Hackers Find a New Way to Deliver Devastating DDoS Attacks

Cybercriminals are exploiting a fleet of more than 100,000 misconfigured servers to knock websites offline.
3D render of data server warehouse
“We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective," says Kevin Bock, a researcher at the University of Maryland.Photograph: vchal/Getty Images

Last August, academic researchers discovered a potent new method for knocking sites offline: a fleet of misconfigured servers more than 100,000 strong that can amplify floods of junk data to once-unthinkable sizes. These attacks, in many cases, could result in an infinite routing loop that causes a self-perpetuating flood of traffic. Now, content-delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media, and web-hosting industries.

These servers—known as middleboxes—are deployed by nation-states like China to censor restricted content and by large organizations to block sites pushing porn, gambling, and pirated downloads. The servers fail to follow transmission control protocol (TCP) specifications that require a three-way handshake—comprising a SYN packet sent by the client, a SYN+ACK response from the server, and a confirmation ACK packet from the client—before a connection is established.

This handshake helps keep TCP-based apps from being abused as amplifiers because the ACK confirmation must come from the gaming company or other target rather than an attacker spoofing the target’s IP address. But given the need to handle asymmetric routing, in which the middlebox can monitor packets delivered from the client but not the final destination that’s being censored or blocked, many such servers drop the requirement by design.

A Hidden Arsenal

Last August, researchers at the University of Maryland and the University of Colorado at Boulder published research showing that there were hundreds of thousands of middleboxes that had the potential to deliver some of the most crippling distributed denial of service attacks ever seen.

For decades, people have used DDoS attacks to flood sites with more traffic or computational requests than they can handle, thus denying services to legitimate users. Such attacks are similar to the old prank of directing more calls to the pizza parlor than it has phone lines to handle.

To maximize the damage and conserve resources, DDoS actors often increase the firepower of their attacks though amplification vectors. Amplification works by spoofing the target’s IP address and bouncing a relatively small amount of data at a misconfigured server used for resolving domain names, syncing computer clocks, or speeding up database caching. Because the response the servers automatically send is dozens, hundreds, or thousands of times bigger than the request, it overwhelms the spoofed target.

The researchers said that at least 100,000 of the middleboxes they identified exceeded the amplification factors from DNS servers (about 54x) and Network Time Protocol servers (about 556x). The researchers said that they identified hundreds of servers that amplified traffic at a higher multiplier than misconfigured servers using memcached, a database caching system for speeding up websites that can increase traffic volume by an astounding 51,000x.

Day of Reckoning

The researchers said at the time that they had no evidence of middlebox DDoS amplification attacks being used actively in the wild but expected it would only be a matter of time until that happened.

On Tuesday, Akamai researchers reported that day has come. Over the past week, the Akamai researchers said, they have detected multiple DDoS attacks that used middleboxes precisely the way the academic researchers had predicted. The attacks peaked at 11 Gbps and 1.5 million packets per second.

While these were small compared to the biggest DDoS attacks, both teams of researchers expect the attacks to get larger as bad actors begin to optimize their attacks and identify more middleboxes that can be abused (the academic researchers didn’t release that data to prevent it from being misused).

Kevin Bock, the lead researcher behind last August’s paper, said DDoS attackers had plenty of incentives to reproduce the attacks his team had theorized.

“Unfortunately, we weren’t surprised,” he told me, upon learning of the active attacks. “We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective. Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”

One of the middleboxes received a SYN packet with a 33-byte payload and responded with a 2,156-byte reply. That translated to a factor of 65x, but the amplification has the potential to be much greater with more work.

Akamai researchers wrote:

Volumetric TCP attacks previously required an attacker to have access to a lot of machines and a lot of bandwidth, normally an arena reserved for very beefy machines with high-bandwidth connections and source spoofing capabilities or botnets. This is because until now there wasn’t a significant amplification attack for the TCP protocol; a small amount of amplification was possible, but it was considered almost negligible, or at the very least subpar and ineffectual when compared with the UDP alternatives.

If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets. With the arrival of middlebox amplification, this long-held understanding of TCP attacks is no longer true. Now an attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.

Infinite Packet Storms and Complete Resource Exhaustion

Another middlebox Akamai encountered, for unknown reasons responded to SYN packets with multiple SYN packets of its own. Servers that follow TCP specifications should never respond this way. The SYN packet responses were loaded with data. Even worse, the middlebox completely disregarded RST packets sent from the victim, which are supposed to terminate a connection.

Also concerning is the finding from Bock’s research team that some middleboxes will respond when they receive any additional packet, including the RST.

“This creates an infinite packet storm,” the academic researchers wrote in August. “The attacker elicits a single block page to a victim, which causes a RST from the victim, which causes a new block page from the amplifier, which causes a RST from the victim, etc. The victim-sustained case is especially dangerous for two reasons. First, the victim’s default behavior sustains the attack on itself. Second, this attack causes the victim to flood its own uplink while flooding the downlink.”

Akamai also provided a demonstration showing the damage that occurs when an attacker targets a specific port running a TCP-based service.

“These SYN packets directed at a TCP application/service will cause that application to attempt to respond with multiple SYN+ACK packets and hold the TCP sessions open, awaiting the remainder of the three-way handshake,” Akamai explained. “As each TCP session is held in this half-open state, the system will consume sockets that will in turn consume resources, potentially to the point of complete resource exhaustion.”

Unfortunately, there’s nothing typical end users can do to block the DDoS amplification being exploited. Instead, middlebox operators must reconfigure their machines, which is unlikely in many cases. Barring that, network defenders must change the way they filter and respond to packets. Both Akamai and the academic researchers provide much more detailed instructions.

This story originally appeared on Ars Technica.


More Great WIRED Stories