Hackers Begin Weaponizing TCP Middlebox Reflection for Amplified DDoS Attacks (Security News, March 2022)

Distributed denial-of-service attacks leveraging a new amplification technique called TCP Middlebox Reflection have been detected for the first time in the wild, six months after the novel attack mechanism was presented in theory.
"The attack [...] abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim machine, creating a powerful DDoS attack," Akamai researchers said in a report published Tuesday.
The development comes following an academic study published in August 2021 about a new attack vector that exploits weaknesses in the implementation of TCP protocol in middleboxes and censorship infrastructure to stage reflected denial of service amplification attacks against targets.
While DoS amplification attacks have traditionally abused UDP reflection vectors - owing to the connectionless nature of the protocol - the novel attack technique takes advantage of TCP non-compliance in middleboxes such as deep packet inspection tools to stage TCP-based reflective amplification attacks.
In one of the attacks observed by the cloud security company, a single SYN packet with a 33-byte payload triggered a 2,156-byte response, effectively achieving an amplification factor of 65x. "The main takeaway is that the new vector is starting to see real world abuse in the wild," Seaman said.
"Typically, this is a signal that more widespread abuse of a particular vector is likely to follow as knowledge and popularity grows across the DDoS landscape and more attackers begin to create tooling to leverage the new vector."
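The vector described above has a simple network-level signature that a defender can hunt for: a SYN segment that already carries data (a compliant client sends an empty SYN), followed by a reflector answering a spoofed source with far more bytes than it received. The following detection heuristic is an added example written for this page, not code from Akamai or the cited study; the packet records, addresses and lengths are constructed, and the Pkt fields and the 10x alert threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str          # source IP (assumed flow-record field)
    dst: str          # destination IP
    flags: str        # TCP flags, e.g. "S", "SA", "PA"
    total_len: int    # bytes on the wire (headers + payload)
    payload_len: int  # TCP payload bytes


def syn_with_payload(pkts):
    """SYN segments that carry data. A standards-compliant client sends an
    empty SYN, so a data-bearing SYN is the hallmark of a probe meant to be
    inspected (and answered) by a middlebox before any handshake completes."""
    return [p for p in pkts if p.flags == "S" and p.payload_len > 0]


def reflection_ratios(pkts):
    """Per (host, peer) pair: bytes host sent to peer / bytes host received
    from peer. Large values mark hosts that amplify toward a given address."""
    received = defaultdict(int)   # (host, peer) -> bytes host got from peer
    sent = defaultdict(int)       # (host, peer) -> bytes host sent to peer
    for p in pkts:
        received[(p.dst, p.src)] += p.total_len
        sent[(p.src, p.dst)] += p.total_len
    return {pair: sent[pair] / received[pair]
            for pair in sent if received.get(pair)}


def suspected_reflectors(pkts, min_ratio=10.0):
    """(reflector, target) pairs where a data-bearing SYN from 'target'
    (possibly spoofed) drew a response at least min_ratio times larger."""
    syn_pairs = {(p.dst, p.src) for p in syn_with_payload(pkts)}
    return sorted(pair for pair, ratio in reflection_ratios(pkts).items()
                  if pair in syn_pairs and ratio >= min_ratio)


# Constructed sample: one ordinary handshake plus one reflected probe in
# which a 33-byte-payload SYN elicits ~2.2 KB of block-page style responses.
SAMPLE = [
    Pkt("192.0.2.10", "198.51.100.7", "S", 60, 0),
    Pkt("198.51.100.7", "192.0.2.10", "SA", 60, 0),
    Pkt("192.0.2.10", "198.51.100.7", "PA", 120, 80),
    Pkt("198.51.100.7", "192.0.2.10", "PA", 1500, 1460),
    Pkt("203.0.113.5", "198.51.100.7", "S", 73, 33),      # spoofed victim
    Pkt("198.51.100.7", "203.0.113.5", "PA", 1500, 1460),
    Pkt("198.51.100.7", "203.0.113.5", "PA", 736, 696),
]

if __name__ == "__main__":
    print(suspected_reflectors(SAMPLE))
```

Run against real flow records, the ratio check alone also catches ordinary large downloads, which is why the SYN-with-payload condition is required before a pair is reported.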
News URL: https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html