TCP Middlebox Reflection: new DDoS attack vector

Posted date 26/05/2022
New DDoS attack vector: TCP Middlebox Reflection

Distributed denial-of-service (DDoS) attacks aim to disrupt the normal operation of a server. In the most common case (although not the only one), attackers use botnets to send thousands upon thousands of requests to cause this kind of disruption, but a new attack has recently been discovered that can exploit even low-resource devices. One variant is DrDoS (distributed reflection denial of service), in which the request or access packets sent to the service that serves as the basis for the attack are kept as small as possible so that as many of them as possible can be generated, with an amplification factor then increasing the size and complexity of the response packets.

In August 2021, researchers at the University of Maryland and the University of Colorado Boulder published research showing that there were thousands of middleboxes capable of being used for DrDoS attacks over TCP. This new TCP reflection method allowed attacks to be amplified by orders of magnitude more than the existing UDP-based attacks.

Middleboxes are network devices that transform, inspect and filter traffic for purposes other than forwarding packets, such as firewalls, NAT, load balancers, IDS, etc. They are also used in some countries to censor restricted content, as well as in the security systems of companies and government agencies.

The results of this investigation suggest that this attack is as dangerous as the largest amplification-based attacks over UDP already in existence. The researchers detected hundreds of IP addresses with middleboxes that offer a greater amplification factor than memcached (51,000x), and hundreds of thousands of IP addresses that offer amplification factors greater than DNS and NTP.

Figure 1. Amplification factors of the attack. Source: Geneva.

One example of such an attack has already occurred, as reported in Akamai's post describing the detection and analysis of a series of reflected TCP attacks, peaking at 11 Gbps and 1.5 Mpps (million packets per second), targeting its customers and employing the TCP Middlebox Reflection technique. In addition, the Akamai Security Operations Command Center has monitored multiple middlebox attack campaigns aimed at the banking, travel, gaming, media and Internet storage sectors.

Such attacks occur because the affected devices do not follow the TCP specification. Before a connection can be established, the protocol requires a three-way handshake: a SYN packet sent by the client, a SYN+ACK response from the server and a confirmation by an ACK packet from the client. This handshake limits the possibility of a TCP-based application being used as an amplifier, because the ACK confirmation must come from the host with which the connection is being established. In the case of TCP Middlebox Reflection this does not happen, because poorly configured devices send the packets without the recipient ever completing the handshake.

Attackers could craft multiple TCP packet sequences containing HTTP request headers; in these HTTP headers, the domain name of a blocked site could be used as the Host header. When these packets are received by a middlebox configured not to allow access to that site, the middlebox responds, usually with HTTP headers and, in some cases, with full HTML pages. These responses give attackers an opportunity for reflection and, sometimes, a significant amplification factor.

Figure 2. Types of attacks. Source: Geneva (thick arrows show the amplification and red arrows show the packets that trigger the amplification).

Attackers could increase the power of their attacks and save resources through amplification vectors, spoofing the target's IP address and sending a relatively small packet of data to a misconfigured device. Akamai observed that a single SYN packet with a 33-byte payload produced a response of 2,156 bytes, increasing its size by 6,533%. Some middlebox implementations also allow attackers to add SYN, ACK or PSH+ACK flooding to the attack in addition to the TCP volumetric attack itself.

Scanning and detection

The USENIX paper describes the two methods used to scan IPv4 addresses for potentially vulnerable middleboxes:

  • A SYN packet with sequence number s, followed by a PSH+ACK with sequence number s+1 containing an HTTP GET request for a forbidden resource (a URL that the middlebox is configured to block).
  • A SYN packet carrying an HTTP GET request for a forbidden resource as its payload.

Using these scanning methods, an analysis carried out by Shadowserver reported 18.8 million IPv4 addresses vulnerable to TCP DrDoS attacks via middleboxes. Broken down by country, China, Iran and Indonesia occupy the top three spots respectively.

INCIBE-CERT is evaluating the information related to middlebox device IPs in Spain which could be used to carry out DDoS attacks using this new amplification technique.

Recommendations and solutions

Recommendations to mitigate the effects of this type of DrDoS attack, which could affect users or organisations that have a poorly configured or abused middlebox, are:

  • Limit the size of blocking responses made by middleboxes and choose to return a simple RST for forbidden TCP connections in order to reduce the amplification of attacks.
  • Favour bidirectional middleboxes, which see traffic from both the client and the server and are capable of inferring modifications to packets, such as those made by spoofing techniques to change the origin of the communications.
  • Configure middleboxes to only respond to and receive traffic from the region in which they are configured.
  • Disable HTTP traffic responses, as this is an obsolete protocol that has been superseded by HTTPS.
  • In the case of firewalls, access control lists (ACLs) could also be used to block known bad patterns, e.g. a rule like the one below, which discards any SYN packet coming from port 80 with a packet length greater than 100: deny tcp any eq 80 host x.x.x.x match-all +syn -ack packet-length gt 100.
  • The basis of this attack on middleboxes lies in a lack of control over the state of the TCP communication. The SYN flag is used only during the three-way handshake, and only in the first packet sent by each party. It is never used for actual data transfer, so any packet with the SYN flag set and exceeding a certain size can effectively be detected and blocked.
  • Deploy anti-spoofing systems or modules aimed at detecting out-of-order packets.
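As an added example, not from the original post or from any vendor's product, the two detection rules above (the ACL rule on SYN-without-ACK packets from port 80 longer than 100 bytes, and the general rule that a SYN never carries data) applied to constructed packet records seen at a protected host, together with the amplification arithmetic from Akamai's 33-byte request and 2,156-byte response:

```python
"""Flag TCP Middlebox Reflection traffic arriving at a protected host.

All packet records below are constructed for this example; the 100-byte
threshold mirrors the ACL rule in the recommendations above.
"""
from collections import Counter
from dataclasses import dataclass

SYN_MAX_LEN = 100  # bytes; a genuine SYN or SYN+ACK carries only TCP options


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    flags: frozenset   # subset of {"SYN", "ACK", "PSH", "RST", "FIN"}
    length: int        # total segment length in bytes (header + payload)


def acl_match(pkt: Packet, port: int = 80, max_len: int = SYN_MAX_LEN) -> bool:
    """Same condition as: deny tcp any eq 80 host X match-all +syn -ack packet-length gt 100."""
    return ("SYN" in pkt.flags and "ACK" not in pkt.flags
            and pkt.sport == port and pkt.length > max_len)


def oversized_syn(pkt: Packet, max_len: int = SYN_MAX_LEN) -> bool:
    """SYN is set only on the first segment each side sends; data never rides on it."""
    return "SYN" in pkt.flags and pkt.length > max_len


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes received per byte sent, the figure the middlebox research reports."""
    return response_bytes / request_bytes


def classify(packets) -> Counter:
    """Count, per source address, the packets matching either detection rule."""
    hits = Counter()
    for p in packets:
        if acl_match(p) or oversized_syn(p):
            hits[p.src] += 1
    return hits


# Constructed sample: one reflector sending SYN+data from port 80, one normal exchange.
SAMPLE = [
    Packet("198.51.100.7", 80, frozenset({"SYN"}), 2156),         # reflected block page
    Packet("198.51.100.7", 80, frozenset({"SYN", "PSH"}), 1500),  # reflected, PSH also set
    Packet("203.0.113.9", 80, frozenset({"SYN", "ACK"}), 60),     # normal SYN+ACK reply
    Packet("203.0.113.9", 80, frozenset({"PSH", "ACK"}), 1460),   # normal data segment
    Packet("192.0.2.5", 443, frozenset({"SYN"}), 44),             # ordinary small SYN
]

if __name__ == "__main__":
    print(classify(SAMPLE))                           # Counter({'198.51.100.7': 2})
    print(round(amplification_factor(33, 2156), 1))   # 65.3
```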

Since middleboxes spoof the source IP address of the traffic they generate, an attacker could make the source IP address of the reflected traffic appear to be any IP address behind the middlebox.

To solve this problem in general, all manufacturers would need to upgrade their middleboxes and all organisations that have deployed such a device would need to update their infrastructure as well. In the meantime, it is recommended to watch for and apply the relevant security updates for these devices.