Cybersecurity researchers have identified an alarming new trend in DDoS attacks: abusing packet inspection and content filtering devices to achieve amplification levels of up to 6533%. With this level of amplification, attackers can launch catastrophic attacks with limited bandwidth and hardware.
According to security researchers from Akamai, the new method of conducting DDoS attacks is called TCP Middlebox Reflection. It was first described in August 2021.
A middlebox is a network device that performs packet inspection or content filtering by monitoring, filtering and transforming the packet streams exchanged between two Internet hosts. Middleboxes process not only packet headers but also packet contents, so they are used in deep packet inspection (DPI) systems.
The idea is to abuse vulnerable firewalls and content filtering policy enforcement systems in middleboxes with a specially crafted sequence of TCP packets.
According to Akamai analysts, a single SYN packet with a 33-byte payload triggered a 2156-byte response, an amplification factor of about 65.
Each reflection adds another amplification step, so the response size can quickly get out of control, and these attacks can outperform even well-established UDP reflection vectors in efficiency.
Akamai has documented TCP Middlebox Reflection attacks in real-world campaigns targeting banking services, travel companies, video games, media, and web hosting service providers.
As protective measures, Akamai recommends:
- Treat all SYN packets with a payload longer than 0 bytes as suspicious.
- Implement SYN challenges to sabotage the handshake and discard malicious data streams before they reach applications and servers.
- Use a combination of anti-spoofing and emergency protection modules.
- Add firewall ACLs (rules) to drop SYN packets longer than 100 bytes.
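The following is an added example (not Akamai's code, and not part of the original article) that turns the two size-based recommendations above into detection logic and checks the amplification arithmetic from the 33-byte/2156-byte observation. It builds a few constructed IPv4+TCP packets inline (TEST-NET addresses, dummy payloads, checksums left zero), parses them, and classifies SYN-only packets as `allow`, `suspicious` (any payload) or `drop` (payload over 100 bytes). The thresholds `SUSPICIOUS_PAYLOAD` and `DROP_PAYLOAD` and all function names are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10

# Thresholds taken from the recommendations above (assumed names for this example).
SUSPICIOUS_PAYLOAD = 0   # any SYN carrying data is suspicious
DROP_PAYLOAD = 100       # ACL drop threshold in bytes


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet. Constructed test data: checksums are zero."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (5 << 4), flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(src), bytes(dst))
    return ip_hdr + tcp_hdr + payload


@dataclass
class TcpSummary:
    src: str
    dst: str
    dport: int
    flags: int
    payload_len: int


def parse_ipv4_tcp(pkt: bytes):
    """Extract addresses, TCP flags and payload length; returns None for non-TCP."""
    if pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return TcpSummary(src, dst, dport, flags, len(tcp) - data_off)


def classify(s: TcpSummary) -> str:
    """Apply the size-based policy only to SYN-only packets (not SYN-ACK replies)."""
    syn_only = s.flags & TCP_SYN and not s.flags & TCP_ACK
    if not syn_only:
        return "allow"
    if s.payload_len > DROP_PAYLOAD:
        return "drop"
    if s.payload_len > SUSPICIOUS_PAYLOAD:
        return "suspicious"
    return "allow"


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes returned per byte sent, e.g. 2156 / 33 as reported by Akamai."""
    return response_bytes / request_bytes


def scan(packets):
    """Return (src, dport, payload_len, verdict) for every TCP packet."""
    results = []
    for pkt in packets:
        s = parse_ipv4_tcp(pkt)
        if s is not None:
            results.append((s.src, s.dport, s.payload_len, classify(s)))
    return results


# Constructed sample traffic (documentation addresses, dummy payload bytes).
SRC = (198, 51, 100, 7)
MIDDLEBOX = (203, 0, 113, 9)
SAMPLE_PACKETS = [
    build_ipv4_tcp(SRC, MIDDLEBOX, 40000, 80, TCP_SYN),                 # ordinary SYN
    build_ipv4_tcp(SRC, MIDDLEBOX, 40001, 80, TCP_SYN, b"A" * 33),      # SYN with 33-byte payload
    build_ipv4_tcp(SRC, MIDDLEBOX, 40002, 80, TCP_SYN, b"B" * 120),     # SYN over the ACL limit
    build_ipv4_tcp(MIDDLEBOX, SRC, 80, 40000, TCP_SYN | TCP_ACK),       # handshake reply, not SYN-only
]

if __name__ == "__main__":
    for src, dport, plen, verdict in scan(SAMPLE_PACKETS):
        print(f"{src} -> :{dport} payload={plen:3d}B verdict={verdict}")
    print(f"amplification: {amplification_factor(33, 2156) * 100:.0f}%")
```

A SYN with any payload is legal TCP (TCP Fast Open uses it), which is why the first threshold only marks packets as suspicious while the 100-byte threshold drops them; the SYN-ACK case shows the policy must key on SYN-only packets so that legitimate handshake replies are not affected.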