Experts warn of spike in TCP DDoS reflection attacks targeting Amazon, SoftLayer and telco infrastructure

Researchers from Radware reported that massive TCP SYN-ACK DDoS reflection attacks hit Amazon, SoftLayer and telecom infrastructure in the last month.

Researchers from Radware are warning of a wave of TCP SYN-ACK DDoS reflection attacks that in the last 30 days hit Amazon, SoftLayer and telecom infrastructure.

“Over the last 30 days, Radware has observed a number of criminal campaigns that have been abusing the TCP implementation by performing TCP reflection attacks against large corporations.” reads the analysis published by Radware. “The attacks not only impacted the targeted networks, but also disrupted reflection networks across the world, creating a fallout of suspected SYN-flood attacks by many businesses.”

In a TCP SYN-ACK reflection attack, the attacker sends a spoofed SYN packet to a wide range of random or pre-selected reflection IP addresses. The spoofed packers have the original source IP replaced by the target’s IP address, The systems at the reflection IP addresses reply with a SYN-ACK packet to the target, but while your typical three-way handshake might assume for a single SYN-ACK packet to be delivered to the victim, when the victim does not respond with the last ACK packet the reflection service will continue to retransmit the SYN-ACK packet. This mechanism allows the amplification of the DDoS attack.

The amplification factors depends on the number of SYN-ACK retransmits by the service running at the reflection IP address. An independent research found more than 4.8 million devices vulnerable to an average amplification factor of 112x and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x, an amazing firepower for attackers.

Experts observed several campaign carrying out TCP reflection DDoS attacks against many corporations, including Amazon, SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.

The new wave of major attacks begun in October when a major DDoS attack crippled the network of the Italian branch of the online sports gambling website Eurobet. The attack lasted for several days and also affected other betting networks.

At the end of October, Radware observed other criminal campaigns mounting TCP reflection DDoS attacks against the financial and telecommunication industries in Italy, South Korea and Turkey.

“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” continues the analysis. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”

According to the experts, the campaign began in 2018 and targeted both large and well-resourced corporations and smaller businesses and homeowners. Experts pointed out that organizations not prepared for the spikes in TCP traffic suffer from secondary outages, “with SYN floods one of the perceived side-effects by the collateral victims.”

Most of the reflection IP addresses involved in the recent wave of TCP reflection attacks belong to internet IPv4 address space.

“This means the recent attackers, illustrated in Figure 13, used a rapid rate of falsified SYN packets to a wide range of the IPv4 address space with a spoofed source originating from either bots or servers hosted on subnets and by providers that do not implement BCP 38 to prevent IP source address spoofing on their servers or networks.” concludes the analysis. “The spoofed source in these attacks were the entire network ranges of the intended targets which resulted in the targeted reflectors retransmitting SYN-ACK packets in a carpet bombing attack as long as RST packets were not received.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – TCP DDoS reflection attacks, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]