Hackers Find a New Way to Deliver Devastating DDoS Attacks

Kevin Bock, the lead researcher behind last August’s paper, said DDoS attackers had plenty of incentives to reproduce the attacks his team had theorized.

“Unfortunately, we weren’t surprised,” he told me, upon learning of the active attacks. “We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective. Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”

One of the middleboxes received a SYN packet with a 33-byte payload and responded with a 2,156-byte reply. That translated to a factor of 65x, but the amplification has the potential to be much greater with more work.

Akamai researchers wrote:

Volumetric TCP attacks previously required an attacker to have access to a lot of machines and a lot of bandwidth, normally an arena reserved for very beefy machines with high-bandwidth connections and source spoofing capabilities or botnets. This is because until now there wasn’t a significant amplification attack for the TCP protocol; a small amount of amplification was possible, but it was considered almost negligible, or at the very least subpar and ineffectual when compared with the UDP alternatives.

If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets. With the arrival of middlebox amplification, this long-held understanding of TCP attacks is no longer true. Now an attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.

Infinite Packet Storms and Complete Resource Exhaustion

Another middlebox Akamai encountered responded, for unknown reasons, to SYN packets with multiple SYN packets of its own. Servers that follow TCP specifications should never respond this way. The SYN packet responses were loaded with data. Even worse, the middlebox completely disregarded RST packets sent from the victim, which are supposed to terminate a connection.

Also concerning is the finding from Bock’s research team that some middleboxes will respond when they receive any additional packet, including the RST.

“This creates an infinite packet storm,” the academic researchers wrote in August. “The attacker elicits a single block page to a victim, which causes a RST from the victim, which causes a new block page from the amplifier, which causes a RST from the victim, etc. The victim-sustained case is especially dangerous for two reasons. First, the victim’s default behavior sustains the attack on itself. Second, this attack causes the victim to flood its own uplink while flooding the downlink.”

Akamai also provided a demonstration showing the damage that occurs when an attacker targets a specific port running a TCP-based service.

“These SYN packets directed at a TCP application/service will cause that application to attempt to respond with multiple SYN+ACK packets and hold the TCP sessions open, awaiting the remainder of the three-way handshake,” Akamai explained. “As each TCP session is held in this half-open state, the system will consume sockets that will in turn consume resources, potentially to the point of complete resource exhaustion.”

Unfortunately, there’s nothing typical end users can do to block the DDoS amplification being exploited. Instead, middlebox operators must reconfigure their machines, which is unlikely in many cases. Barring that, network defenders must change the way they filter and respond to packets. Both Akamai and the academic researchers provide much more detailed instructions.
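As an added illustration (not code from Akamai, the academic researchers, or the original article), the sketch below shows one way a network defender could flag the two patterns described above in packet summaries: inbound SYN segments that carry data, and peers that keep sending data after being reset. The record format, the `analyze` function, the loop threshold, and the sample capture are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10  # TCP flag bits

@dataclass
class Pkt:
    ts: float
    direction: str    # "in" = toward the protected host, "out" = from it
    peer: str         # remote IP address
    flags: int
    payload_len: int

def analyze(packets, loop_threshold=3):
    """Map each suspicious peer to the reflection patterns it exhibits."""
    syn_data = defaultdict(int)   # bare SYNs that carried a payload
    loops = defaultdict(int)      # data that arrived after we sent a RST
    awaiting = set()              # peers we reset and expect silence from
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out":
            if p.flags & RST:
                awaiting.add(p.peer)
            continue
        # TCP Fast Open can legitimately put data on a SYN; allowlist if used.
        if (p.flags & SYN) and not (p.flags & ACK) and p.payload_len > 0:
            syn_data[p.peer] += 1
        if p.peer in awaiting and p.payload_len > 0:
            loops[p.peer] += 1        # one RST -> data cycle completed
            awaiting.discard(p.peer)
    findings = {}
    for peer in sorted(set(syn_data) | set(loops)):
        reasons = []
        if syn_data[peer]:
            reasons.append("syn-with-payload")
        if loops[peer] >= loop_threshold:
            reasons.append("rst-sustained-loop")
        if reasons:
            findings[peer] = reasons
    return findings

def sample_capture():
    """Constructed packet summaries (documentation-range addresses)."""
    pkts = [Pkt(0.0, "in", "198.51.100.7", SYN, 2156),   # data-laden SYN
            Pkt(0.1, "in", "192.0.2.10", SYN, 0),        # ordinary client
            Pkt(0.2, "out", "192.0.2.10", SYN | ACK, 0),
            Pkt(0.3, "in", "192.0.2.10", ACK, 0),
            Pkt(0.4, "in", "192.0.2.10", PSH | ACK, 200)]
    for i in range(4):                                   # block page / RST loop
        pkts.append(Pkt(1.0 + i, "in", "203.0.113.9", PSH | ACK, 1400))
        pkts.append(Pkt(1.5 + i, "out", "203.0.113.9", RST, 0))
    return pkts

if __name__ == "__main__":
    print(analyze(sample_capture()))
```

The loop threshold exists because a single data segment arriving after a RST can simply be a packet that was already in flight; repeated RST-then-data cycles from the same peer are what match the victim-sustained behavior the researchers describe.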

This story originally appeared on Ars Technica.

