Researchers Describe New DoS Attack MethodMiddleboxes Can Be Weaponized for 'Infinite Amplification'
Scientists from the University of Maryland and the University of Colorado Boulder say they have discovered a new way that attackers could launch reflected denial-of-service amplification attacks over TCP by abusing middleboxes and censorship infrastructure.
A reflective amplification attack allows attackers to magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic. This type of DoS attack overwhelms the target, causing disruption or outage of systems and services.
The researchers say they discovered the existence of infinite amplification and found that both company and government network infrastructures can be used as weapons in ways that were not known before. But no such attack has been discovered in the wild, the researchers add.
Key Research Findings
Reflective amplification attacks can be carried out via the TCP protocol, previously thought to be unusable for such operations, according to the research paper. TCP-based amplification, it adds, can be more effective than TCP's connectionless alternative, UDP-based amplification.
Most reflective amplification attacks today are UDP-based, the researchers say. They describe the first reflected amplification attack over TCP that goes beyond sending SYN packets and the first HTTP-based reflected amplification attack.
"We are taking advantage of the implementation of the TCP protocol by middleboxes, unlike most prior attacks which take advantage of a protocol specification itself," the researchers say in their report about the technique they discovered. "We found multiple types of middlebox misconfiguration in the wild that can lead to technically infinite amplification for the attacker: by sending a single packet, the attacker can initiate an endless stream of packets to the victim."
The researchers also say they discovered that censorship infrastructure poses a greater threat to the broader internet than previously understood. "Even benign deployments of firewalls and intrusion prevention systems in non-censoring nation-states can be weaponized using the techniques we discovered," they say.
The research team uncovered the amplification attacks using Genetic Evasion, or Geneva, an artificial intelligence tool they created.
Kevin Bock, one of the paper's authors, explains the research in a video.
An important component in attack technique, according to another of the paper's authors, Dave Levin, is the ability to amplify traffic by sending small requests to a server, which responds with a large reply to the victim.
“Some of the largest, most threatening amplification factors in the past have been in the order of 500 times, with one recent amplification attack in the 10,000-times range,” Levin says. They have now discovered amplification attacks that offer "100,000-plus, 1 million-plus, and even technically infinite amplification,” he adds.
The researchers say that these types of newly discovered DoS attack methods could be powered by the large-scale censorship infrastructure of nation-states such as China, India and Kazakhstan.
“What this paper shows is that nation-state censors pose an even greater threat to the internet as a whole. Attackers can use the censorship infrastructure - usually many firewalls deployed at their borders - to launch DoS attacks on anyone on the internet,” Levin says.
Levin tells Information Security Media Group, that the findings show there are now more - and more effective - ways that attackers can launch DoS attacks.
"It has long been known that certain types of servers, especially NTP and DNS, could be used by attackers to launch amplification attacks," he says. "Our work shows that other network devices - middleboxes, such as firewalls and potentially other intrusion detection systems - can be used as amplifiers as well. What this potentially means for companies and governments is that they might find their own network traffic being consumed to attack other victims."
One of the biggest surprise findings for Levin was the existence of infinite amplification and the reasons behind it. "We expected that censoring nation-states would offer the largest amplification, but we found that, in fact, they came from otherwise benign networks. This was surprising, but also provides hope that they might be able to be reasoned with to mitigate the effects of this attack," he says.
While theoretically infinite, for now, the true deliverable capacity available to attackers from this type of attack is unknown, the researchers say, because "to measure the maximum capacity of a given amplifier, we would have to completely saturate the link for each network, which could have real negative consequences on the users of that network."
Defending against the kinds of attacks the researchers describe is difficult, they say.
"Since middleboxes are spoofing the IP address of the traffic they generate, the attacker can set the source IP address of the reflected traffic to be any IP address behind the middlebox," they say.
"For some networks, this is a small number of IP addresses, but if an attacker uses nation-state censorship infrastructure, the attacker can make the attack traffic come from any IP address within that country. This makes it difficult for a victim to drop traffic from offending IP addresses during an attack," they add.
They note that the key vulnerability that enables this type of attack is censoring middleboxes or firewalls, which are computer networking devices that route internet traffic and enforce policies on what traffic is allowed.
To defend against an influx of traffic, organizations can monitor for the kinds of packets that could be used in such attacks, Levin says. A list of packet signatures is included in the paper.
To help mitigate attacks on others’ networks, organizations can test the attack against their own middleboxes or firewalls to see if they amplify, he says. If they do, the organizations can reconfigure their middleboxes to send less traffic, he adds.
"For instance, instead of sending a large block-page, they could send a small HTTP redirect. Also, they can test their networks for routing loops, which was one of the reasons for the 'infinite' amplification we found in our paper," he says.
Protecting the internet from these types of cyberthreats will require a concerted effort from middlebox manufacturers and operators, the researchers conclude. Middlebox and firewall manufacturers should check to see if their devices have bugs that exacerbate the amplification for attacks, Levin says.
Nation-states should update their censorship infrastructure to reduce risk, but because this potentially weakens censorship, such a move is unlikely, the researchers add.
The researchers say they have shared their findings with several country-level Computer Emergency Readiness Teams, or CERTs, DDoS mitigation services and firewall manufacturers.