New DDoS Attacks Leverage TCP Amplification

  /     /     /  
Publicated : 23/11/2024   Category : security


New DDoS Attacks Leverage TCP Amplification


Attackers over the past month have been using a rarely seen approach to disrupt services at large organizations in several countries.



Cybercriminals appear to have finally figured out a way to launch highly effective distributed denial-of-service (DDoS) attacks using TCP amplification — something most attackers have typically avoided under the assumption it cannot be done efficiently.
Security vendor Radware this week said its researchers over the past 30 days have observed multiple criminal campaigns involving the use of a new type of TCP reflection attack against large organizations. The victims of these massive attacks include European sports gambling website Eurobet, Korea Telecom, Turkish financial services company Garanti, and SK Broadband of South Korea.
The attacks not only impacted the intended targets but also the networks that were used to generate the DDoS flood, causing a ripple effect that impacted many businesses around the world. The method of TCP reflection being used in the campaigns has made the attacks particularly hard to mitigate, Radware noted.
This attack is unique because it creates collateral damage, says Daniel Smith, head of security research with Radwares emergency response team. The secondary victim in this attack is actually the first to see the attack traffic.
In DDoS attacks, threat actors use different methods to try and amplify the volume of attack traffic generated by a compromised system. The goal is to try and turn small queries and packets into much larger payloads that can then be used to flood a target network.
With TCP SYN-ACK reflection, attackers send a SYN packet — designed to appear like it originated from the target networks IP address — to a wide number of random or preselected IP addresses, or reflection services. The IP addresses respond to the spoofed SYN packet with a SYN-ACK packet that is sent to the target network. If the target network does not respond in the expected manner, the reflection IP will continue to retransmit the SYN-ACK packet in an attempt to establish a three-way handshake,
Radware said
.
The extent of amplification possible depends on the number of SYN-ACK retransmits the reflection service can perform. The more times the reflection IP sends the SYN-ACK requests to the target IP, the more the amplification.
Ripple Effect
Attackers have avoided TCP reflection because they have long believed the default setting for Linux systems is five retransmits, which is not enough to amplify traffic to the extent that UDP-based reflections can, Radware said. The reality, as demonstrated by an independent security researcher in 2014, is that many devices on the Internet can be manipulated to retransmit more than 5,000 SYN-ACK packets in 60 seconds, if needed.
Such attacks can overwhelm target networks and also cause other problems for victims, Smith says. In the latest campaigns involving TCP reflection attacks, the intended targets were also the victims of improper blacklisting, Smith says.
The original spoofed SYN flood sent to the reflectors misrepresented the victims IP range, he notes. As a result of the spoofed SYN flood on the reflectors network, operators moved to blacklist networks that were misrepresented. Some network administrators, for instance, blacklisted networks like Eurobet not just because of the spoofed SYN flood from the attacker, but also the return flood of TCP RST and ICMP packets from Eurobet, Smith said.
Since the attack was spoofed, blacklisting the victims network only helps to further accomplish the attackers goals he notes. 
Because of how TCP reflection attacks work, the networks that were used as reflection services also experienced network congestion and service degradation. Many companies that were unaware of their networks being used as TCP reflectors were left wondering why they were being flooded with SYN traffic, Radware said.
From a mitigation standpoint, the most challenging aspect to dealing with a TCP reflection attack is preventing network exhaustion, Smith says.
These attacks produce high volumes of packets per second, requiring a large amount of resource from network devices to process the traffic, he notes. If resources become exhausted, networks will fail resulting in an outage.
Related Content:
Massive DDoS Attack Generates 500 Million Packets per Second
Attackers Try to Evade Defenses with Smaller DDoS Floods, Probes
3 Drivers Behind the Increasing Frequency of DDoS Attacks
7 Things to Know About Todays DDoS Attacks
Check out 
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Account Fraud Harder to Detect as Criminals Move from Bots to Sweat Shops
.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New DDoS Attacks Leverage TCP Amplification