Method takes down sites via DDoS with attacks that exceed 10 Gb/s – Antivirus and Security – Tecnoblog

Have you ever heard of a middlebox? It is the name given to a network device that, among other functions, inspects and filters the traffic passing through it. Such devices are useful in many settings, but they can also become a hazard: Akamai has detected DDoS attacks with peaks of 11 Gb/s that used middleboxes, rather than ordinary computers, as the source of the flood.

DDoS attack (illustrative image: Markus Spiske/Unsplash)

This is a new type of DDoS attack (Distributed Denial of Service), so it would be no surprise if security experts were caught off guard by the discovery. Not all of them were: researchers from the University of Maryland and the University of Colorado had already warned in August 2021 that middleboxes could be used in such attacks. But how?

DDoS attacks just got more sophisticated

DDoS attacks aim to knock a server or service offline by flooding it with more requests than it can handle. In a rough analogy, it is as if so many heavy boxes were piled onto a truck that the vehicle could no longer move.

One common strategy is the "recruitment" of computers previously infected with malware that lets an attacker command them to take part in the flood (a botnet).

Ingenious, no? But the techniques for carrying out DDoS attacks have become even more sophisticated over time. Proof of this is the emergence of the "reflective amplification" strategy.

Briefly, the method works like this: the attacker sends small requests to servers on the internet with the source address forged, through IP spoofing, to be the victim's address. The servers answer with much larger packets, and those answers go to the victim rather than back to the attacker. Enough of them overload the target until it stops responding.

Reflective amplification attacks typically use servers whose services run over UDP (User Datagram Protocol). UDP is connectionless, so communication is a simple two-step exchange: a request arrives at the server, and the server simply answers it, with no prior check that the source address is genuine.

With TCP-based services it is different, because establishing a connection requires a three-way handshake (a verification procedure between source and destination), and that handshake makes IP spoofing impractical.

How? The client sends a SYN; the server answers with a SYN-ACK that carries its own randomly chosen sequence number; the client must then return an ACK acknowledging that number before any data is exchanged. With a spoofed source address the SYN-ACK goes to the spoofed host (the victim), not to the attacker, so the attacker never learns the sequence number and cannot send the final ACK. The connection is never established, and the only thing the server sends toward the victim is the small SYN-ACK, which offers no amplification.

Attacks via middlebox

Lo and behold, in August 2021, researchers at the Universities of Maryland and Colorado published a study warning that a large number of middleboxes have a design flaw: they do not properly track TCP connection state and act on packets as if the handshake had been completed, even when it never was. The three-way exchange is therefore not required to get a response out of them.

Animation showing how middlebox attacks work (image: disclosure)

This means that IP spoofing works against middleboxes. Hundreds or thousands of these devices could thus be abused to answer, with large packets, a target that never asked them anything, overloading it.
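To make the contrast between the handshake argument above and the middlebox flaw concrete, here is an added simulation. It is not code from the article, the Maryland/Colorado researchers or Akamai; it models three reflectors (a stateless UDP service, a TCP server that tracks the three-way handshake, and a middlebox that inspects payloads without tracking connection state), sends each the same spoofed probes, and measures how many bytes reach the victim per byte the attacker sent. The addresses, header size, reply sizes, block page and filtered hostname `forbidden.example` are all constructed for the example.

```python
# Added example (not code from the article, the researchers or Akamai): a toy
# model of spoofed-source reflection against a stateless UDP service, a TCP
# server that tracks the three-way handshake, and a middlebox that inspects
# payloads without tracking connection state. All values are constructed.
from collections import defaultdict
from dataclasses import dataclass
import secrets

HEADER_BYTES = 40         # assumed IP + transport header size per packet
VICTIM = "203.0.113.5"    # forged source address; receives every reply
REFLECTOR = "192.0.2.10"  # address the attacker's probes are sent to
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: forbidden.example\r\n\r\n"
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              + b"<html>blocked</html>" * 50)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "udp" or "tcp"
    flags: frozenset = frozenset()  # TCP flags: SYN, ACK, PSH
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

    def size(self):
        return HEADER_BYTES + len(self.payload)

class Network:
    """Delivers by destination and tallies bytes received; the victim is not
    registered as a host, so it silently absorbs whatever arrives."""
    def __init__(self, hosts):
        self.hosts, self.received = hosts, defaultdict(int)

    def send(self, pkt):
        self.received[pkt.dst] += pkt.size()
        host = self.hosts.get(pkt.dst)
        for reply in (host.handle(pkt) if host else []):
            self.send(reply)

class UdpReflector:
    """Stateless UDP service: a larger reply goes to whatever source the
    request claimed, no questions asked."""
    def __init__(self, addr, reply_size=512):
        self.addr, self.reply_size = addr, reply_size

    def handle(self, pkt):
        return [Packet(self.addr, pkt.src, "udp", payload=b"A" * self.reply_size)]

class TcpServer:
    """Sends data only after an ACK carrying ISN + 1. The spoofed peer never
    learns the ISN (the SYN-ACK went to the victim), so nothing big is sent."""
    def __init__(self, addr, reply_size=1500, rng=None):
        self.addr, self.reply_size = addr, reply_size
        self.rng = rng or secrets.SystemRandom()
        self.pending, self.established = {}, set()   # peer -> ISN; done peers

    def handle(self, pkt):
        if pkt.proto != "tcp":
            return []
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            isn = self.rng.randrange(1, 2**32 - 1)   # so ISN + 1 is never 1
            self.pending[pkt.src] = isn
            return [Packet(self.addr, pkt.src, "tcp", frozenset({"SYN", "ACK"}),
                           seq=isn, ack=pkt.seq + 1)]
        if "ACK" in pkt.flags and pkt.src in self.pending:
            if pkt.ack != self.pending[pkt.src] + 1:
                return []                              # bad ack number: drop
            self.established.add(pkt.src)
            del self.pending[pkt.src]
        if pkt.src in self.established and pkt.payload:
            return [Packet(self.addr, pkt.src, "tcp", frozenset({"PSH", "ACK"}),
                           payload=b"B" * self.reply_size)]
        return []

class Middlebox:
    """Stateless inspection device: never checks that a handshake completed and
    injects its block page toward the source of any packet matching the filter."""
    def __init__(self, addr, blocked=b"forbidden.example"):
        self.addr, self.blocked = addr, blocked

    def handle(self, pkt):
        if pkt.proto == "tcp" and self.blocked in pkt.payload:
            return [Packet(self.addr, pkt.src, "tcp", frozenset({"PSH", "ACK"}),
                           payload=BLOCK_PAGE)]
        return []

def spoofed_udp_probes():
    return [Packet(VICTIM, REFLECTOR, "udp", payload=b"Q" * 60)]

def spoofed_tcp_probes(guessed_ack=1):
    """SYN, then a PSH-ACK carrying the request. The ack number is a guess:
    the attacker never sees the SYN-ACK, which went to the victim."""
    return [Packet(VICTIM, REFLECTOR, "tcp", frozenset({"SYN"}), seq=1000),
            Packet(VICTIM, REFLECTOR, "tcp", frozenset({"PSH", "ACK"}), seq=1001,
                   ack=guessed_ack, payload=HTTP_REQUEST)]

def run_spoofed_attack(reflector, probes):
    """Bytes the attacker sent, bytes the victim received, and their ratio."""
    net = Network({REFLECTOR: reflector})
    sent = 0
    for pkt in probes:
        sent += pkt.size()
        net.send(pkt)
    got = net.received[VICTIM]
    return {"attacker_bytes": sent, "victim_bytes": got, "amplification": got / sent}
```

Running `run_spoofed_attack` with each reflector and the matching probes shows the three outcomes the text describes: the UDP service and the middlebox both deliver more bytes to the victim than the attacker spent, while the stateful TCP server leaks only a 40-byte SYN-ACK and then drops the spoofed data packet because its acknowledgment number does not match the ISN it chose. A client that really receives the SYN-ACK (and so knows the ISN) completes the handshake and gets the full reply, which is what makes the handshake a working defence for real servers and a broken one for devices that skip it.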

At the time the study was released, there was no evidence of middlebox-based DDoS attacks in the wild. But, in the researchers' view, it was only a matter of time. And it happened.

Akamai reported last week that several DDoS attacks involving middleboxes had been detected. These attacks peaked at 11 Gb/s (gigabits per second) and 1.5 million packets per second against their targets.

While these attacks are not very impactful on their own (the truly problematic ones break the terabit-per-second barrier), the discovery raises concern that far more damaging attacks could follow.

Fortunately, the problem can be mitigated. Adjusting middleboxes is not a simple task, and in some cases may even be unfeasible, but the researchers and Akamai say there are several possible solutions.

With information: Ars Technica.
