Cybercriminals are amplifying DoS attacks 65-fold by exploiting firewalls, NAT devices and other middleboxes

According to a recent report by Akamai, hacking groups specializing in distributed denial of service (DDoS) attacks have begun abusing network middleboxes to reflect and amplify their malicious campaigns.

A few months ago, a group of researchers published a report on abusing misconfigured middleboxes and censorship systems to reflect DoS attacks, demonstrating that this infrastructure can be abused to achieve DoS amplification rates of up to 700,000:1. The experts also demonstrated that firewalls and intrusion prevention systems employed by state actors can be used as weapons or amplifiers of DoS attacks.

These attacks depend on the ability of middleboxes to respond to requests with very large blocking pages, even when no valid TCP connection has been established through a completed handshake.

In their report, Akamai experts explain that a threat actor can craft sequences of TCP packets and send them to middleboxes. If the HTTP request headers in these streams contain the domain name of a blocked site, the middlebox responds with HTTP headers or full HTML pages.

As part of a DoS attack, hackers spoof the source IP address of their packets to that of the intended victim, causing middleboxes to direct their responses to that IP: “These responses provide attackers with an opportunity for reflection, and in some cases can become an attack scaling factor,” the report states.

While this is a modest amplification factor compared to other attack vectors, techniques based on TCP Middlebox Reflection abuse could become a growing trend, as similar attacks against banking networks, gaming systems, travel, and web hosting have been confirmed.

There are currently hundreds of thousands of middlebox systems around the world potentially vulnerable to these attacks, so threat actors don’t need access to a large number of compromised systems to launch powerful DoS attacks. The good news is that mitigation options are relatively easy to implement.

According to Akamai, because SYN packets are normally used to initiate the TCP handshake and not to carry data, any SYN packet with a payload longer than 0 bytes is suspicious and can be used to trigger defenses.
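The detection rule above (a SYN segment carrying application data) is simple enough to implement directly. The following Python is an added example, not code from Akamai or IICS: it parses raw IPv4/TCP packets with the standard library, computes the TCP payload length from the IP total length and the two header lengths, and flags SYN segments whose payload is non-empty. The sample packets, addresses (from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the blocked hostname are constructed for the example, and the checksums are left as zero because the parser does not validate them.

```python
import socket
import struct
from typing import List, NamedTuple, Optional

TCP_PROTO = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


class TcpSummary(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload_len: int


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSummary]:
    """Parse an IPv4 header followed by a TCP header.

    Returns None for non-IPv4, non-TCP or truncated frames. The payload
    length is derived from the IP total length minus both header lengths,
    which is what a SYN-with-data detector needs.
    """
    if len(frame) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != TCP_PROTO:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 20 or total_len > len(frame):
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4          # TCP data offset in bytes
    flags = off_flags & 0x01FF            # low 9 bits: NS,CWR,ECE,URG,ACK,PSH,RST,SYN,FIN
    if doff < 20:
        return None
    payload_len = total_len - ihl - doff
    if payload_len < 0:
        return None
    return TcpSummary(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      sport, dport, flags, payload_len)


def is_suspicious_syn(pkt: TcpSummary) -> bool:
    """A handshake-initiating SYN (SYN set, ACK clear) should carry no data.

    Caveat: TCP Fast Open (RFC 7413) legitimately places data in a SYN, so a
    deployment that allows TFO must exempt those flows before acting on hits.
    """
    initiating_syn = bool(pkt.flags & TCP_SYN) and not (pkt.flags & TCP_ACK)
    return initiating_syn and pkt.payload_len > 0


def scan_frames(frames: List[bytes]) -> List[TcpSummary]:
    """Return the summaries of every frame that matches the SYN-with-payload rule."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is not None and is_suspicious_syn(pkt):
            hits.append(pkt)
    return hits


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP frame for testing (checksums left as zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample traffic: a normal SYN, a SYN smuggling an HTTP request
    # for a blocked hostname, and an established-flow ACK carrying data.
    blocked_request = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
    frames = [
        build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_SYN),
        build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40001, 80, TCP_SYN, blocked_request),
        build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40002, 80, TCP_ACK, b"data"),
    ]
    for hit in scan_frames(frames):
        print(f"SYN with {hit.payload_len}-byte payload from {hit.src}:{hit.sport} "
              f"to {hit.dst}:{hit.dport}")
```

On a middlebox or edge firewall the same rule is what a packet filter would enforce: drop or rate-limit initiating SYNs whose payload length is non-zero, with an allow-list for hosts known to use TCP Fast Open.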

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.