DDoS hackers use new exploit with ‘record-breaking’ amplification

10 Mar 2022


Researchers also detected a new vector for DDoS attacks that can send an ‘endless stream of packets’ to a victim through middleboxes.

Distributed denial-of-service (DDoS) attackers are using a new attack vector that provides a record-breaking amplification ratio of nearly 4.3bn to one, according to an Akamai report.

The cybersecurity company said it detected attacks using this method aimed at broadband access internet service providers, financial institutions, logistics companies and other organisations.

A DDoS attack is an attempt to make an online service unavailable by overwhelming it with high volumes of data from multiple sources. With a higher amplification ratio, it becomes easier for attackers to overwhelm systems and they could launch a high-impact DDoS attack using fewer packets.

Akamai said security researchers, network operators and security vendors noticed a spike in DDoS attacks stemming from a specific port last month.

“Upon further investigation, it was determined that the devices abused to launch these attacks are MiCollab and MiVoice Business Express collaboration systems produced by Mitel, which incorporate TP-240 VoIP-processing interface cards and supporting software,” Akamai said in its report on 8 March.

Akamai believes that around 2,600 exposed Mitel devices were “incorrectly provisioned” and vulnerable to these attacks.

“Attackers were actively leveraging these systems to launch reflection/amplification DDoS attacks of more than 53m packets per second,” Akamai said.

The company added that Mitel is aware of this issue and has released a software patch.

A new DDoS attack vector

In another recent report, Akamai said its researchers detected multiple DDoS attack campaigns on its customers that included high volumes of traffic of “up to 11Gbps at 1.5m packets per second”. After examining the packets, Akamai said these attackers are using a new technique called TCP Middlebox Reflection.

A middlebox is an in-network device that sits on the path between two communicating end hosts and can monitor, filter or transform packet streams.

These have various uses and are deployed by countries such as China and large organisations to censor content and block specific sites, Ars Technica reported.

The method of using middleboxes as a DDoS attack vector was investigated by researchers from the University of Maryland and the University of Colorado Boulder last August. Their research found that attackers can use this method to create “technically infinite amplification” from a single packet of data, leading to an “endless stream of packets” being sent to the victim.

The researchers said these attacks can produce “orders of magnitude more amplification” than existing attacks based on the User Datagram Protocol (UDP).
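As an added example (not code from the Akamai or university reports), the following Python detector scores bidirectional flow summaries, taken from the reflector's own network, by amplification ratio and separately flags the single-packet-in, sustained-stream-out pattern the middlebox research describes. The Flow layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Flow:
    """Bidirectional flow summary as seen from the reflector side (assumed layout)."""
    reflector: str   # host on our network that answered
    victim: str      # address the answers were sent to (spoofed source of the requests)
    proto: str       # "tcp" or "udp"
    pkts_in: int     # packets the reflector received
    bytes_in: int
    pkts_out: int    # packets the reflector emitted toward the victim
    bytes_out: int

def amplification_ratio(flow: Flow) -> float:
    """Bytes emitted per byte received: the figure vendors quote as 'X to one'."""
    return flow.bytes_out / max(flow.bytes_in, 1)

def classify(flow: Flow, byte_ratio: float = 100.0, stream_pkts: int = 1000) -> Optional[str]:
    """Label flows that look like reflection abuse, else return None.
    Thresholds are assumptions chosen for the constructed data, not published values."""
    if flow.proto == "tcp" and flow.pkts_in <= 3 and flow.pkts_out >= stream_pkts:
        # One or a few packets in, a sustained stream out: the 'endless stream'
        # behaviour described for TCP middlebox reflection.
        return "tcp-middlebox-stream"
    if amplification_ratio(flow) >= byte_ratio:
        return "udp-reflection" if flow.proto == "udp" else "tcp-reflection"
    return None

def find_reflectors(flows: List[Flow]) -> Dict[str, List[Tuple[str, str, float]]]:
    """Group suspicious flows by reflector so the host can be patched or filtered."""
    hits: Dict[str, List[Tuple[str, str, float]]] = {}
    for f in flows:
        label = classify(f)
        if label:
            hits.setdefault(f.reflector, []).append(
                (f.victim, label, round(amplification_ratio(f), 1)))
    return hits

# Constructed sample records (not real telemetry); documentation-range addresses.
SAMPLE = [
    Flow("192.0.2.10", "198.51.100.5", "udp", 1, 60, 50_000, 3_000_000),    # UDP reflection
    Flow("192.0.2.20", "198.51.100.5", "tcp", 1, 60, 20_000, 1_200_000),    # stream from one SYN
    Flow("192.0.2.30", "203.0.113.8", "tcp", 800, 42_000, 1_500, 2_100_000), # ordinary download
    Flow("192.0.2.40", "203.0.113.9", "udp", 20, 1_200, 20, 1_500),          # ordinary exchange
]

if __name__ == "__main__":
    for reflector, events in find_reflectors(SAMPLE).items():
        print(reflector, events)
```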

Akamai said in a report last week (1 March) there are hundreds of thousands of middlebox systems vulnerable to this technique around the globe. The company added that it has detected “multiple middlebox attack campaigns” targeting banking, travel, gaming, media and web-hosting industries.

“Although these attacks are relatively small as of right now, it does show that attackers are starting to pick up on the middlebox attack technique and beginning to leverage it as yet another tool in their DDoS arsenal,” Akamai said.

Evolving cyberattacks

Global cyber threats have been growing, with an increase in sophisticated, high-impact attacks aimed at critical infrastructure. This is according to cybersecurity authorities in the US, UK and Australia, which issued a joint advisory warning last month.

“Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organisations globally,” the agencies said in a joint statement.

There has also been a spike in cyberattack activity in recent weeks amid the invasion of Ukraine by Russia. Ukraine has been hit with a barrage of attacks including phishing schemes and DDoS attacks.

In a recent interview with SiliconRepublic.com, Noel O’Reilly, business products and solutions manager at Virgin Media Business, said continued uptake of ransomware and DDoS attacks are some of the biggest trends in the infosec space.


Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com