- Arbor Networks - DDoS Experts
HTTP Reflection/Amplification via Abusable Internet Censorship Systems
ASERT Threat Summary
Date/Time: 20 August 2021 2100 UTC
Distribution: TLP: WHITE
Contributors: Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, Dave Levin, Chris Conrad, Jon Belanger, John Kristoff, Hardik Modi, Tom Bienkowski, Sharon Reynolds, Bill Cerveny.
In August 2021, a joint team of researchers uncovered a distributed denial-of-service (DDoS) attack vector which abuses middlebox systems for HTTP reflection/amplification. This attack vector leverages abusable censorship systems to significantly amplify DDoS attack traffic. Further, where these systems sit within a routing loop in the networks where they reside, the attack initiator traffic is recirculated indefinitely, and amplification factors as high as 700,000:1 have been observed. The resultant flood of traffic can be extremely detrimental to any network. This threat summary provides guidance and recommendations to minimize the impact of these threats.
- Researchers uncovered a new HTTP reflection/amplification vector that abuses censorship systems that are often deployed countrywide to eliminate unwanted traffic to undesirable websites.
- Amplification factors range from as little as 1:1 to as much as 700,000:1; where abusable systems sit within routing loops, the endlessly recirculated traffic turns them into effectively infinite amplifiers.
- Tens of millions of these devices are exposed and vulnerable to abuse from adversaries, and approximately 18 million of these provide at least a 2:1 amplification factor. This results in one of the most prolific types of reflectors/amplifiers available to adversaries.
In August of 2021, a joint team of security researchers from the University of Maryland and the University of Colorado Boulder presented a research paper at the 30th USENIX Security Symposium. The paper detailed their discovery of a methodology for abusing large-scale internet censorship systems to generate HTTP reflection/amplification attacks with amplification ratios ranging from 1:1 to 700,000:1. They further discovered a population of what are essentially infinite repeating amplifiers caused by the placement of abusable censorship systems within the ambit of routing loops. Once stimulated to do so, these reflectors/amplifiers can produce continuous streams of packets directed towards the targeted IP address(es) until a packet drop or similar interruption of the looped traffic halts the amplification cycle.
Affected censorship systems can be abused to launch high-impact HTTP reflection/amplification attacks due to the following factors:
- A desire on the part of the designers of such systems to scale their performance and function in asymmetrical-routing scenarios by unwisely foregoing the requirement for a full TCP handshake prior to responding to requests for a URI on the censorship systems’ deny-lists.
- Configuring and deploying abusable systems such that they will intercept and respond to inbound spoofed, crafted attack initiator packets on their northbound interfaces, rather than intercepting and processing outbound traffic solely on their southbound interfaces.
- The siting of some abusable systems within the ambit of routing loops, thus converting them into what are effectively infinite repeating reflectors/amplifiers.
The internet censorship systems in question are misconfigured such that they will respond with relatively ‘heavy’ HTML block notification pages not only to requests for denied URIs received on their southbound interfaces (i.e., originated by the user population whose web browsing is to be censored), but also to requests arriving on their northbound (i.e., towards the general Internet, outside of their intended coverage cone) interfaces. These factors, combined with the above-mentioned lack of enforcement regarding TCP three-way handshakes, ensure that attackers can spoof the IP addresses of their targets, selecting both the source and destination ports of their choice, in order to launch high-pps/-bps HTTP reflection/amplification attacks.
These systems are operated at large scale by nation-states and by some broadband access ISPs, the latter in the form of paid ‘safe browsing’ subscription services offered to their customers. Many enterprises, governmental organizations, educational institutions, etc. operate such systems on a smaller scale. In many cases, they listen for incoming TCP packets across the entire 64K range of TCP source and destination ports.
These suboptimal design and implementation decisions allow spoofed requests for denied FQDNs and/or URIs to be synthesized by attackers in much the same way as other well-known reflection/amplification DDoS vectors, resulting in amplified HTTP responses being directed towards the intended target(s) of the attack.
Because attackers can select both the source and destination ports of the spoofed attack initiator traffic, they can dictate the source and destination TCP ports of the amplified attack traffic directed towards attack targets. Skilled attackers are likely to choose source and destination ports intended to allow the amplified attack traffic to conform to common network access control policies, thus masquerading the attack traffic so that at first glance, it appears to be legitimate in the context of targeted applications, services, and infrastructure.
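The two defensive consequences of the mechanism described above (responses emitted without a completed three-way handshake, and reflected traffic arriving on whatever ports the attacker chose) both come down to one check: does a TCP segment carrying an HTTP payload belong to a connection whose handshake was actually observed? The following is an added example written for this summary, not code from ASERT, NETSCOUT, or the researchers' ZMap fork. It tracks handshakes per flow from constructed packet records and applies the check from both sides: a filtering middlebox that only acts on requests from established flows cannot be triggered by a single spoofed segment, and a target network can flag inbound HTTP responses on connections its hosts never opened, regardless of source or destination port. All addresses, ports and payloads are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# TCP flag bits as they appear in the header's flags field.
SYN, ACK, PSH = 0x02, 0x10, 0x08

FlowKey = Tuple[str, int, str, int]  # (initiator, iport, responder, rport)


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment (constructed records, not a capture format)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

    def fwd(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport)

    def rev(self) -> FlowKey:
        return (self.dst, self.dport, self.src, self.sport)


class HandshakeTracker:
    """Records which flows completed SYN -> SYN/ACK -> ACK, keyed from the initiator's side."""

    def __init__(self) -> None:
        self.syn: Set[FlowKey] = set()
        self.synack: Set[FlowKey] = set()
        self.established: Set[FlowKey] = set()

    def observe(self, seg: Segment) -> None:
        if seg.flags & SYN and not seg.flags & ACK:
            self.syn.add(seg.fwd())                 # initiator opens the flow
        elif seg.flags & SYN and seg.flags & ACK:
            if seg.rev() in self.syn:               # responder answers a SYN we saw
                self.synack.add(seg.rev())
        elif seg.flags & ACK and seg.fwd() in self.synack:
            self.established.add(seg.fwd())         # initiator's ACK completes the handshake

    def is_established(self, seg: Segment) -> bool:
        return seg.fwd() in self.established or seg.rev() in self.established


HTTP_RE = re.compile(
    rb"^(?:HTTP/1\.[01] \d{3}|(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01])"
)


def looks_like_http(payload: bytes) -> bool:
    return bool(HTTP_RE.match(payload))


def is_http_response(payload: bytes) -> bool:
    return payload.startswith(b"HTTP/1.")


def middlebox_should_inspect(tracker: HandshakeTracker, seg: Segment) -> bool:
    """Middlebox-side rule: act on an HTTP request only if its flow completed a handshake."""
    return looks_like_http(seg.payload) and tracker.is_established(seg)


def unsolicited_http_responses(segments: Iterable[Segment], local_hosts: Set[str]) -> List[Segment]:
    """Target-side rule: HTTP responses to our hosts on flows we never opened, any ports."""
    tracker = HandshakeTracker()
    flagged: List[Segment] = []
    for seg in segments:
        tracker.observe(seg)
        if (seg.dst in local_hosts
                and is_http_response(seg.payload)
                and not tracker.is_established(seg)):
            flagged.append(seg)
    return flagged


# Constructed sample: one legitimate browsing flow, then one reflected block page that
# uses web-looking ports (80 -> 443) but was never preceded by a handshake.
CLIENT, SERVER, REFLECTOR = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SAMPLE = [
    Segment(CLIENT, 51000, SERVER, 80, SYN),
    Segment(SERVER, 80, CLIENT, 51000, SYN | ACK),
    Segment(CLIENT, 51000, SERVER, 80, ACK),
    Segment(CLIENT, 51000, SERVER, 80, ACK | PSH, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 51000, ACK | PSH, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    Segment(REFLECTOR, 80, CLIENT, 443, ACK | PSH,
            b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>blocked</html>"),
]


def middlebox_decisions() -> Tuple[bool, bool]:
    """(decision for the handshaken request, decision for a handshake-less request)."""
    tracker = HandshakeTracker()
    for seg in SAMPLE[:3]:
        tracker.observe(seg)
    spoofed = Segment("192.0.2.9", 443, SERVER, 80, ACK | PSH,
                      b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")
    return middlebox_should_inspect(tracker, SAMPLE[3]), middlebox_should_inspect(tracker, spoofed)


if __name__ == "__main__":
    print("middlebox acts on (legit, spoofed):", middlebox_decisions())
    for s in unsolicited_http_responses(SAMPLE, {CLIENT}):
        print(f"unsolicited HTTP response {s.src}:{s.sport} -> {s.dst}:{s.dport}")
```

The target-side rule deliberately ignores port numbers, which is the point: because the reflected segments carry whatever source and destination ports the attacker selected, a port-based ACL cannot separate them from real web traffic, while connection state can. In a production IDMS or stateful filter the same logic would be applied to live flow state rather than a list of records, and the middlebox-side rule is the configuration change that removes the vector at its source.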
As of this writing, attacks using this methodology have yet to be observed in the wild. Based upon observed amplification factors attained during testing, it appears that using this attack methodology to generate HTTP reflection/amplification attacks ranging from tens of gigabits/sec into the terabit/sec range may be feasible.
The researchers who discovered this attack methodology estimate that ~200 million IP addresses can potentially be abused to launch attacks of this nature, due to the wide coverage cones of abusable Internet censorship systems operated by nation-states, enterprises, governmental departments, educational institutions, etc. Approximately 18 million of these IP addresses provide an amplification ratio of 2:1 or greater; some abusable systems can provide amplification ratios of up to ~700,000:1. Others provide effectively infinite amplification due to their siting within the ambit of routing loops, which result in attack initiator packets being endlessly recirculated through the censorship systems, continuously stimulating the generation of amplified attack packets until a dropped packet or other intervening event interrupts the packet-recirculation cycle.
High-bandwidth and/or -throughput DDoS attacks can congest peering, transit, core, distribution, and access links, disrupting bystander Internet traffic along with legitimate traffic destined for the intended target. Shared networking, computing, storage, and ancillary supporting infrastructure can be negatively impacted. These factors can result in significant collateral damage footprints from high-volume attacks.
The collateral impact of HTTP reflection/amplification attacks can be significant for operators of abusable internet censorship systems leveraged to launch these attacks. Significant network traffic inspection performance degradation, along with bandwidth (bps) and throughput (pps) consumption, may occur. Analysis of log files and other forms of telemetry may be rendered infeasible due to large influxes of attack initiator traffic and effluxes of amplified attack traffic. Legitimate network traffic sourced from networks within the coverage cone of abused censorship systems can be negatively impacted under such circumstances.
Failure to remove or remediate Internet censorship systems that are abused to launch HTTP reflection/amplification DDoS attacks can lead to affected network operators filtering all network traffic originating from networks where such systems are deployed.
Unintentional overblocking of legitimate network traffic can occur when insufficiently granular mitigation methods are employed. Such overblocking must be evaluated in the light of actions necessary to bring about partial service recovery of targeted servers/applications/services/networks.
Collateral impact to abusable Internet censorship systems can motivate network operators and/or end-customers to remove or remediate affected systems.
HTTP reflection/amplification DDoS attack traffic can be mitigated via the implementation of industry-standard best current practices (BCPs) such as situationally-appropriate network access control policies, network infrastructure-based reaction mechanisms such as flowspec, and intelligent DDoS mitigation systems (IDMSes) such as NETSCOUT Arbor Sightline/TMS and AED/APS. In the context of this specific attack vector, the use of IDMSes such as Sightline TMS or AED/APS is preferred in order to allow for more granular attack traffic mitigation.
Network operators should perform reconnaissance to identify and remove or remediate abusable Internet censorship systems deployed on their networks and/or the networks of their customers. The security researchers who discovered this attack methodology have published a bespoke fork of the ZMap scanning software, along with an accompanying module, which can be used to identify abusable systems.
Organizations with business-critical public-facing internet properties should implement all relevant network infrastructure, architectural, and operational Best Current Practices (BCPs), including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Deconflation of internet traffic associated with internet servers/services/applications from internet traffic generated by users on access networks is strongly recommended. Likewise, traffic originated by internet-facing servers that is unrelated to serving incoming requests (DNS lookups, outbound file transfers, etc.) should be sourced from separate interfaces and IP addresses from those used to service incoming application-/service-related traffic.
Implement situationally appropriate DDoS defenses for all public-facing internet properties and supporting infrastructure, including regular testing to ensure that any changes to the organization's servers, services, and applications are incorporated into the DDoS defense plan. Combine organic, on-site intelligent DDoS mitigation capabilities with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organizations operating mission-critical public-facing Internet properties and/or infrastructure ensure that all servers, services, applications, datastores, and infrastructure elements are protected against DDoS attack and included in periodic, realistic tests of the organization's DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.
If deemed necessary, flowspec can potentially be used in some circumstances to mitigate HTTP reflection/amplification attacks, but it is important to ensure that reaction access-control list (ACL) stanzas are configured in such a way to minimize the risk of overblocking. In the context of this specific attack vector, the use of IDMSes such as Sightline TMS or AED/APS is preferred in order to allow for more granular attack traffic mitigation.
Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regard to optimal countermeasure selection and employment.
ASERT Threat Summary: HTTP Reflection/Amplification via Abusable Internet Censorship Systems, Mitigation Recommendations - v1.0