Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks


Weaknesses in the TCP implementations of middleboxes and censorship infrastructure can be weaponized as a vector for reflected denial-of-service (DoS) amplification attacks against any target, with amplification factors that surpass many of the existing UDP-based vectors known to date.

Detailed by a team of academics from the University of Maryland and the University of Colorado Boulder at the USENIX Security Symposium, the volumetric attacks take advantage of TCP non-compliance in in-network middleboxes, such as firewalls, blocking systems, and deep packet inspection (DPI) boxes, to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors greater than those of DNS, NTP, and Memcached.

The study, which received a Distinguished Paper Award at the conference, is the first of its kind to describe how to carry out DDoS reflected amplification attacks over TCP by abusing misconfigured middleboxes, even though the TCP handshake had long been considered an effective defence against spoofing-based reflection.

Reflected amplification attacks are a type of DoS attack in which an adversary exploits the connectionless nature of UDP, sending spoofed requests to misconfigured open servers so that the targeted server or network is flooded with packets, causing disruption or rendering the surrounding infrastructure unavailable. The attack works when the response from the abused service is larger than the spoofed request that triggered it, so an attacker can send thousands of such requests and thereby greatly increase the volume and bandwidth delivered to the target.


While amplified DoS has traditionally relied on UDP, because the three-way TCP handshake used to set up TCP/IP connections over an IP-based network (SYN, SYN+ACK, and ACK) gets in the way of spoofing, the researchers found that a large number of in-network middleboxes do not comply with the TCP standard and "can respond to censored requests with large block pages, even if there is no valid TCP connection or handshake," turning those devices into attractive vectors for DoS amplification attacks.

"Middleboxes are usually not TCP-compliant by design: most middleboxes try to [handle] asymmetric routing, where the middlebox can only see one direction of packets in a connection (e.g., client to server)," the researchers said. "But this feature opens them up to attack: if middleboxes inject content based on only one side of the connection, an attacker can spoof one side of the three-way TCP handshake and convince the middlebox that there is a valid connection."

Put differently, the method tricks the middlebox into injecting a response without completing the three-way handshake: the attacker requests a restricted domain, such as a pornography, gambling, or file-sharing site, and the middlebox answers with a block page, which can be far larger than the request that triggered it.
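A defender-side way to spot this pattern is to look for inbound TCP segments carrying payload on a 4-tuple the monitored host never opened with a SYN, which is what a reflected block page looks like from the victim's side. The following is an added example, not code from the paper or the article; the trace and the RFC 5737 addresses are constructed, and the heuristic is this editor's, not the researchers' tooling:

```python
from collections import defaultdict
from dataclasses import dataclass

VICTIM = "203.0.113.10"  # constructed (RFC 5737 range), stands for the monitored host

@dataclass(frozen=True)
class Segment:
    src: str       # source IP
    sport: int     # source port
    dst: str       # destination IP
    dport: int     # destination port
    flags: str     # TCP flag letters: S=SYN, A=ACK, P=PSH, R=RST
    payload: int   # bytes of TCP payload carried

def unsolicited_data(trace, victim):
    """Per-source count and bytes of payload-bearing segments reaching the victim
    on a 4-tuple the victim never opened with a SYN. A block page reflected
    through a middlebox looks like this: the victim never started the flow."""
    opened = {(s.dst, s.dport, s.src, s.sport) for s in trace
              if s.src == victim and "S" in s.flags and "A" not in s.flags}
    hits = defaultdict(lambda: {"segments": 0, "bytes": 0})
    for s in trace:
        if s.dst != victim or s.payload == 0:
            continue  # outbound, or carries no data worth amplifying
        if (s.src, s.sport, s.dst, s.dport) in opened:
            continue  # the victim initiated this flow; a normal server reply
        hits[s.src]["segments"] += 1
        hits[s.src]["bytes"] += s.payload
    return dict(hits)

def ranked(hits, min_bytes=1000):
    """Sources above a byte threshold, largest first, e.g. to feed an alert."""
    return sorted((ip for ip, v in hits.items() if v["bytes"] >= min_bytes),
                  key=lambda ip: hits[ip]["bytes"], reverse=True)

# Constructed trace: one HTTPS flow the victim opened itself, plus reflected
# block pages from two middleboxes on 4-tuples the victim never initiated.
TRACE = [
    Segment(VICTIM, 40001, "198.51.100.9", 443, "S", 0),
    Segment("198.51.100.9", 443, VICTIM, 40001, "SA", 0),
    Segment(VICTIM, 40001, "198.51.100.9", 443, "A", 0),
    Segment("198.51.100.9", 443, VICTIM, 40001, "PA", 1200),
    Segment("198.51.100.5", 80, VICTIM, 33333, "PA", 1400),
    Segment("198.51.100.5", 80, VICTIM, 33333, "PA", 1400),
    Segment("198.51.100.5", 80, VICTIM, 33333, "R", 0),
    Segment("198.51.100.7", 80, VICTIM, 44444, "PA", 900),
]
```

On real traffic the SYN table must be kept over time rather than built from a complete trace, and hosts that legitimately receive unsolicited data (e.g. servers) need their listening ports excluded before the threshold is meaningful.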

Moreover, a series of experiments found that these amplified responses came primarily from middleboxes, the vast majority of them nation-state censorship devices and enterprise firewalls, highlighting the role this kind of infrastructure plays in enabling governments to suppress access to information within their borders and, worse, in allowing adversaries to turn those same devices against any victim on the Internet.

"Nation-state censorship infrastructure is located at high-speed ISPs, and is capable of sending and injecting data at incredibly high bandwidths," the researchers said. "This allows the attacker to amplify large amounts of traffic without worrying about saturating the amplifier. Second, the large pool of source IP addresses that can be used to trigger amplification attacks makes it difficult for victims to simply block a handful of reflectors. Nation-state censors effectively turn every routable IP address within their country into a potential amplifier."

"Middleboxes present an unexpected, as yet untapped threat that attackers could leverage to launch powerful DoS attacks," the researchers said. "Protecting the Internet from these threats will require concerted efforts from middlebox manufacturers and operators."
