Content filtering devices abused for 65x DDoS amplification (Security News, March 2022)
Researchers have identified an alarming new trend in DDoS attacks: abusing packet inspection and content filtering devices as reflectors to reach amplification levels of 6,533%.
DDoS attacks are used to take down a server or corporate network by overwhelming network devices such as servers and routers with a large number of bogus requests or very high volumes of garbage data.
A middlebox is a network device that performs packet inspection or content filtering by monitoring, filtering, or transforming the packet streams exchanged between two internet hosts.
Middleboxes do not just handle packet headers but also packet payloads, which is why they are the building block of deep packet inspection systems.
The idea is to abuse vulnerable firewalls and content filtering policy enforcement systems in middleboxes with specially crafted TCP packet sequences that cause the devices to emit a voluminous response. A compliant TCP endpoint sends no application data until the three-way handshake has completed, but many middleboxes do not track connection state: a lone SYN whose payload looks like an HTTP request for a blocked site is enough to make them answer with a full block page. Because the attacker spoofs the source address of that SYN, the response is delivered to the victim rather than to the attacker, which is what makes the technique a reflection attack.
Akamai analysts observed an actual SYN packet with a 33-byte payload triggering a 2,156-byte response, achieving an amplification factor of 65x. "The research authors note that there are hundreds of thousands of middlebox systems vulnerable to this TCP reflection abuse around the globe. In their testing they discovered amplification rates that surpass popular and often abused UDP reflection vectors," explains Akamai's report.
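To make the numbers above concrete from the defender's side, here is an added example (not code from the Akamai report or from the cited research) that parses raw IPv4/TCP packets, flags the two shapes that characterise this attack, and computes the amplification factor. The packets, addresses, ports, the 33-byte HTTP request and the 2,156-byte block page are all constructed inline for the example; the code builds them in memory and sends nothing. It shows a caveat the headline figure hides: 65x is the payload-to-payload ratio, and counting IP and TCP headers on the wire gives a smaller number.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload_len: int
    wire_len: int  # IP total length: headers plus payload


def parse_ipv4_tcp(pkt: bytes) -> Segment:
    """Parse an IPv4 packet carrying TCP (no link-layer header)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Segment(src, dst, sport, dport, tcp[13], len(tcp) - data_off, total_len)


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Build a constructed sample packet; checksums stay zero since nothing is sent."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


def is_syn_with_payload(seg: Segment) -> bool:
    """Reflector-side indicator: a bare SYN carrying data. Normal TCP sends no
    data before the handshake completes; the one legitimate exception is
    TCP Fast Open (RFC 7413), so treat a match as strong but not absolute."""
    return bool(seg.flags & SYN) and not seg.flags & ACK and seg.payload_len > 0


def unsolicited_replies(segments):
    """Victim-side indicator: ACK-bearing segments for which no matching SYN
    was ever sent from this network. The spoofed SYN was sent by the attacker,
    so at the victim's edge the middlebox's reply has no originating SYN."""
    opened = {(s.src, s.sport, s.dst, s.dport) for s in segments
              if s.flags & SYN and not s.flags & ACK}
    return [s for s in segments
            if s.flags & ACK and (s.dst, s.dport, s.src, s.sport) not in opened]


def amplification(request: Segment, replies, headers: bool = True) -> float:
    """Bytes the victim receives per byte the attacker sent, on the wire
    (headers=True) or payload-only (headers=False, the convention behind 65x)."""
    if headers:
        return sum(r.wire_len for r in replies) / request.wire_len
    return sum(r.payload_len for r in replies) / request.payload_len


# Constructed sample: hypothetical victim and middlebox addresses (RFC 5737 ranges).
VICTIM, MIDDLEBOX, ATTACKER_PORT = "198.51.100.7", "203.0.113.9", 40000
REQUEST_PAYLOAD = b"GET / HTTP/1.1\r\nHost: ab.test\r\n\r\n"     # 33 bytes, constructed
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\n" + b"X" * 2132          # 2156 bytes, constructed

# The attacker's SYN, with the victim's address spoofed as source.
SPOOFED_SYN = build_ipv4_tcp(VICTIM, MIDDLEBOX, ATTACKER_PORT, 80, SYN, REQUEST_PAYLOAD)

# What the victim's edge sees: the middlebox's reply, plus one genuine
# connection the victim opened itself, for contrast.
VICTIM_CAPTURE = [
    build_ipv4_tcp(MIDDLEBOX, VICTIM, 80, ATTACKER_PORT, SYN | ACK),
    build_ipv4_tcp(MIDDLEBOX, VICTIM, 80, ATTACKER_PORT, PSH | ACK, BLOCK_PAGE),
    build_ipv4_tcp(VICTIM, "192.0.2.10", 50000, 443, SYN),
    build_ipv4_tcp("192.0.2.10", VICTIM, 443, 50000, SYN | ACK),
]


def analyse() -> dict:
    request = parse_ipv4_tcp(SPOOFED_SYN)
    segments = [parse_ipv4_tcp(p) for p in VICTIM_CAPTURE]
    reflected = unsolicited_replies(segments)
    return {
        "syn_with_payload": is_syn_with_payload(request),
        "reflected_segments": len(reflected),
        "payload_factor": round(amplification(request, reflected, headers=False), 1),
        "wire_factor": round(amplification(request, reflected, headers=True), 1),
    }


if __name__ == "__main__":
    print(analyse())
```

On the constructed capture only the two middlebox segments are reported as unsolicited; the victim's own HTTPS handshake is not. The payload ratio reproduces the 65x figure, while the wire ratio (two 40-byte headers on every reply, 73 bytes for the spoofed SYN) is roughly 31x. Either way the absolute size matters more than the multiplier: one 73-byte packet producing over 2 KB at the victim is what lets a modest source bandwidth fill a link.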