Cyber Attackers Are Taking Down Sites In A Scary New Way
Cyber attackers are ambushing companies in a way many never saw coming.
This article is more than 2 years old
Academic researchers uncovered a powerful new way for taking websites offline last August. They discovered a quantity totaling 100,000 misconfigured servers that can send hoards of garbage data to previously inconceivable volumes. In many circumstances, these assaults could result in an indefinite routing loop, resulting in a never-ending flow of traffic. Cyber attackers are now using the servers to target sites in the banking, tourism, gaming, media, and web-hosting industries.
Middlebox servers, which is the label given to such servers, are used by nation-states like China to censor banned content. They are also leveraged by large corporations to block sites that promote pornography and unlicensed downloads. Generally, middleboxes are commonly used in both public and private networks. Dedicated middlebox hardware is extensively used in enterprise environments to increase network security and performance. However, residential network routers often include a built-in firewall, NAT, and other middlebox features, as well. Middleboxes are used in cellular networks to ensure that scarce network resources are utilized efficiently and to secure client devices. However, cyber attackers have found a way to exploit these middleboxes.
It’s important to understand how the servers work to fully understand their potency and why cyber attackers are leveraging them. The most prominent aspect of middlebox servers is that the servers fail to comply with transmission control protocol rules. Such rules require a three-way handshake consisting of an SYN packet sent by the client, an SYN+ACK responder from the server, and a validation ACK packet from the client.
Because the ACK confirmation must originate from the gaming company or other target, rather than a cyber attacker impersonating the target’s IP address, this handshake prevents TCP-based apps from being used as amplifiers. Many such servers, however, eliminate the requirement due to design issues and a need to handle asymmetric routing. When asymmetric routing takes place, the middlebox can monitor packets supplied from the client but not the eventual destination that is being censored or banned.
DDoS attacks have been used for many years to overwhelm websites with more traffic or computational requests than they can handle, denying genuine users access. These types of ambushes by cyber attackers are akin to the traditional prank of sending more phone calls to the pizza joint than the establishment can handle. DDoSers frequently use amplification paths to boost the strength of their attacks. But they do it in a way so that they can at the same time conserve resources.
“Spoofing the target’s IP address and bouncing relatively small amount of data at a misconfigured server used for resolving domain names, syncing computer clocks, or speeding up database caching” is how amplification works, according to Ars Technica. The answer overwhelms the spoofed target since the servers’ responses are dozens, hundreds, or thousands of times larger than the request. Those who have been targeted by cyber attackers spoofing often say that they didn’t have any proof of middlebox DDoS amplification assaults being employed.
Unfortunately, ordinary end users have no way of stopping the DDoS amplification that is being used by cyber attackers. Operators of middleboxes must instead reconfigure their devices, which is improbable in many circumstances. If that isn’t possible, network defenders will have to adjust how they filter and respond to packets.