Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks (Security News, August 2021)

Weaknesses in the implementation of the TCP protocol in middleboxes and censorship infrastructure could be weaponized as a vector to stage reflected denial-of-service amplification attacks, surpassing many of the existing UDP-based amplification factors to date.
Detailed by a group of academics from the University of Maryland and the University of Colorado Boulder at the USENIX Security Symposium, the volumetric attacks take advantage of TCP-non-compliant in-network middleboxes - such as firewalls, intrusion prevention systems, and deep packet inspection boxes - to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors exceeding those from DNS, NTP, and Memcached.
Reflected amplification attacks are a type of DoS attack in which an adversary leverages the connectionless nature of the UDP protocol, sending spoofed requests to misconfigured open servers in order to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure inaccessible.
While DoS amplifications are traditionally UDP-based owing to complications arising out of TCP's three-way handshake to set up a TCP/IP connection over an IP-based network, the researchers found that a large number of network middleboxes do not conform to the TCP standard, and that they can "Respond to spoofed censored requests with large block pages, even if there is no valid TCP connection or handshake," turning the devices into attractive targets for DoS amplification attacks.
What's more, a series of experiments found that these amplified responses come predominantly from middleboxes, including nation-state censorship devices and corporate firewalls, highlighting the role played by such infrastructure in enabling governments to suppress access to information within their borders and, worse, allowing adversaries to weaponize the networking devices to attack anyone.
"Middleboxes introduce an unexpected, as-yet untapped threat that attackers could leverage to launch powerful DoS attacks," the researchers added.
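As an added, defender-side illustration (not part of the article or of the researchers' work): the reflected traffic described above reaches the victim as TCP segments, often carrying block-page payload, on connections the victim never opened. The Python sketch below reads a constructed, simplified packet log, flags inbound TCP data or SYN-ACKs for which the monitored host sent no SYN, and totals them per source, which is the kind of signal a network monitor could alert on during such a flood. The log format, the addresses, the local IP and the byte threshold are assumptions made for the example.

```python
# Victim-side detector for reflected TCP traffic (constructed example, not
# the researchers' tooling). It reads a simplified packet log and flags
# inbound TCP segments that belong to no connection this host initiated.
from collections import defaultdict

LOCAL_IP = "10.0.0.5"  # assumed address of the monitored host

# Constructed log. Format (hypothetical, not tcpdump's):
#   <dir> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags> <payload_bytes>
# One legitimate connection to 198.51.100.10:443, then three data segments
# from 203.0.113.7:80 and a SYN-ACK from 192.0.2.44:80 that were never asked for.
SAMPLE_LOG = """\
out 10.0.0.5:50000 > 198.51.100.10:443 S 0
in 198.51.100.10:443 > 10.0.0.5:50000 SA 0
out 10.0.0.5:50000 > 198.51.100.10:443 A 0
in 198.51.100.10:443 > 10.0.0.5:50000 PA 1200
in 203.0.113.7:80 > 10.0.0.5:50001 PA 1460
in 203.0.113.7:80 > 10.0.0.5:50001 PA 1460
in 203.0.113.7:80 > 10.0.0.5:50002 PA 1460
in 192.0.2.44:80 > 10.0.0.5:50003 SA 0
"""


def parse_line(line):
    """Return (direction, (peer_ip, peer_port, local_port), flags, payload)."""
    direction, src, _, dst, flags, payload = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    if direction == "out":
        key = (dst_ip, int(dst_port), int(src_port))
    else:
        key = (src_ip, int(src_port), int(dst_port))
    return direction, key, flags, int(payload)


def find_unsolicited(log_text):
    """Per peer IP, count inbound segments (and payload bytes) that arrive on a
    4-tuple for which this host never sent a SYN.

    Only payload-bearing segments and SYN-ACKs are counted: a bare ACK or RST
    to a stale connection is normal background noise. Sequence numbers and
    timeouts are ignored to keep the example short; a production monitor would
    key on the full 5-tuple and expire old SYN entries.
    """
    syn_sent = set()
    hits = defaultdict(lambda: {"segments": 0, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, key, flags, payload = parse_line(line)
        if direction == "out":
            if "S" in flags and "A" not in flags:
                syn_sent.add(key)
            continue
        if key in syn_sent:
            continue  # reply to a connection we opened ourselves
        if payload > 0 or flags == "SA":
            peer_ip = key[0]
            hits[peer_ip]["segments"] += 1
            hits[peer_ip]["bytes"] += payload
    return dict(hits)


def suspicious_peers(log_text, min_bytes=1000):
    """Peers that pushed at least min_bytes of unsolicited payload, largest first."""
    hits = find_unsolicited(log_text)
    ranked = sorted(hits.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [ip for ip, h in ranked if h["bytes"] >= min_bytes]


if __name__ == "__main__":
    for ip, h in find_unsolicited(SAMPLE_LOG).items():
        print(f"{ip}: {h['segments']} unsolicited segments, {h['bytes']} bytes")
    print("suspicious:", suspicious_peers(SAMPLE_LOG))
```

On the constructed log the legitimate 198.51.100.10 connection is ignored, 203.0.113.7 is reported with three unsolicited data segments (4380 bytes), and 192.0.2.44 appears with a single unsolicited SYN-ACK. Seeing many such sources at once, all on port 80 and all carrying HTTP-looking payload, is the pattern an operator would expect from the middlebox reflection the article describes; an upstream provider can then rate-limit or filter unsolicited TCP data toward the victim.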