Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks (Security News, August 2021)
Weaknesses in the TCP implementations of middleboxes and censorship infrastructure could be weaponized as a vector for reflected denial-of-service amplification attacks, with amplification factors surpassing many of the UDP-based amplifiers known to date.
Detailed by a group of academics from the University of Maryland and the University of Colorado Boulder at the USENIX Security Symposium, the volumetric attacks take advantage of TCP-non-compliant in-network middleboxes, such as firewalls, intrusion prevention systems, and deep packet inspection boxes, to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors exceeding those of DNS, NTP, and Memcached.
Reflected amplification attacks are a type of DoS attack in which an adversary leverages the connectionless nature of the UDP protocol, sending requests with a spoofed source address to misconfigured open servers so that their replies land on a target server or network, overwhelming it with a flood of packets and causing disruption or rendering the server and its surrounding infrastructure inaccessible.
While DoS amplification has traditionally been UDP-based, owing to the complications introduced by TCP's three-way handshake for setting up a connection over an IP-based network, the researchers found that a large number of network middleboxes do not conform to the TCP standard and can "Respond to spoofed censored requests with large block pages, even if there is no valid TCP connection or handshake," turning the devices into attractive targets for DoS amplification attacks.
What's more, a series of experiments found that these amplified responses come predominantly from middleboxes, including nation-state censorship devices and corporate firewalls, highlighting the role such infrastructure plays in enabling governments to suppress access to information within their borders and, worse, allowing adversaries to weaponize the same networking devices to attack anyone.
"Middleboxes introduce an unexpected, as-yet untapped threat that attackers could leverage to launch powerful DoS attacks," the researchers added.
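The defining symptom of this attack class, as the article describes it, is TCP payload arriving at the victim on connections the victim never opened: a compliant peer sends no data before a handshake, but a middlebox injecting a block page into a spoofed connection does. The following Python script is an added, victim-side detection heuristic built on that observation; it is not code from the article or from the researchers' paper. The packet record schema, the host addresses (IPv4 documentation ranges) and the byte counts are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet record (hypothetical schema, e.g. a pcap/flow export)."""
    direction: str  # "out" = leaves our network, "in" = arrives from outside
    src: str        # IP:port of the sender
    dst: str        # IP:port of the receiver
    flags: str      # TCP flag letters, e.g. "S", "SA", "PA", "R"
    payload: int    # TCP payload length in bytes


def classify_unsolicited(packets):
    """Return, per remote IP, the inbound payload that arrived on a 4-tuple
    for which our side never sent a SYN, i.e. data outside any handshake
    we took part in. Handshake packets themselves carry no payload and
    are ignored; only data segments count.
    """
    initiated = set()  # (local_endpoint, remote_endpoint) pairs we opened
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        # A pure SYN (no ACK bit) leaving our network records a connection we opened.
        if p.direction == "out" and "S" in p.flags and "A" not in p.flags:
            initiated.add((p.src, p.dst))
        elif p.direction == "in" and p.payload > 0:
            # Inbound data is expected only on connections we initiated.
            if (p.dst, p.src) not in initiated:
                remote_ip = p.src.rsplit(":", 1)[0]
                stats[remote_ip]["packets"] += 1
                stats[remote_ip]["bytes"] += p.payload
    return dict(stats)


def top_reflectors(stats, min_bytes=1000):
    """Rank suspected reflectors by unsolicited bytes, dropping small noise
    (stray retransmissions, scanners) below min_bytes."""
    return sorted(
        ((ip, s["bytes"]) for ip, s in stats.items() if s["bytes"] >= min_bytes),
        key=lambda item: item[1],
        reverse=True,
    )


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / request_bytes


# Constructed sample capture from the victim's edge (192.0.2.5 is "our" host).
SAMPLE_PACKETS = [
    # Legitimate connection we opened: SYN out, SYN-ACK in, 1200 bytes of data in.
    Packet("out", "192.0.2.5:51000", "203.0.113.10:443", "S", 0),
    Packet("in", "203.0.113.10:443", "192.0.2.5:51000", "SA", 0),
    Packet("in", "203.0.113.10:443", "192.0.2.5:51000", "PA", 1200),
    # Unsolicited data segments from a suspected reflector: no SYN from us.
    Packet("in", "198.51.100.7:80", "192.0.2.5:40000", "PA", 4000),
    Packet("in", "198.51.100.7:80", "192.0.2.5:40001", "PA", 4000),
    # Unsolicited RST with no payload: not counted as amplified data.
    Packet("in", "198.51.100.9:80", "192.0.2.5:40002", "R", 0),
    # Small unsolicited segment: counted, but filtered out by top_reflectors.
    Packet("in", "198.51.100.20:80", "192.0.2.5:40003", "PA", 60),
]


if __name__ == "__main__":
    stats = classify_unsolicited(SAMPLE_PACKETS)
    for ip, total in top_reflectors(stats):
        print(f"{ip}: {total} unsolicited bytes in {stats[ip]['packets']} packets")
```

On the sample data the legitimate server 203.0.113.10 is never reported, while 198.51.100.7 surfaces with 8000 unsolicited bytes; if the trigger that elicited those bytes were, say, a 100-byte request, `amplification_factor(100, 8000)` gives 80. In production the state table would be keyed on the firewall's or IDS's own connection tracking rather than a replayed packet list, and the alert threshold tuned to the link's normal background of stray segments.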