not conform to the TCP standard, and that they can "Respond to spoofed censored requests with large block pages, even if there is no valid TCP connection or handshake," turning the devices into attractive targets for DoS amplification attacks.
What's more, not only do these amplified responses come predominantly from middleboxes, a chunk of those network inspection equipment are nation-state censorship apparatus, highlighting the role played by such infrastructure in enabling governments to suppress access to the information within their borders, and worse, allow adversaries to weaponize the networking devices to attack any victim on the internet.
"Middleboxes introduce an unexpected, as-yet untapped threat that attackers could leverage to launch powerful DoS attacks," the researchers added.
News URL
Related news
- Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465) (source)
- Palo Alto Networks patches two firewall zero-days used in attacks (source)
- US sanctions Chinese firm for hacking firewalls in ransomware attacks (source)
- US sanctions Chinese cybersecurity company for firewall compromise, ransomware attacks (source)
- US names Chinese national it alleges was behind 2020 attack on Sophos firewalls (source)
- Europol Dismantles 27 DDoS Attack Platforms Across 15 Nations; Admins Arrested (source)