New DDoS Attack Technique Targets Vulnerable ‘Middleboxes’

Akamai has published new findings on a DDoS attack where abusers target vulnerable ‘middleboxes’ such as firewalls, by sending packets to a server that replies with a larger packet size, which is then forwarded to the attackers’ intended target. In the blogpost, Akamai stresses the concern of this new type of attack method:

“Middlebox DDoS amplification is an entirely new type of TCP reflection/amplification attack that is a risk to the internet. This is the first time we’ve observed this technique in the wild,” it says in a blogpost

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“While XDR has been discussed as the next step in detection, response and the prevention of a successful threat, the reality is that these solutions are too endpoint-centric and require agents on assets for any hope of determining an attack. While, the endpoint (EDR) solutions are a critical piece of telemetry, true visibility comes from being able to ingest, correlate and properly analyze all sorts of telemetry including endpoint and network security information, network traffic, netflow, (business) applications, and asset telemetry, both known and unknown or proprietary across the hybrid-cloud enterprise. This is a perfect example of where the right next generation SIEM, not traditional SIEM, can then take all of this telemetry, apply a wealth of analytics, behavioral science and machine learning models to identify this attack early and even provide automated response to limit the scope of the DDOS attack.” 

Since this is a new technique, it means that companies have to have their defences in order. Thus it would make sense for businesses to read this blog post and make their plans accordingly.

UPDATE: Dr. Saumitra Das, CTO and Co-Founder, Blue Hexagon:

“This is a very interesting attack that essentially and ironically exploits a feature that was intended for security to cause amplification and lead to DDoS. The middle boxes were supposed to redirect users away from blocked content, but that functionality is now being used to essentially turn them into bots for overwhelming a spoofed sender. Since these middle boxes are so widely deployed this can be a significant issue.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: