Great Firewall Ready to Unleash ‘Gigantic’ DDoS—so are Other Middleboxes - Security Boulevard

Great Firewall Ready to Unleash ‘Gigantic’ DDoS—so are Other Middleboxes

Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. They’ve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).

You’ll be pleased to know the researchers haven’t wasted their time dreaming up a fancy name or a logo. On the other hand, they’re far from hopeful that the problems can be fixed.

Nation-states would have to fix their firewalls, which ain’t gonna happen. In today’s SB Blogwatch, this is why we can’t have nice things.

Your humble blogwatcher curated these bloggy bits for your entertainment.

‘Infinite’ Amplification Ahoy

What’s the craic? Catalin Cimpanu reports—“Firewalls and middleboxes can be weaponized for gigantic DDoS attacks”:

Weaponizing this attack is relatively simple
Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. … The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Reflective amplification … happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker. … The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of … DDoS.

The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. … If the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect. … Weaponizing this attack is relatively simple.

But who might weaponize it? Emma Woollacott calls it a “Nation-state threat”:

Highly unlikely scenario
A new type of … DDoS attack could allow nation-state actors to censor internet access and target any website by abusing middleboxes. A team from the University of Maryland and the University of Colorado Boulder used an artificial intelligence algorithm to reveal the technique.

Most nation-state censorship infrastructure can currently be exploited in this way, along with many off-the-shelf commercial firewalls. … Last September, the researchers privately shared their findings with a number of national computer emergency readiness teams (CERTs), DDoS mitigation services, and firewall manufacturers. However … fixing the problem would … require nations to weaken their censorship infrastructure — a highly unlikely scenario.

Horse’s mouths? Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow and Dave Levin paper over the cracks—“Weaponizing Middleboxes for TCP Reflected Amplification”:

Technically infinite
We found multiple types of middlebox misconfiguration in the wild that can lead to technically infinite amplification for the attacker: By sending a single packet, the attacker can initiate an endless stream of packets to the victim. … Censorship infrastructure poses a greater threat to the broader Internet than previously understood. Even benign deployments of firewalls and intrusion prevention systems in non-censoring nation-states can be weaponized.

We scanned the entire IPv4 Internet a total of 35 times [and] found hundreds of thousands of IP addresses that exceeded amplification factors from DNS and NTP, and hundreds that offered amplification factors [that are] technically infinite. … We found amplifiers that, once triggered by a single packet sequence from the attacker, will send an endless stream of packets to the victim. In our testing, some of these packet streams lasted for days.

Unfortunately, there is only so much we can do. Completely fixing this problem will require countries to invest money in changes that could weaken their censorship infrastructure, something we believe is unlikely.

ELI5? raymorris obliges:

Using up all his bandwidth
Normally you can’t spoof IP addresses with TCP (things like web sites) because starting a connection requires exchanging greetings. The great firewall of China and some other [middleboxes] don’t confirm to the spec.

You can say to the Great Firewall of China, “This is Bob, please send me [pr0n],” and the GFW will send a block page to Bob — even though Bob never said hello. Do that 10 million times and the GFW will send ten million copies the of the block page to Bob, using up all his bandwidth.

What’s all this about artificial intelligence? One of the researchers, Dave Levin—u/dml-at-umd—is glad you asked:

Breaking firewalls
Glad you asked! This arose from one of our other ongoing projects, Geneva: a genetic algorithm that trains against nation-state censors to automatically learn how to evade censorship … (censorship.ai). During this work, we noticed that we would send small amounts of data through censoring firewalls but sometimes get large responses. This led us to the idea of re-tooling Geneva to find amplification attacks.

This isn’t something that can just be patched away. The middleboxes are (for the most part) not acting buggy; rather, they are doing what they are designed to do. The problem is the design itself: they assume (largely out of necessity) that they might not have seen packets that end-hosts sent, and so if their state doesn’t match what they’re seeing (e.g., if they didn’t see the TCP three-way handshake), they’ll often assume they just failed to see it, and act as if it was there all along. Turning this off risks breaking firewalls that miss packets due, e.g., to asymmetric routes.

So the design is buggy? gweihir has been there, done that:

Stay tuned
If you want to inject traffic into a TCP connection in a stateless manner, you are just asking for trouble. That is about the worst thing you can do. And look, trouble found them. … There is a reason why anybody with a minimal clue uses a proxy when they want to transform traffic data.

They probably did not understand what they were doing _and_ tried to do it on the cheap in addition. They created a big mess as a result, which really is no surprise.

The way to do this is to have a load-balancer in front that can handle the traffic (which you need anyways) and then have a proxy-farm for the individual connections. Not that hard to get right, but you need to do it and invest the effort and money. Incidentally, they probably already have that set-up anyways and just failed on the proxy design side.

What they did instead of doing it right was to try a cheap hack and that backfired spectacularly, as expected. … That is a pretty serious fail. This mess also comes with a pretty bad reputation risk: Some people will try reflector attacks not to damage the target but to damage China’s reputation. Stay tuned.

Sounds like swords into plowshares. u/pixl_graphix has this evil suggestion:

Flooding the infrastructure
This might be an interesting way to get the middleware to attack itself, taking down the censoring platform. If you know the IP/hostname of multiple [middleboxes] you could pit said middleware against itself, flooding the infrastructure.

And jeroenhd thinks a step further:

Do some serious damage
I’m kind of wondering what would happen if you’d set up an attack that uses the infinite attack amplification vulnerability between two censorship regimes. Basically, have the Great Chinese firewall DDoS the Iranian censorship system. You could probably do some serious damage by saturating the links between the two countries!

Meanwhile, u/Semi-Hemi-Demigod/ is one eighth of a deity:

I guess John Gilmore was right when he said “The Internet considers censorship damage.”

And Finally:

The USENIX paper presentation

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Chastagner Thierry (via Unsplash)

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 274 posts and counting.See all posts by richi