Friday, March 29, 2024

Hackers Weaponize Firewalls & Middleboxes for Reflected DDoS Attacks

Cybersecurity researchers from the University of Maryland and the University of Colorado Boulder have recently published details of a flaw they found in a number of middlebox models.

A middlebox is a computer network device that examines, filters, modifies, or otherwise manages traffic for a purpose other than plain packet forwarding.

The researchers also note that implementations of such devices include firewalls, Network Address Translators (NAT), and Deep Packet Inspection (DPI) systems.

In this attack, a threat actor seeking to amplify a distributed denial of service (DDoS) sends a sequence of non-standard packets to the middlebox; these packets lead the middlebox to believe that the TCP handshake has completed and that a connection has begun.

Weaponizing Middleboxes

Today's DoS amplification attacks are UDP-based, because TCP requires a 3-way handshake that generally hinders spoofing attacks. Every TCP connection begins with the client transmitting a SYN packet.

The 3-way handshake protects TCP applications from being used as amplifiers: if an attacker sends a SYN packet with a spoofed source IP address, the SYN+ACK goes to the victim, and the attacker never obtains the critical information contained in that SYN+ACK.

TCP-based Reflective Amplified DDoS Attack Vector Discovered

The researchers found the flaw in middleboxes, equipment that is typically installed inside large organizations to inspect network traffic.

According to them, if a client tries to access a prohibited website, the middlebox replies with a "block page," which is typically far larger than the packet that triggered it.

Tool to test networks made available

The flaw has been exploitable for a long time, and the analysts worked hard to uncover the full details of the attack.

According to The Record, the team also reached out to numerous country-level Computer Emergency Readiness Teams (CERT) to coordinate disclosure of their findings.

The disclosure included CERT teams in the following countries:

  • China
  • Egypt
  • India
  • Iran
  • Oman
  • Qatar
  • Russia
  • Saudi Arabia
  • South Korea
  • The United Arab Emirates
  • The United States

The team also said it had contacted various middlebox vendors and businesses, including Check Point, Cisco, F5, Fortinet, Juniper, Netscout, Palo Alto, SonicWall, and Sucuri.

Responsible Disclosure

An advance copy of the paper was shared in September 2020 with several country-level CERTs, DDoS mitigation services, and firewall manufacturers.

The team has since held meetings to discuss mitigation and remains in ongoing communication with DDoS mitigation services.

Attack Damage and Defenses

A natural question is how much damage such an attack can cause. Technically, even if a threat actor achieves an infinite amplification factor, when the reflector's link saturates at only 64 kbps the amount of damage that can be inflicted is limited.

Defending against this kind of attack is difficult, because the incoming flood arrives over TCP port 80 and the payloads are normally well-formed HTTP responses.

These systems operate under heavy traffic loads and are sometimes misconfigured with routing loops that pass the same malformed TCP packet through the same middlebox many times, effectively enabling looping DDoS attacks.
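As an added illustration (not code from the researchers or from this article), the following Python sketch applies the defensive point above: because reflected block pages are syntactically valid HTTP, a monitor has to key on missing handshake state rather than on payload shape. The packet records, addresses and the 40-byte trigger size are constructed.

```python
from collections import defaultdict

# Constructed packet records, not real captures:
# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags, payload)
# direction "out" = leaving our network, "in" = entering it.
PACKETS = [
    # Legitimate client connection: SYN, SYN+ACK, ACK, GET, response.
    ("out", "10.0.0.5", 40001, "203.0.113.10", 80, "S",  b""),
    ("in",  "203.0.113.10", 80, "10.0.0.5", 40001, "SA", b""),
    ("out", "10.0.0.5", 40001, "203.0.113.10", 80, "A",  b""),
    ("out", "10.0.0.5", 40001, "203.0.113.10", 80, "PA", b"GET / HTTP/1.1\r\n"),
    ("in",  "203.0.113.10", 80, "10.0.0.5", 40001, "PA", b"HTTP/1.1 200 OK\r\n" + b"x" * 1400),
    # Reflected block pages: 10.0.0.9 never sent a SYN to these middleboxes,
    # yet receives well-formed HTTP responses from TCP/80.
    ("in",  "198.51.100.7", 80, "10.0.0.9", 51000, "PA", b"HTTP/1.1 403 Forbidden\r\n" + b"x" * 1400),
    ("in",  "198.51.100.7", 80, "10.0.0.9", 51000, "PA", b"x" * 1460),
    ("in",  "198.51.100.8", 80, "10.0.0.9", 51000, "PA", b"HTTP/1.1 200 OK\r\n" + b"x" * 900),
]

def is_http_response(payload):
    """Block pages are valid HTTP, so content inspection alone cannot
    separate them from wanted traffic."""
    return payload.startswith(b"HTTP/1.")

def find_reflected_flows(packets, port=80):
    """Return {(reflector_ip, victim_ip): total_bytes} for inbound data
    segments from TCP `port` whose 4-tuple never saw an outbound SYN from
    our side. Absent handshake state, not payload shape, is the signal."""
    solicited = set()
    reflected = defaultdict(int)
    for direction, src, sport, dst, dport, flags, payload in packets:
        if direction == "out" and "S" in flags and "A" not in flags:
            # Store the tuple as the peer will present it when answering.
            solicited.add((dst, dport, src, sport))
        elif direction == "in" and sport == port and payload:
            if (src, sport, dst, dport) not in solicited:
                reflected[(src, dst)] += len(payload)
    return dict(reflected)

def amplification_factor(reflected_bytes, trigger_bytes):
    """Bytes delivered to the victim per byte the attacker had to send;
    trigger_bytes is the size of the forged segment that elicited them."""
    return reflected_bytes / trigger_bytes

if __name__ == "__main__":
    for (reflector, victim), nbytes in find_reflected_flows(PACKETS).items():
        print(f"{reflector} -> {victim}: {nbytes} unsolicited bytes from TCP/80, "
              f"factor {amplification_factor(nbytes, 40):.1f}x vs a 40-byte trigger")
```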

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
