Tuesday, July 16, 2024

Hackers Weaponize Firewalls & Middleboxes for Reflected DDoS Attacks

Security researchers from the University of Maryland and the University of Colorado Boulder have published a paper describing a flaw in how certain middleboxes handle TCP traffic.

A middlebox is a network device that inspects, modifies, filters or otherwise manages traffic for purposes other than plain packet forwarding.

Firewalls, Network Address Translators (NAT) and Deep Packet Inspection (DPI) systems are all examples of such devices.

In the attack, an adversary trying to amplify a distributed denial of service (DDoS) attack sends a crafted sequence of non-standard TCP packets to the middlebox. The sequence convinces the middlebox that a TCP handshake has completed and that a connection is underway, even though no handshake ever took place.

Weaponizing Middleboxes

Until now, virtually all DoS amplification attacks have been UDP-based, because TCP's three-way handshake normally defeats source-address spoofing. Every TCP connection begins with the client sending a SYN packet.

The three-way handshake is what protects TCP services from being turned into amplifiers: if an attacker sends a SYN with a spoofed source address, the SYN+ACK is delivered to the victim, not to the attacker, so the attacker never learns the sequence number it carries and cannot complete the handshake or elicit any application-layer response.

TCP-based Reflective Amplified DDoS Attack Vector discovered 

The researchers found the flaw in middleboxes, equipment typically deployed in large organizations to inspect network traffic.

When a client requests a prohibited website, the middlebox replies with a "block page", which is usually far larger than the packet that triggered it. Because the affected middleboxes do not verify that a handshake actually completed before acting on a request, an attacker can trigger that block page with a spoofed source address and have it delivered to the victim.
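To make concrete why the three-way handshake normally stops TCP services from acting as amplifiers, and how a middlebox that serves block pages without verifying the handshake breaks that guarantee, here is an added Python model. It is not code from the paper or from any vendor: the addresses, the block page, the blocklist, the fixed server sequence number and the two-packet spoofed sequence are all constructed for this illustration (the paper catalogues the packet sequences that trigger real middleboxes; none are reproduced here). The last function captures the link-capacity caveat from the damage discussion further down.

```python
"""Why a stateful TCP endpoint is a poor amplifier, and why a middlebox that
inspects payloads without a verified handshake is a good one.

Added illustration; hosts, block page and packet sequence are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER = "198.51.100.7"   # the attacker's real address
VICTIM = "203.0.113.9"      # address the attacker spoofs; receives the reflection
SERVER = "192.0.2.80"       # web server reached through the middlebox

HDR_LEN = 40                # IPv4 (20) + TCP (20) header bytes, no options


@dataclass
class Packet:
    src: str
    dst: str
    flags: str              # "SYN", "SYN+ACK", "ACK", "PSH+ACK"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

    def size(self) -> int:
        return HDR_LEN + len(self.payload)


# A constructed block page of the kind a filtering middlebox injects.
BLOCK_BODY = (b"<html><head><title>Access Denied</title></head><body>"
              b"<h1>Access Denied</h1><p>The site you requested is blocked "
              b"by policy. Contact your network administrator.</p>"
              b"</body></html>")
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
              b"Content-Length: " + str(len(BLOCK_BODY)).encode() +
              b"\r\nConnection: close\r\n\r\n" + BLOCK_BODY)
BLOCKED_HOSTS = {b"forbidden.example"}   # constructed blocklist


def requested_host(payload: bytes) -> Optional[bytes]:
    """Host header of an HTTP GET, or None if the payload is not a GET."""
    if not payload.startswith(b"GET "):
        return None
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip()
    return None


class StatefulMiddlebox:
    """Inspects a payload only after it has observed the full handshake."""

    def __init__(self, isn: int = 1_000_000):
        self.isn = isn                 # server's initial sequence number (fixed, for determinism)
        self.expect_ack: dict = {}     # src -> ACK number that completes the handshake
        self.established: set = set()

    def may_inspect(self, pkt: Packet) -> bool:
        return pkt.src in self.established

    def receive(self, pkt: Packet) -> list:
        if pkt.flags == "SYN":
            # The SYN+ACK is addressed to the claimed source, whoever that is.
            self.expect_ack[pkt.src] = self.isn + 1
            return [Packet(SERVER, pkt.src, "SYN+ACK", seq=self.isn, ack=pkt.seq + 1)]
        if "ACK" in pkt.flags and self.expect_ack.get(pkt.src) == pkt.ack:
            self.established.add(pkt.src)          # only reachable with the real ISN
        if pkt.payload and self.may_inspect(pkt):
            if requested_host(pkt.payload) in BLOCKED_HOSTS:
                return [Packet(SERVER, pkt.src, "PSH+ACK", payload=BLOCK_PAGE)]
        return []


class LenientMiddlebox(StatefulMiddlebox):
    """The flaw: acts on any payload whether or not a handshake completed."""

    def may_inspect(self, pkt: Packet) -> bool:
        return True


def spoofed_sequence() -> list:
    """SYN then a request, both carrying the victim's address. The ACK number
    is a guess: the real SYN+ACK went to the victim, not to the attacker."""
    req = b"GET / HTTP/1.1\r\nHost: forbidden.example\r\n\r\n"
    return [Packet(VICTIM, SERVER, "SYN", seq=1),
            Packet(VICTIM, SERVER, "PSH+ACK", seq=2, ack=0, payload=req)]


def run(middlebox, packets: list) -> dict:
    """Bytes the attacker spends versus bytes that land on the victim."""
    sent = sum(p.size() for p in packets)
    to_victim = to_attacker = 0
    for p in packets:
        for reply in middlebox.receive(p):
            if reply.dst == VICTIM:
                to_victim += reply.size()
            elif reply.dst == ATTACKER:
                to_attacker += reply.size()
    return {"attacker_sent": sent, "victim_received": to_victim,
            "attacker_received": to_attacker, "amplification": to_victim / sent}


def capped_flood_bps(attack_bps: float, amplification: float, link_bps: float) -> float:
    """A reflector never contributes more than its own link carries."""
    return min(attack_bps * amplification, link_bps)


if __name__ == "__main__":
    for box in (StatefulMiddlebox(), LenientMiddlebox()):
        print(type(box).__name__, run(box, spoofed_sequence()))
    print(capped_flood_bps(1e6, float("inf"), 64_000))  # infinite factor, 64 kbps link
```

Run it directly to see both middleboxes handle the same two spoofed packets. The stateful box only ever returns the SYN+ACK to the spoofed source, so the victim receives fewer bytes than the attacker sent and the factor stays below one; the lenient box additionally returns the block page, and the ratio of block-page bytes to request bytes is the amplification factor. The final line shows the link-capacity cap: a reflector on a 64 kbps link contributes at most 64 kbps regardless of its factor.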

Tool to test networks made available 

The underlying weakness has existed for a long time; the researchers spent an extended period working out the full details of the attack before disclosing it.

As part of the disclosure process, the research team also contacted numerous national Computer Emergency Readiness Teams (CERTs).

The disclosure included CERTs in the following countries:

  • China
  • Egypt
  • India
  • Iran
  • Oman
  • Qatar
  • Russia
  • Saudi Arabia
  • South Korea
  • The United Arab Emirates
  • The United States

The team also notified middlebox vendors and DDoS mitigation providers, including Check Point, Cisco, F5, Fortinet, Juniper, Netscout, Palo Alto, SonicWall and Sucuri.

Responsible Disclosure

An advance copy of the paper was shared in September 2020 with several national CERTs, DDoS mitigation services and firewall manufacturers.

The researchers have since held meetings to discuss mitigations and remain in ongoing communication with DDoS mitigation services.

Attack Damage and Defenses

A natural question is how much damage this attack can do. The amplification factor alone does not answer it: an attacker may obtain an effectively infinite amplification factor from a given middlebox, but if that middlebox saturates its link at only 64 kbps, the damage it can contribute is bounded by that link.

Defending against the attack is difficult because the flood arrives over TCP port 80 and the payloads are normally well-formed HTTP responses, indistinguishable at a glance from legitimate web traffic.

Some of these systems operate under heavy traffic loads, and some are misconfigured with routing loops that carry the same malformed TCP packet past the same middlebox many times, so that a single attacker packet elicits many responses, effectively enabling looping DDoS attacks.
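The defensive problem described above is that the flood consists of well-formed HTTP responses on port 80, so filtering on port or payload alone also drops legitimate web traffic. What does distinguish a reflected response is that the victim never opened the connection it claims to belong to. The following Python detector, added here and not taken from the paper or from any product, tracks the SYNs a host sends, flags inbound segments that belong to no connection it initiated, and proposes filters scoped to the reflector and port pair rather than to all of port 80. The log format, addresses and every record are constructed for the example; the rule strings are generic pseudo-ACL text, not the syntax of any particular firewall.

```python
"""Victim-side detection of TCP reflected amplification.

Added example, not code from the paper or from any vendor. The log format,
addresses and every record below are constructed; a real deployment would
read the same fields from a flow or packet source."""
from collections import defaultdict

VICTIM = "203.0.113.9"   # constructed: the host being flooded

# Constructed records: ts dir src sport dst dport flags bytes payload_head
SAMPLE_LOG = """\
1.000 out 203.0.113.9 51000 192.0.2.10 80 SYN 60 -
1.020 in 192.0.2.10 80 203.0.113.9 51000 SYN+ACK 60 -
1.021 out 203.0.113.9 51000 192.0.2.10 80 ACK 52 -
1.022 out 203.0.113.9 51000 192.0.2.10 80 PSH+ACK 140 GET / HTTP/1.1
1.050 in 192.0.2.10 80 203.0.113.9 51000 PSH+ACK 1400 HTTP/1.1 200 OK
2.000 in 198.51.100.20 80 203.0.113.9 443 PSH+ACK 1500 HTTP/1.1 403 Forbidden
2.001 in 198.51.100.20 80 203.0.113.9 443 PSH+ACK 1500 HTTP/1.1 403 Forbidden
2.002 in 198.51.100.21 80 203.0.113.9 443 PSH+ACK 980 HTTP/1.1 200 OK
2.003 in 198.51.100.21 80 203.0.113.9 443 PSH+ACK 980 HTTP/1.1 200 OK
2.004 in 198.51.100.21 80 203.0.113.9 443 PSH+ACK 980 HTTP/1.1 200 OK
2.010 in 198.51.100.20 80 203.0.113.9 443 SYN+ACK 60 -
"""


def parse_record(line: str) -> dict:
    ts, direction, src, sport, dst, dport, flags, nbytes, head = line.split(" ", 8)
    return {"ts": float(ts), "dir": direction, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags,
            "bytes": int(nbytes), "head": head}


def find_reflectors(log: str, min_bytes: int = 1000) -> dict:
    """Group inbound segments that belong to no connection the victim opened.

    A legitimate response is preceded by the victim's own SYN to that
    (server, port) pair from that local port; a reflected one is not."""
    initiated = set()    # (remote_ip, remote_port, local_port) the victim sent a SYN to
    suspects = defaultdict(lambda: {"segments": 0, "bytes": 0,
                                    "responses": set(), "ports": set()})
    for line in log.splitlines():
        rec = parse_record(line)
        if rec["dir"] == "out" and rec["flags"] == "SYN":
            initiated.add((rec["dst"], rec["dport"], rec["sport"]))
            continue
        if rec["dir"] != "in" or (rec["src"], rec["sport"], rec["dport"]) in initiated:
            continue     # outbound data, or a reply to a connection we really opened
        entry = suspects[rec["src"]]
        entry["segments"] += 1
        entry["bytes"] += rec["bytes"]
        entry["ports"].add((rec["sport"], rec["dport"]))
        # Block pages arrive as HTTP responses; SYN+ACKs are handshake backscatter.
        entry["responses"].add(rec["head"] if rec["head"].startswith("HTTP/") else rec["flags"])
    return {ip: e for ip, e in suspects.items() if e["bytes"] >= min_bytes}


def mitigation_rules(reflectors: dict) -> list:
    """Filters scoped to the reflector, its source port and the flooded local
    port, so legitimate port-80 traffic from everywhere else is untouched.
    Generic pseudo-ACL text, not any vendor's syntax."""
    rules = []
    for ip in sorted(reflectors):
        for sport, dport in sorted(reflectors[ip]["ports"]):
            rules.append(f"drop tcp src {ip} sport {sport} dst {VICTIM} dport {dport}")
    return rules


if __name__ == "__main__":
    found = find_reflectors(SAMPLE_LOG)
    for ip, e in found.items():
        print(ip, e["segments"], "segments", e["bytes"], "bytes", sorted(e["responses"]))
    print("\n".join(mitigation_rules(found)))
```

On the constructed log the legitimate exchange with 192.0.2.10 is never flagged, while both reflectors are, including the unsolicited SYN+ACK that the spoofed SYN provoked. Two caveats matter in practice: the detector must see the victim's own outbound SYNs (asymmetric routing, or starting the capture mid-connection, produces false positives until state warms up), and the same reflector delivering identical block pages over and over, as in the looping case described above, shows up as one entry with a single repeated response line and a rapidly growing byte count.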

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
