Hackers Weaponize Firewalls & Middleboxes for Reflected DDoS Attacks

Cybersecurity specialists from the University of Maryland and the University of Colorado Boulder have recently published the verdict of a flaw that they have found in the form of some middlebox models. 

They claimed that it is a term relating to computer network devices that modify, examine, filter, and manage traffic with a motive other than packet forwarding.

Not only this the experts have also noted that some of the implementations of these similar devices comprise the use of firewalls, Network Address Translators (NAT), and Deep Packet Inspection (DPI) systems.

However, in this attack, the threat actors attempting to expand a denial of service (DDoS), as this attack could send a sequence of non-standard packet streams to the middlebox, and generally it makes the users believe that the TCP handshake has finished and would enable the connection to commence.

Weaponizing Middleboxes

Nowadays, every DoS amplifications are UDP-based, and the reason for that is because TCP needs a 3-way handshake that generally hinders spoofing attacks. In general, every TCP connection originates with the client just by transmitting an SYN packet.

After investigating the whole matter, the 3-way handshake generally defends the TCP applications from being amplifiers, the reason is that because if an attacker sends an SYN packet with a root source IP address, then the SYN+ACK will generally go to the victim, and the threat actors never acquire the critical information that is present in the SYN+ACK.

TCP-based Reflective Amplified DDoS Attack Vector discovered

Moreover, the security researchers have detected the flaw in the form of middleboxes, its equipment that is generally installed inside large organizations for checking the network traffic.

And according to them, if the threat actors tried to access a prohibited website, then the middlebox would reply with a “block page,” which would typically be more extensive as compared to the initial packet.

Tool to test networks made available

This flaw has been attacking for a long time, however, the analysts were trying so hard to know all the details about this attack. 

Apart from this, the Record reached numerous country-level Computer Emergency Readiness Teams (CERT) so that they can improve the disclosure of their all verdicts.

While all the disclosure includes CERT teams in the following countries:-

• China
• Egypt
• India
• Iran
• Oman
• Qatar
• Russia
• Saudi Arabia
• South Korea
• The United Arab Emirates
• The United States

Not only this but the security team also affirmed that they have reached out to various middlebox vendors and businesses, that involve Check Point, Cisco, F5, Fortinet, Juniper, Netscout, Palo Alto, SonicWall, and Sucuri.

Responsible Disclosure

Initially, an advanced copy in September 2020 was already shared, and the paper has several country-level CERTs, DDoS mitigation services, and firewall manufacturers.

However, the authorities have placed some meetings where they will discuss the mitigation, and not only this but they have been in ongoing communication with DDoS mitigation services.

Attack Damage and Defenses

In this kind of attack, generally, people ask that how much damage this attack can create. Well technically we can say that in case the threat actor can obtain the infinite amplification factor, but at only 64 kbps before the link is totally soaked, the amount of damage a threat actor can create is limited.

Defending this kind of attack is quite difficult, as the incoming flood of traffic comes over TCP port 80 and the acknowledgments are normally well-formed HTTP responses.

These systems operate under oppressive traffic loads and are sometimes misconfigured with traffic circuits that convey the same malformed TCP packet many times by the same middlebox, efficiently allowing looping DDoS attacks.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.