The last 30 days have seen a renewed increase in distributed denial-of-service (DDoS) activity, according to researchers, who said that they have observed a number of criminal campaigns mounting TCP reflection DDoS attacks against corporations.
Researchers at Radware said that the list of victims includes a number of large companies, among them Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.
The first major event in October took the Eurobet network down. Eurobet, an online sports gambling website, suffered a campaign that persisted for days and impacted several other betting networks, according to Radware.
Then, later in October, amid a flurry of DDoS attacks targeting companies in nearly every vertical around the world, the firm identified another large-scale multi-vector campaign that targeted the financial and telecommunication industries in Italy, South Korea and Turkey.
“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” the researchers noted. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
The activity is a continuation of an uptick in attackers leveraging TCP reflection attacks that began in 2018, according to the firm. These tend to be low bandwidth, but they generate high packet rates (increased volumes of packets per second) that force network devices to spend large amounts of resources processing the traffic, which causes outages. That’s why large corporate and telecom networks are often targets, Radware researchers explained.
The specific type of TCP attack used in the recent spate of DDoS efforts was the TCP SYN-ACK reflection attack. In this scenario, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. If the victim does not respond, the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification. The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which can be defined by the attacker.
According to the analysis, most of the targeted networks did not respond properly to the spoofed requests; a proper response would have disabled the TCP retransmit amplification.
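To make the retransmit amplification measurable from the victim's side, the following added example (not from Radware or the original article) counts inbound SYN-ACKs that answer no SYN the victim sent, per reflector, and notes whether the victim replied with a RST. The addresses, the packet tuple format and the function name are assumptions, and the packet list is constructed.

```python
from collections import Counter, defaultdict

VICTIM = "198.51.100.10"  # hypothetical victim address (documentation range)

# Constructed sample of packets seen at the victim's edge:
# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("out", VICTIM, 40001, "203.0.113.5", 443, "S"),   # genuine outbound SYN
    ("in", "203.0.113.5", 443, VICTIM, 40001, "SA"),   # solicited SYN-ACK
    ("in", "192.0.2.7", 80, VICTIM, 51000, "SA"),      # no SYN was ever sent
    ("in", "192.0.2.7", 80, VICTIM, 51000, "SA"),      # retransmit
    ("in", "192.0.2.7", 80, VICTIM, 51000, "SA"),      # retransmit
    ("in", "192.0.2.9", 22, VICTIM, 51001, "SA"),      # no SYN was ever sent
    ("out", VICTIM, 51001, "192.0.2.9", 22, "R"),      # victim answers with RST
]


def summarize_reflection(packets):
    """Per reflector: unsolicited flows, SYN-ACKs received, RSTs sent, ratio."""
    expected = set()     # flows for which the victim really sent a SYN
    synacks = Counter()  # unsolicited flow -> number of SYN-ACKs received
    resets = set()       # flows the victim answered with a RST
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and flags == "S":
            expected.add((dst, dport, src, sport))
        elif direction == "in" and flags == "SA":
            flow = (src, sport, dst, dport)
            if flow not in expected:
                synacks[flow] += 1
        elif direction == "out" and flags == "R":
            resets.add((dst, dport, src, sport))
    report = defaultdict(lambda: {"flows": 0, "synacks": 0, "rst_sent": 0})
    for flow, count in synacks.items():
        entry = report[flow[0]]
        entry["flows"] += 1
        entry["synacks"] += count
        entry["rst_sent"] += flow in resets
    for entry in report.values():
        # Assumption: one spoofed SYN per flow, so this ratio is the
        # amplification produced by the reflector's retransmits.
        entry["synacks_per_flow"] = entry["synacks"] / entry["flows"]
    return dict(report)


if __name__ == "__main__":
    for ip, stats in summarize_reflection(PACKETS).items():
        print(ip, stats)
```

A ratio well above 1 for a reflector with no RSTs sent matches the unanswered-retransmit pattern described above.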
The impact range of these kinds of campaigns is significant, according to Radware, degrading service at the targeted networks as well as reflection networks across the world.
“Not only do the targeted victims, who are often large and well-protected corporations, have to deal with floods of TCP traffic, but randomly selected reflectors, ranging from smaller businesses to homeowners, have to process the spoofed requests and potential legitimate replies from the target of the attack,” researchers wrote in a recent post. “Those that are not prepared for these kinds of spikes in traffic suffer from secondary outages, with SYN floods one of the perceived side-effects by the collateral victims.”
In the more recent TCP reflection attacks, the firm’s forensics showed that the attackers leveraged a large majority of the internet IPv4 address space as reflectors, with a spoofed source originating from either bots or servers hosted on subnets without IP source address verification.