Throughout 2019, Radware’s Threat Research Center (TRC) and Emergency Response Team (ERT) have been monitoring and defending against an increasing number of TCP reflection attacks.
Read the Complete Alert
Abstract
Throughout 2019, Radware’s Threat Research Center (TRC) and Emergency Response Team (ERT) have been monitoring and defending against an increasing number of TCP reflection attacks.
TCP reflection attacks, such as SYN-ACK refection attacks, have been less popular among attackers until recently. The lack of popularity was mainly due to the wrong assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link. Instead, TCP attacks are leveraged to generate high packet rates (increased volumes of Packets Per Second - PPS) that require large amounts of resources from network devices to process the traffic and cause outages.
Over the last two years, there has been a steady growth in attackers leveraging TCP reflection attacks. In a TCP SYN-ACK reflection attack, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a wide range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. While your typical three-way handshake might assume for a single SYN-ACK packet to be delivered to the victim, when the victim does not respond with the last ACK packet the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification.
The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which is typically governed by a configurable parameter. The default setting for Linux systems (net.ipv4.tcp_synack_retries kernel variable) is five while the documentation advises against settings higher than 255. Independent research [1] in the behavior of a multitude of systems and devices on the internet exposed more than 4.8 million devices vulnerable to an average amplification factor of 112x and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x, respectively, reflect more than 5,000 packets within 60 seconds, causing a serious impact on a victim’s network.
While there are different motivations and objectives behind these attack campaigns, there is a noticeably higher rate of collateral damage among the reflectors compared to UDP amplification attack campaigns, as recently demonstrated during attacks in Turkey, Italy and South Korea. Not only do the targeted victims, who are often large and well protected corporations, have to deal with floods of TCP traffic, but randomly selected reflectors ranging from smaller businesses to homeowners, have to process the spoofed requests and potential legitimate replies from the target of the attack. Those that are not prepared for these kinds of spikes in traffic suffer from secondary outages, with SYN floods one of the perceived side-effects by the collateral victims.