Last August academic researchers discovered a powerful new way to knock sites offline: a set of misconfigured servers, more than 100,000 strong, that can amplify floods of junk traffic to once-unthinkable sizes. In many cases these attacks trigger an endless routing loop that produces a self-perpetuating flow of traffic. Now content delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media and web-hosting industries.
These servers, known as middleboxes, are deployed by nation states such as China to censor restricted content and by large organizations to block sites that distribute porn, gambling and pirated downloads. The servers fail to follow the Transmission Control Protocol (TCP) specification, which requires a three-way handshake before a connection is established: a SYN packet sent by the client, a SYN+ACK response from the server, and an ACK acknowledgment packet from the client.
This handshake helps protect TCP-based applications from being abused as amplifiers, because the ACK must come from the gaming company or other target, not from an attacker spoofing the target's IP address. But to handle asymmetric routing, where the middlebox can observe the packets the client sends but not those returned by the censored or blocked destination, many such servers skip this requirement by design.
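The handshake argument above can be checked in a few lines. The following toy model is an added example, not code from the article or from the cited research: a spec-following responder answers data only after the peer has acknowledged a server-chosen sequence number it could only have learned from the SYN+ACK, while a handshake-skipping censor answers any segment that names a blocked host. The segment model, the 40-byte header size, the block page and the host name `blocked.example` are constructed assumptions; nothing touches a real socket.

```python
"""Toy model of the TCP three-way handshake as a reflection defence.

Added example, not code from the article or the cited research. The segment
model, HDR, BLOCK_PAGE and BLOCKED_REQUEST are constructed assumptions.
"""
import random
from dataclasses import dataclass

HDR = 40  # assumed IP+TCP header bytes per segment
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              + b"<html>blocked</html>" * 20)          # constructed censor page
BLOCKED_REQUEST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"  # constructed


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

    def size(self) -> int:
        return HDR + len(self.payload)


class CompliantServer:
    """Follows the spec: data goes only to a peer that acknowledged our ISN."""

    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)
        self.pending: dict[str, int] = {}   # peer -> ISN we put in SYN+ACK
        self.established: set[str] = set()

    def receive(self, seg: Segment) -> list[Segment]:
        if seg.flags == {"SYN"}:
            isn = self.rng.getrandbits(32)
            self.pending[seg.src] = isn
            return [Segment(seg.dst, seg.src, frozenset({"SYN", "ACK"}), seq=isn)]
        if "ACK" in seg.flags and seg.src in self.pending:
            if seg.ack == (self.pending[seg.src] + 1) % 2**32:
                del self.pending[seg.src]
                self.established.add(seg.src)
            else:
                return []   # peer never saw our SYN+ACK: drop, send nothing
        if seg.payload and seg.src in self.established:
            return [Segment(seg.dst, seg.src, frozenset({"PSH", "ACK"}), payload=BLOCK_PAGE)]
        return []


class HandshakeSkippingMiddlebox:
    """Asymmetric-routing censor: it sees only the client's direction, keeps no
    handshake state, and answers any segment that names a blocked host."""

    def receive(self, seg: Segment) -> list[Segment]:
        if b"Host: blocked.example" in seg.payload:
            return [Segment(seg.dst, seg.src, frozenset({"PSH", "ACK"}), payload=BLOCK_PAGE)]
        return []


def reflection_ratio(responder, spoofed_src: str = "victim", box: str = "box") -> dict:
    """Replay a spoofed-source sequence and measure what reaches the spoofed
    address. The spoofer never receives the SYN+ACK, so its ACK number is a guess."""
    sent = [
        Segment(spoofed_src, box, frozenset({"SYN"})),
        Segment(spoofed_src, box, frozenset({"ACK"}), ack=0),          # guessed
        Segment(spoofed_src, box, frozenset({"PSH", "ACK"}), payload=BLOCKED_REQUEST),
    ]
    delivered = 0
    for seg in sent:
        for reply in responder.receive(seg):
            if reply.dst == spoofed_src:
                delivered += reply.size()
    sent_bytes = sum(s.size() for s in sent)
    return {"sent": sent_bytes, "delivered": delivered,
            "ratio": round(delivered / sent_bytes, 2)}


def legitimate_exchange() -> int:
    """A real client completes the handshake, so the compliant server does answer."""
    server = CompliantServer()
    synack = server.receive(Segment("client", "box", frozenset({"SYN"})))[0]
    server.receive(Segment("client", "box", frozenset({"ACK"}), ack=synack.seq + 1))
    reply = server.receive(Segment("client", "box", frozenset({"PSH", "ACK"}),
                                   payload=BLOCKED_REQUEST))
    return sum(r.size() for r in reply)


if __name__ == "__main__":
    print("compliant :", reflection_ratio(CompliantServer()))
    print("middlebox :", reflection_ratio(HandshakeSkippingMiddlebox()))
    print("legit client receives", legitimate_exchange(), "bytes")
```

Against the compliant server the spoofed address receives only the payload-less SYN+ACK, so the ratio stays below one; the same three segments sent to the state-free middlebox come back as a full block page, and the ratio depends only on how large that page is. This is the property the cited research measured at scale, and it is why a filtering device that must answer without seeing the server's side of the conversation should at minimum rate-limit and size-cap what it injects.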
A hidden arsenal
Last August, researchers from the University of Maryland and the University of Colorado at Boulder published research showing that there are hundreds of thousands of middleboxes with the potential to deliver some of the most crippling distributed denial-of-service attacks ever seen.
For decades, people have used DDoS attacks to flood sites with more traffic or computing requests than they can handle, thereby denying service to legitimate users. Such attacks are similar to the old prank of placing more calls to a pizzeria than it has phone lines to handle.
To maximize damage and conserve resources, DDoS actors often increase the firepower of their attacks through amplification vectors. Amplification works by spoofing the target's IP address and sending a relatively small amount of data to a misconfigured server used to resolve domain names, synchronize computer clocks, or speed up database caching. Because the response the server automatically sends is tens, hundreds, or thousands of times larger than the request, it overwhelms the spoofed target.
The researchers said that at least 100,000 of the middleboxes they identified exceeded the amplification factors of DNS servers (about 54x) and Network Time Protocol servers (about 556x). They also said they identified hundreds of servers that amplified traffic by a higher factor than misconfigured servers running memcached, a database-caching system for speeding up websites that can increase traffic volume by an astonishing 51,000 times.
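Every amplification vector above shares one property on the receiving end: the data arrives for a connection the victim never opened. That is also the detection signal. The following script is an added example, not code from the article or from Akamai, that walks a small flow log and reports inbound data-bearing TCP segments with no matching outbound SYN. The log format and every record in it are constructed; a real deployment would read NetFlow/IPFIX or packet captures, and the addresses used are documentation ranges.

```python
"""Flag unsolicited inbound TCP payload in a flow log (reflection signature).

Added example, not code from the article or from Akamai. SAMPLE_LOG and its
format (time, direction, src, sport, dst, dport, flags, bytes) are constructed.
"""
from collections import defaultdict

# Constructed records. 203.0.113.10 is "us"; the first five lines are a normal
# TLS connection we opened; the rest are PSH/ACK data from port 80 sources we
# never contacted, which is what a reflected flood looks like from the victim.
SAMPLE_LOG = """\
1000.0 out 203.0.113.10 51000 198.51.100.7 443 S 60
1000.1 in  198.51.100.7 443 203.0.113.10 51000 SA 60
1000.2 out 203.0.113.10 51000 198.51.100.7 443 A 52
1000.3 out 203.0.113.10 51000 198.51.100.7 443 PA 517
1000.4 in  198.51.100.7 443 203.0.113.10 51000 PA 1460
1001.0 in  192.0.2.50 80 203.0.113.10 51022 PA 1500
1001.0 in  192.0.2.50 80 203.0.113.10 51022 PA 1500
1001.1 in  192.0.2.51 80 203.0.113.10 51023 PA 1500
1001.2 in  192.0.2.50 80 203.0.113.10 51024 A 40
"""


def parse(line: str) -> dict:
    ts, direction, src, sport, dst, dport, flags, size = line.split()
    return {"ts": float(ts), "dir": direction, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags, "bytes": int(size)}


def unsolicited_payload(log_text: str) -> dict:
    """Per remote source: count and bytes of inbound data segments that belong to
    a 4-tuple for which this network never sent a SYN (i.e. no handshake state)."""
    opened = set()   # (local, lport, remote, rport) connections we initiated
    hits = defaultdict(lambda: {"segments": 0, "bytes": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["dir"] == "out" and "S" in rec["flags"] and "A" not in rec["flags"]:
            opened.add((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
            continue
        if rec["dir"] != "in" or "P" not in rec["flags"]:
            continue    # only data-bearing inbound segments are of interest
        key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        if key in opened:
            continue    # legitimate reply on a connection we opened
        h = hits[rec["src"]]
        h["segments"] += 1
        h["bytes"] += rec["bytes"]
        h["ports"].add(rec["sport"])
    return dict(hits)


def suspected_reflectors(log_text: str, min_bytes: int = 1000) -> list:
    """Sources sending at least min_bytes of unsolicited payload, largest first."""
    hits = unsolicited_payload(log_text)
    ranked = sorted(hits.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(src, h["bytes"], h["segments"]) for src, h in ranked if h["bytes"] >= min_bytes]


if __name__ == "__main__":
    for src, nbytes, nseg in suspected_reflectors(SAMPLE_LOG):
        print(f"{src}: {nbytes} unsolicited bytes in {nseg} segments")
```

The check is deliberately the one a stateful firewall performs: inbound PSH/ACK segments with no connection state are dropped or, as here, counted. A stateless ACL that admits "established" traffic by flag bits alone lets reflected block pages straight through, so at the edge the mitigation is to track state (or offload to a scrubbing provider that does) rather than to match on port numbers.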
A day of reckoning
The researchers said at the time that they had no evidence of DDoS attacks amplified by middleboxes being actively used in the wild, but they expected it would only be a matter of time before that happened.
On Tuesday, Akamai researchers announced that the day had arrived. In the past week, they said, they discovered multiple DDoS attacks that used middleboxes in exactly the way the academic researchers had predicted. The attacks peaked at 11 Gbps and 1.5 million packets per second.