Aug 19 2021

Great Firewall Ready to Unleash ‘Gigantic’ DDoS—so are Other Middleboxes

Category: DDoS, Information Security | DISC @ 12:51 pm

Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. They’ve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).

You’ll be pleased to know the researchers haven’t wasted their time dreaming up a fancy name or a logo. On the other hand, they’re far from hopeful that the problems can be fixed.

Nation-states would have to fix their firewalls, which ain’t gonna happen. In today’s SB Blogwatch, this is why we can’t have nice things.

Your humble blogwatcher curated these bloggy bits for your entertainment.

‘Infinite’ Amplification Ahoy

What’s the craic? Catalin Cimpanu reports—“Firewalls and middleboxes can be weaponized for gigantic DDoS attacks”:

Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Reflective amplification happens when an attacker sends network packets to a third-party server on the internet; the server processes them and creates a much larger response packet, which it then sends to a victim instead of the attacker. The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of DDoS.


The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. If the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect. Weaponizing this attack is relatively simple.
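The quoted paragraphs describe the mechanism in prose; the toy model below is an added example (not code from the researchers or from the article) that makes the design flaw concrete. Two simulated middleboxes inspect HTTP requests for a forbidden Host header and answer with a block page. The stateless one never checks that a TCP handshake happened, so one spoofed PSH+ACK draws a block page addressed to the spoofed source, the victim. The stateful one inspects only flows whose SYN, SYN-ACK and ACK it has seen, and the attacker cannot finish that handshake for an address it does not own. The addresses, the blocklist, the 40-byte header figure and the block page are all constructed stand-ins, not measurements from the research.

```python
"""Toy model of TCP middlebox reflected amplification (added example).

Stateless inspection replies to whatever source address a packet claims;
stateful inspection replies only inside flows whose handshake it observed.
All packet contents and sizes are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed block page; real censorship notices are often larger still.
BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Access Denied</h1>"
    + b"<p>This site is blocked by policy.</p>" * 40
    + b"</body></html>"
)
FORBIDDEN_HOSTS = {b"forbidden.example"}   # assumed blocklist
HEADER_BYTES = 40                           # 20-byte IPv4 + 20-byte TCP header, no options


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"
    dst: str
    flags: frozenset    # e.g. frozenset({"SYN"}), frozenset({"PSH", "ACK"})
    payload: bytes = b""

    def size(self) -> int:
        return HEADER_BYTES + len(self.payload)


def requests_forbidden_host(payload: bytes) -> bool:
    """Crude DPI: look for a Host header naming a blocked site."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().lower() in FORBIDDEN_HOSTS
    return False


def block_reply(pkt: Packet) -> Packet:
    # The reply is addressed to whatever the packet claimed as its source.
    return Packet(pkt.dst, pkt.src, frozenset({"PSH", "ACK"}), BLOCK_PAGE)


class StatelessMiddlebox:
    """Vulnerable design: inspects every data segment it sees, keeps no flow state."""
    def handle(self, pkt: Packet) -> list:
        if "PSH" in pkt.flags and requests_forbidden_host(pkt.payload):
            return [block_reply(pkt)]
        return []


class StatefulMiddlebox:
    """Hardened design: inspects only flows whose three-way handshake it observed."""
    def __init__(self):
        self.syn_seen = set()        # (client, server) after the client's SYN
        self.synack_seen = set()     # (client, server) after the server's SYN-ACK
        self.established = set()     # (client, server) after the client's ACK

    def handle(self, pkt: Packet) -> list:
        flow = (pkt.src, pkt.dst)
        if pkt.flags == frozenset({"SYN"}):
            self.syn_seen.add(flow)
        elif pkt.flags == frozenset({"SYN", "ACK"}) and (pkt.dst, pkt.src) in self.syn_seen:
            self.synack_seen.add((pkt.dst, pkt.src))
        elif pkt.flags == frozenset({"ACK"}) and flow in self.synack_seen:
            self.established.add(flow)
        elif "PSH" in pkt.flags and flow in self.established and requests_forbidden_host(pkt.payload):
            return [block_reply(pkt)]
        return []


GET_FORBIDDEN = b"GET / HTTP/1.1\r\nHost: forbidden.example\r\n\r\n"
SERVER, VICTIM, CLIENT = "203.0.113.10:80", "198.51.100.7:443", "192.0.2.5:40000"


def reflected_amplification(box) -> float:
    """Attacker spoofs VICTIM as source: a SYN, then a PSH+ACK carrying the forbidden GET.

    Returns bytes the middlebox sends to VICTIM divided by bytes the attacker sent.
    Any SYN-ACK from the real server goes to VICTIM, who never ACKs it, so the
    attacker can never make this flow look established.
    """
    sent = [Packet(VICTIM, SERVER, frozenset({"SYN"})),
            Packet(VICTIM, SERVER, frozenset({"PSH", "ACK"}), GET_FORBIDDEN)]
    to_victim = 0
    for pkt in sent:
        for reply in box.handle(pkt):
            if reply.dst == VICTIM:
                to_victim += reply.size()
    return to_victim / sum(p.size() for p in sent)


def legitimate_client_is_blocked(box) -> bool:
    """A real client completes the handshake, then requests the forbidden site."""
    flow = [Packet(CLIENT, SERVER, frozenset({"SYN"})),
            Packet(SERVER, CLIENT, frozenset({"SYN", "ACK"})),
            Packet(CLIENT, SERVER, frozenset({"ACK"})),
            Packet(CLIENT, SERVER, frozenset({"PSH", "ACK"}), GET_FORBIDDEN)]
    replies = [r for pkt in flow for r in box.handle(pkt)]
    return any(r.dst == CLIENT and r.payload == BLOCK_PAGE for r in replies)


if __name__ == "__main__":
    for name, make in (("stateless", StatelessMiddlebox), ("stateful", StatefulMiddlebox)):
        print(f"{name}: {reflected_amplification(make()):.1f}x to victim, "
              f"legit client blocked: {legitimate_client_is_blocked(make())}")
```

Both boxes still block the legitimate client; only the stateless one also serves as a reflector. The caveat for operators is that real inspection devices are often deployed where they see only one direction of a flow, which is exactly why many were built stateless in the first place, and why the fix is not a simple software update.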


Tags: 800Gbps ransom DDoS, DDoS D/TLS, Gigantic DDoS, Great Firewall


Mar 21 2021

Dirt Cheap DDoS for Hire, via D/TLS Amplification

Category: DDoS, Information Security | DISC @ 10:33 pm

A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).

Some D/TLS servers don’t check for forged requests; the best-known example is Citrix’s Netscaler ADC product before a patch was released in January. That allows scrotes to misuse these high-bandwidth servers to deny internet service to people they want to extort money from.

This possibly includes Sony, whose LittleBigPlanet service has been AWOL for a week. In today’s SB Blogwatch, we ask the question.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: But is it art?

Dirty Deeds: DDoS D/TLS

What’s the craic? Dan Goodin reports in—“~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet”:

DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections, the criminals respond with new ways to make the most of their limited bandwidth.


In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. DDoS-for-hire services [are] adopting a new amplification vector: D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets.


The biggest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps.


Abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built into the D/TLS specification, hardware including the Citrix Netscaler Application Delivery Controller didn’t always turn it on by default.
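The anti-spoofing mechanism Goodin refers to is the stateless cookie exchange of DTLS 1.2 (the HelloVerifyRequest of RFC 6347, section 4.2.1). The toy server below is an added example, not Netscout’s or Citrix’s code, and shows why a server with the exchange switched off becomes a reflector and one with it on does not. The ClientHello and server flight are constructed byte strings whose only purpose is their relative size, the "|cookie=" separator stands in for the real cookie field inside ClientHello, and the addresses and the HMAC secret are assumptions.

```python
"""Toy DTLS server front end showing the cookie exchange (added example).

With the exchange off, one small ClientHello from a spoofed address draws the
full server flight to the victim.  With it on, an unverified source gets only
a small HelloVerifyRequest carrying a cookie bound to its address, and the
large flight is sent only to a peer that echoes that cookie.  Message bytes
are constructed stand-ins, not real DTLS records.
"""
import hashlib
import hmac

CLIENT_HELLO = b"ClientHello:" + b"\x00" * 108                 # ~120-byte first flight
# ServerHello + Certificate chain + ServerKeyExchange + ServerHelloDone, a few KB.
SERVER_FLIGHT = b"ServerHello+Certificate:" + b"\x00" * 3000
COOKIE_TAG = b"|cookie="                                       # stand-in for the cookie field


class DtlsServer:
    def __init__(self, cookie_exchange: bool, secret: bytes = b"assumed-per-server-secret"):
        self.cookie_exchange = cookie_exchange
        self.secret = secret

    def _cookie(self, src_addr: str, client_hello: bytes) -> bytes:
        # RFC 6347 suggests an HMAC over the client's address and ClientHello fields:
        # the server keeps no per-client state, yet a cookie is valid from one address only.
        return hmac.new(self.secret, src_addr.encode() + client_hello, hashlib.sha256).digest()

    def receive(self, src_addr: str, datagram: bytes) -> bytes:
        """Return the datagram the server sends back toward src_addr."""
        client_hello, _, cookie = datagram.partition(COOKIE_TAG)
        if not self.cookie_exchange:
            return SERVER_FLIGHT                       # vulnerable: answers any claimed source
        if cookie and hmac.compare_digest(cookie, self._cookie(src_addr, client_hello)):
            return SERVER_FLIGHT                       # source proved it receives at src_addr
        return b"HelloVerifyRequest" + COOKIE_TAG + self._cookie(src_addr, client_hello)


VICTIM, CLIENT = "198.51.100.7:5000", "192.0.2.5:6000"   # assumed addresses


def spoofed_amplification(server: DtlsServer) -> float:
    """Attacker sends one ClientHello with VICTIM as its source address.

    Whatever the server answers is delivered to VICTIM.  The attacker never
    sees a HelloVerifyRequest addressed to the victim, so it cannot echo the
    cookie.  Returns bytes delivered to the victim per byte the attacker sent.
    """
    reply = server.receive(VICTIM, CLIENT_HELLO)
    return len(reply) / len(CLIENT_HELLO)


def legitimate_handshake(server: DtlsServer) -> bool:
    """A real client at CLIENT echoes the cookie it received and gets the flight."""
    reply = server.receive(CLIENT, CLIENT_HELLO)
    if reply == SERVER_FLIGHT:
        return True                                    # exchange disabled, no round trip needed
    _, _, cookie = reply.partition(COOKIE_TAG)
    return server.receive(CLIENT, CLIENT_HELLO + COOKIE_TAG + cookie) == SERVER_FLIGHT


def stolen_cookie_rejected(server: DtlsServer) -> bool:
    """A cookie minted for CLIENT must not unlock the flight when presented from VICTIM."""
    reply = server.receive(CLIENT, CLIENT_HELLO)
    _, _, cookie = reply.partition(COOKIE_TAG)
    return server.receive(VICTIM, CLIENT_HELLO + COOKIE_TAG + cookie) != SERVER_FLIGHT


if __name__ == "__main__":
    for label, srv in (("cookie exchange off", DtlsServer(False)), ("cookie exchange on", DtlsServer(True))):
        print(f"{label}: {spoofed_amplification(srv):.1f}x to victim, "
              f"legit handshake {legitimate_handshake(srv)}, "
              f"stolen cookie rejected {stolen_cookie_rejected(srv)}")
```

With the exchange on, a spoofed source costs the server only a cookie-sized reply, so the amplification factor drops below one; with it off, the whole certificate-bearing flight goes to the victim. The RFC recommends the exchange rather than mandating it, which is how a device can be spec-compliant and still amplify, and why the vendor fix was a default change rather than a protocol change.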


Tags: DDoS D/TLS