Kevin Bock, the lead researcher behind last August’s paper, said DDoS attackers had plenty of incentives to reproduce the attacks his team had theorized.
“Unfortunately, we weren’t surprised,” he told me, upon learning of the active attacks. “We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective. Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”
One of the middleboxes received a SYN packet with a 33-byte payload and responded with a 2,156-byte reply. That translated to a factor of 65x, but the amplification has the potential to be much greater with more work.
Akamai researchers wrote:
Volumetric TCP attacks previously required an attacker to have access to a lot of machines and a lot of bandwidth, normally an arena reserved for very beefy machines with high-bandwidth connections and source spoofing capabilities or botnets. This is because until now there wasn’t a significant amplification attack for the TCP protocol; a small amount of amplification was possible, but it was considered almost negligible, or at the very least subpar and ineffectual when compared with the UDP alternatives.
If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets. With the arrival of middlebox amplification, this long-held understanding of TCP attacks is no longer true. Now an attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.
Infinite Packet Storms and Complete Resource Exhaustion
Another middlebox Akamai encountered, for unknown reasons responded to SYN packets with multiple SYN packets of its own. Servers that follow TCP specifications should never respond this way. The SYN packet responses were loaded with data. Even worse, the middlebox completely disregarded RST packets sent from the victim, which are supposed to terminate a connection.
Also concerning is the finding from Bock’s research team that some middleboxes will respond when they receive any additional packet, including the RST.
“This creates an infinite packet storm,” the academic researchers wrote in August. “The attacker elicits a single block page to a victim, which causes a RST from the victim, which causes a new block page from the amplifier, which causes a RST from the victim, etc. The victim-sustained case is especially dangerous for two reasons. First, the victim’s default behavior sustains the attack on itself. Second, this attack causes the victim to flood its own uplink while flooding the downlink.”
Akamai also provided a demonstration showing the damage that occurs when an attacker targets a specific port running a TCP-based service.
“These SYN packets directed at a TCP application/service will cause that application to attempt to respond with multiple SYN+ACK packets and hold the TCP sessions open, awaiting the remainder of the three-way handshake,” Akamai explained. “As each TCP session is held in this half-open state, the system will consume sockets that will in turn consume resources, potentially to the point of complete resource exhaustion.”
Unfortunately, there’s nothing typical end users can do to block the DDoS amplification being exploited. Instead, middlebox operators must reconfigure their machines, which is unlikely in many cases. Barring that, network defenders must change the way they filter and respond to packets. Both Akamai and the academic researchers provide much more detailed instructions.
This story originally appeared on Ars Technica.
More Great WIRED Stories
