Hackers are leveraging more than 100,000 misconfigured servers to take websites offline. 

What’s happening

In August of 2021, cyber security researchers uncovered a new and highly effective means of taking websites offline. The method involves use of misconfigured servers that can expand masses of “junk” data to once unthinkable sizes.

All of this data can circulate in an infinite routing loop that results in a continuous, self-perpetuating stream of web traffic. 

At present, security researchers believe that hackers are using this technique to target websites in the banking, travel, gaming, media and web-hosting industries. 

Technical details

Servers involved in this scheme are known as “middleboxes” and are often deployed by nation-states in order to censor restricted content, or by organizations that wish to block untoward or unprofessional content.

These middleboxes do not follow the Transmission Control Protocol (TCP) specification, which effectively requires a three-way “agreement” (handshake) before a connection is established: the client sends a SYN packet, the server replies with a SYN + ACK, and the client confirms with an ACK packet.

This handshake is what normally prevents TCP-based applications from being abused as amplifiers: the final ACK must come from the host that actually owns the source address (the target organization), not from an attacker who has merely spoofed that IP address.

Research details

Researchers have observed hundreds of thousands of middleboxes with the potential to launch some of the largest distributed denial of service (DDoS) attacks ever witnessed.

Although attackers have used DDoS attacks for decades, this technique significantly amplifies their effect. Amplification works by spoofing the target’s IP address and bouncing a fairly small amount of data off a misconfigured server, using a rotating set of techniques. Because the response the servers automatically send is dozens, hundreds or even thousands of times larger than the request, the spoofed target is quickly overwhelmed.
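As an added illustration of the handshake requirement and the amplification mechanics described above (example code written for this page, not from the article or the researchers it cites): a simplified stateful tracker, of the kind a defender's edge filter runs, that flags inbound TCP payload arriving on flows the defended host never completed a handshake for and totals those bytes per source. The addresses and segments are constructed sample data, and flows are keyed on the IP pair rather than the full 4-tuple to keep the example short.

```python
from collections import defaultdict

# Constructed sample of TCP segments crossing the edge of a defended network (not a real capture).
# Each entry: (direction, src_ip, dst_ip, flags, payload_bytes); "in" = toward the defended host.
SEGMENTS = [
    # Legitimate outbound connection: full three-way handshake, then data from the remote server.
    ("out", "198.51.100.5", "203.0.113.10", frozenset({"SYN"}), 0),
    ("in",  "203.0.113.10", "198.51.100.5", frozenset({"SYN", "ACK"}), 0),
    ("out", "198.51.100.5", "203.0.113.10", frozenset({"ACK"}), 0),
    ("in",  "203.0.113.10", "198.51.100.5", frozenset({"PSH", "ACK"}), 1400),
    # Unsolicited payload: segments arrive on flows the defended host never opened,
    # which is what reflected middlebox responses look like from the target's side.
    ("in",  "192.0.2.7", "198.51.100.5", frozenset({"PSH", "ACK"}), 1460),
    ("in",  "192.0.2.7", "198.51.100.5", frozenset({"PSH", "ACK"}), 1460),
    ("in",  "192.0.2.7", "198.51.100.5", frozenset({"PSH", "ACK"}), 980),
    ("in",  "192.0.2.9", "198.51.100.5", frozenset({"PSH", "ACK"}), 1460),
]


def unsolicited_payload_bytes(segments):
    """Track handshake state per flow; return {remote_ip: payload bytes seen before ESTABLISHED}."""
    state = {}                      # (remote_ip, local_ip) -> handshake state
    unsolicited = defaultdict(int)  # remote_ip -> payload bytes that arrived without a handshake
    for direction, src, dst, flags, payload in segments:
        remote, local = (src, dst) if direction == "in" else (dst, src)
        key = (remote, local)
        cur = state.get(key, "CLOSED")
        if direction == "out" and flags == {"SYN"}:
            state[key] = "SYN_SENT"            # defended host initiated the connection
        elif direction == "in" and flags == {"SYN"}:
            state[key] = "SYN_RECEIVED"        # remote initiated; we must answer SYN+ACK
        elif direction == "in" and flags == {"SYN", "ACK"} and cur == "SYN_SENT":
            state[key] = "SYN_ACK_SEEN"
        elif direction == "out" and "ACK" in flags and cur == "SYN_ACK_SEEN":
            state[key] = "ESTABLISHED"         # third step of the handshake sent by us
        elif direction == "out" and flags == {"SYN", "ACK"} and cur == "SYN_RECEIVED":
            state[key] = "SYN_ACK_SENT"
        elif direction == "in" and flags == {"ACK"} and cur == "SYN_ACK_SENT":
            state[key] = "ESTABLISHED"         # third step of the handshake received from remote
        elif direction == "in" and payload > 0 and cur != "ESTABLISHED":
            unsolicited[src] += payload        # data with no handshake: drop and count it
    return dict(unsolicited)


if __name__ == "__main__":
    for ip, total in sorted(unsolicited_payload_bytes(SEGMENTS).items()):
        print(f"{ip}: {total} unsolicited payload bytes")
```

Sources whose unsolicited byte count keeps climbing are candidates for rate limiting at the edge, while the legitimately handshaked peer is never counted.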

Middlebox amplification attacks – potential

When middlebox attacks were first described by researchers, they had not yet been seen in the wild, but researchers anticipated that it would only be a matter of time. They were right.

Recently, researchers reported detection of multiple DDoS attacks that leverage middleboxes in the exact way that researchers had initially predicted. Attacks peaked at 11 Gbps and 1.5 million packets per second. 

Although the observed attacks were small, as compared with the largest known DDoS attacks, researchers expect that attacks will increase in size as threat actors begin to optimize strategies. It’s predicted that threat actors will identify additional middleboxes that can be abused. 

Experts state that attackers have plenty of motivation to move forward with these attacks. 

The infinite packet storm

Academic researchers have described this DDoS disruption as creating “an infinite packet storm”. Broadly speaking, there is not much that an end user can do to block this kind of DDoS amplification. Rather, network defenders are encouraged to rethink how they filter and respond to packets.

For more information about DDoS threats, see CyberTalk.org’s past coverage.
