Understanding the Threat of TCP Amplification in DDoS Attacks

Distributed Denial of Service (DDoS) attacks are a particularly annoying type of attack since they can cause damage to a target system without the victim having done anything “wrong”. Unlike many types of cyberattacks, which can be traced back to the failure to apply a patch for a known vulnerability or human employees falling for a phishing attack, the only things that a DDoS victim does to make itself vulnerable to attack are having a web presence and failing to deploy a DDoS protection solution.

DDoS attackers are constantly working to evolve their attacks to slip past the protections that organizations deploy on their networks. A recent development in DDoS attacks is the use of TCP reflection attacks as a DDoS amplifier.

DDoS and Amplifiers

A DDoS is a relatively unsophisticated method of taking down a program or service. The attacker identifies a bottleneck in the system’s processing and performs enough requests or actions that the capacity of that bottleneck is exceeded. The end result is that the system is so busy dealing with malicious requests that it has no bandwidth for responding to legitimate ones, rendering it inaccessible for legitimate users.

The most common bottleneck that DDoS attackers try to exploit is the system’s ability to receive and respond to connections over the network. A system’s networking capacity is limited in a number of different ways, including the bandwidth of its Internet connection, the maximum number of concurrent connections that a system can maintain, and the amount of data that the system can process.

This capacity boils down to the amount of data that the system can process per second, meaning that an attacker can either use packet size or packet quantity to push the target system over the edge. Achieving a high quantity of attack packets is easy with DDoS botnets. The advent of cloud computing and the introduction of a massive number of insecure Internet of Things (IoT) devices onto the Internet make generating large volumes of malicious packets easy.

To achieve high packet sizes, DDoS attackers commonly use DDoS amplifiers. These amplifiers are services where the attacker can send a request to the service while spoofing their IP address to that of their target. Since the request looks legitimate, the service responds, sending a larger response to the target system. The use of DDoS amplifiers allows attackers to generate DDoS attack traffic volumes far in excess of what the systems under their control can produce.

Abusing TCP for Amplification

A variety of different DDoS amplifiers exist with a range of different amplification factors. Recently, DDoS attackers have been observed using a new type of amplification attack that takes advantage of how TCP, an underlying protocol of the Internet, works. TCP is the protocol that many types of Internet traffic, like web traffic, use “under the hood”. It’s designed to provide high reliability and other guarantees to the service using it.

Part of providing these guarantees requires a computer initiating a TCP session to set up a connection with the intended recipient. This requires completing the TCP handshake, which begins with a synchronization (SYN) packet indicating a desire to connect. The recipient sends a SYN/ACK packet that acknowledges the attempt to connect and tries to synchronize as well, and finally the original sender then sends a packet acknowledging (ACK) this. At this point, the connection is established.

In TCP reflection attacks, a DDoS attacker sends a TCP SYN packet to a variety of different systems while spoofing its IP address to that of the victim. All of the recipients will reply with a SYN/ACK packet, which the victim will receive but will not answer with an ACK packet. However, the SYN recipients will keep trying and can be manipulated into sending over 5,000 SYN/ACK packets per minute. This amplifies the attacker’s traffic volume by 80,000x.

However, the impacts of the TCP reflection DDoS attacks are not limited to overwhelming the target’s network capacity. Performing a SYN flood (i.e. sending SYN packets to a bunch of different IP addresses) is considered malicious behavior, and the attacker has done so while pretending to be the victim. In many cases, the victim was blacklisted by network operators, which only exacerbates the impact of the DDoS attack.

Protecting Against DDoS

Using TCP reflection for a DDoS amplification attack is not a new idea. However, it was previously believed that most systems would only attempt a maximum of five retransmissions. The discovery that many systems would actually perform thousands of retransmissions per second was crucial to the success of using TCP reflection as an effective DDoS amplifier.

The impacts of this attack are significant. The intended target of the attack is sent an overwhelming amount of attack traffic and may be blacklisted by network operators; however, they are not the only victim. The systems used as TCP reflectors also experience a lower-level DDoS attack due to them sending thousands of retransmissions of their SYN/ACK packet to the target system.

Defending against this type of DDoS attack requires effort by both the victims and the systems used as TCP reflectors. Since the attack traffic does not look like legitimate traffic, deploying a DDoS protection system can be effective for protecting against it. However, the attack can have wide-reaching impacts beyond the intended target. Systems that can be used as DDoS reflectors should be configured to block inbound SYN packets (unless they are a webserver or similar public-facing system) and to limit their number of SYN/ACK retransmissions.
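One way a victim-side sensor can separate reflected traffic from real handshakes, as an added example that is not part of the original article: it flags SYN/ACKs that answer no SYN the host ever sent. The `Pkt` record layout, the addresses (documentation ranges), the threshold and the match window are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):          # hypothetical record, e.g. parsed from a capture
    ts: float                   # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK

def unsolicited_synacks(packets, local_ip, match_window=60.0, threshold=3):
    """Count SYN/ACKs reaching local_ip that answer no SYN it sent.

    Returns {source_ip: count} for sources at or above `threshold`.
    """
    sent_syn = {}               # (remote ip, remote port, local port) -> send time
    hits = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == local_ip and p.flags == "S":
            sent_syn[(p.dst, p.dport, p.sport)] = p.ts
        elif p.dst == local_ip and p.flags == "SA":
            t = sent_syn.get((p.src, p.sport, p.dport))
            # A retransmitted SYN/ACK for a real handshake still matches here.
            if t is None or p.ts - t > match_window:
                hits[p.src] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

VICTIM = "203.0.113.10"         # constructed sample data, not real traffic
SAMPLE = [
    # Legitimate outbound connection: SYN, SYN/ACK, ACK
    Pkt(0.00, VICTIM, 40000, "198.51.100.5", 443, "S"),
    Pkt(0.05, "198.51.100.5", 443, VICTIM, 40000, "SA"),
    Pkt(0.06, VICTIM, 40000, "198.51.100.5", 443, "A"),
    # Reflector retransmitting toward a port the victim never opened
    Pkt(1.0, "192.0.2.1", 80, VICTIM, 12345, "SA"),
    Pkt(2.0, "192.0.2.1", 80, VICTIM, 12345, "SA"),
    Pkt(4.0, "192.0.2.1", 80, VICTIM, 12345, "SA"),
    Pkt(8.0, "192.0.2.1", 80, VICTIM, 12345, "SA"),
    # Second source, below the default threshold
    Pkt(1.5, "192.0.2.2", 443, VICTIM, 23456, "SA"),
    Pkt(2.5, "192.0.2.2", 443, VICTIM, 23456, "SA"),
]

if __name__ == "__main__":
    for ip, n in unsolicited_synacks(SAMPLE, VICTIM).items():
        print(f"{ip}: {n} unsolicited SYN/ACKs")
```

The same per-source count, taken on the reflector side for outbound SYN/ACKs that never receive an ACK, shows whether a host is being used as a reflector.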
