[ih] Weaponizing Middleboxes for TCP Reflected Amplification (was Fwd: STD 7, RFC 9293 on Transmission Control Protocol (TCP))

the keyboard of geoff goodfellow geoff at iconia.com
Wed Aug 24 07:42:55 PDT 2022


Weaponizing Censorship Infrastructure

Abstract

Reflective amplification attacks are a powerful tool in the arsenal of a
DDoS attacker, but to date have almost exclusively targeted UDP-based
protocols. In this paper, we demonstrate that non-trivial TCP-based
amplification is possible and can be orders of magnitude more effective
than well-known UDP-based amplification. By taking advantage of
TCP-noncompliance in network middleboxes, we show that attackers can induce
middleboxes to respond and amplify network traffic. With the novel
application of a recent genetic algorithm, we discover and maximize the
efficacy of new TCP-based reflective amplification attacks, and present
several packet sequences that cause network middleboxes to respond with
substantially more packets than we send. We scanned the entire IPv4
Internet to measure how many IP addresses permit reflected amplification.
We find hundreds of thousands of IP addresses that offer amplification
factors greater than 100×. Through our Internet-wide measurements, we
explore several open questions regarding DoS attacks, including the root
cause of so-called mega amplifiers. We also report on network phenomena
that cause some of the TCP-based attacks to be so effective as to
technically have infinite amplification factor (after the attacker sends a
constant number of bytes, the reflector generates traffic indefinitely). We
have made our code publicly available.

Date Aug 11, 2021 1:30 PM
Event USENIX Security 2021
Location USENIX Security 2021

https://www.cs.umd.edu/~kbock/talk/usenix21/

---------- Forwarded message ---------
From: John Kristoff via Internet-history <internet-history at elists.isoc.org>
Date: Wed, Aug 24, 2022 at 6:29 AM
Subject: Re: [ih] STD 7, RFC 9293 on Transmission Control Protocol (TCP)
To: <internet-history at elists.isoc.org>

On Wed, 24 Aug 2022 09:58:11 +0200
Craig Partridge via Internet-history <internet-history at elists.isoc.org>
wrote:

> I have not tracked closely in a while but believe that we haven't
> seen a new attack in over 10 years and that various TCP tweaks have
> dealt with these issues.

While not an attack directly on TCP, it has been shown there is
a way to conduct source address-spoofed TCP-based amplification
and reflection attacks with relatively little effort.  The
problem is not in TCP itself, but in how middle boxes maintain
TCP state for the end points between boundaries, or don't
maintain state as is the case here.  Most attacks are mostly now found
in the larger tweaks.

For those that haven't seen this paper, it is worth a look, and may
result in a lot of "I told you so's" for those who have been skeptical
of middle boxes.  :-)

<https://www.cs.umd.edu/~kbock/talk/usenix21/>

John
-- 
Internet-history mailing list
Internet-history at elists.isoc.org
https://elists.isoc.org/mailman/listinfo/internet-history

-- 
Geoff.Goodfellow at iconia.com
living as The Truth is True
