Akamai warns of new type of more aggressive DDoS attack

Sheila Zabeu -

March 17, 2022

A new distributed denial of service (DDoS) attack vector with a potential record amplification rate of nearly 4.3 billion times has been used by attackers to launch several high-impact offensives. The higher the amplification rate, the easier it is to overwhelm systems using fewer packets.

According to Akamai researchers, the attacks were observed in mid-February 2022 and targeted broadband internet access providers, financial institutions, logistics, gaming companies, and organizations in other industries.

After a thorough analysis, it was found that the equipment used to launch the attacks were MiCollab and MiVoice Business Express systems produced by Mitel, which have VoIP processing boards and supporting software and whose main function is to provide voice connection to Internet-based PBX systems. Mitel is working with affected customers to correct the issue that gave public access to the systems’ test facilities.

According to Akamai, although network traffic spikes associated with the vulnerable service were observed on January 8 and February 7, the first real attacks exploiting the vulnerability are believed to have occurred on February 18. Some 2,600 Mitel devices that act as PBX gateways to the Internet were incorrectly deployed with a test feature susceptible to the attacks.

This attack vector differs from most other methodologies by using a test facility to launch sustained DDoS attacks for up to 14 hours in duration and relying on a single attack initiation packet, resulting in a record amplification rate of 4,294,967,296-to-1. A controlled test of this vector yielded more than 400 Mpps of sustained DDoS attack traffic.

In addition, this single attack initiation packet can impede traceability by network operators, helping to mask the attack’s traffic-generating infrastructure and making it less likely that the origin of the attack will be discovered. Most other reflected and amplification DDoS vectors, on the other hand, require the attacker to continuously transmit malicious traffic loads to susceptible nodes for as long as they wish to sustain the attack.

The side effects of this new type of attack on Mitel MiCollab and MiVoice Business Express systems exposed to the Internet is the partial or total interruption of voice communication as well as other services due to excessive consumption of traffic capacity, exhaustion of network address translation tables, and firewalls.

More attacks

In recent weeks, researchers at Akamai also began observing DDoS attack campaigns against customers that included SYN techniques and high traffic volumes of up to 11 Gbps with 1.5 million packets per second. SYN is a form of denial of service attack in which an attacker quickly initiates a connection and does not terminate it, consuming server resources unnecessarily.

Upon examining the packets used in the attack, Akamai noticed that they used a technique known as TCP Middlebox Reflection, first disclosed as an entirely new attack vector in August 2021 in a paper authored by researchers at the University of Maryland and the University of Colorado Boulder.

Middlebox is a device on the network that sits in the path between two communicating hosts and can monitor, filter, or transform packets in transit. Unlike traditional network devices such as routers and switches, middleboxes focus not only on packet headers but also on packet content. Middleboxes are commonly used by countries to enforce censorship laws or by corporate content filtering policies.

Reflection attacks, on the other hand, send the recipient a flood of packets spoofing the source IP address with the victim’s address instead. This will make the recipient believe it has received the victim’s packet and will send it a reply, reflecting the effects of the attack and amplifying the damage.

In the case of the TCP Middlebox Reflection method, the specific target of reflective attacks is middleboxes. Researchers have shown that malicious agents can trigger a middlebox using the victim’s IP address when requesting a web page that is known to be filtered. The middlebox will then send a message with that same response page to the victim.

In one of the examples cited by Akamai of this type of amplification attack, a single SYN packet with a payload of 33 bytes triggered a response of 2,156 bytes, an amplification factor of 65 times. Another case showed that a single request from an attacker generated, for an unknown reason, an infinite loop, as the middlebox sent the response to its own address.

The researchers found that there are hundreds of thousands of poorly configured and therefore vulnerable middlebox systems around the world that can be exploited to perform TCP Middlebox Reflection attacks. This type of attack dangerously lowers the hurdles for DDoS onslaughts, as it takes only 1/75th of the bandwidth to cause the same damage in some cases, according to Akamai. “We found several errors in the configuration of middleboxes that can lead to technically infinite amplification of attacks. By sending a single packet, it is possible to initiate an infinite stream of packets against the victim,” the paper says.

Recommended actions

According to Akamai, TP-240 reflection/amplification DDoS attacks are sourced from UDP/10074 and are destined for the UDP port of the attacker’s choice. This amplified attack traffic can be detected, classified, traced back, and safely mitigated using standard DDoS defense tools and techniques.

Flow telemetry and packet capture via open-source and commercial analysis systems can alert network operators and end customers of TP-240 reflection/amplification attacks.

Network access control lists (ACLs), flowspec, destination-based remotely triggered blackhole, source-based remotely triggered blackhole and intelligent DDoS mitigation systems can be used to mitigate these attacks.

Network operators should perform reconnaissance to identify and facilitate remediation of abusable TP-240 reflectors/amplifiers on their networks and/or the networks of their customers. Operators of Mitel MiCollab and MiVoice Business Express collaboration systems should proactively contact Mitel to receive specific remediation instructions from the vendor.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attacks, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. Critical ancillary supporting services such as authoritative and recursive DNS servers must be included in this plan.

Network operators should implement ingress and egress source address validation in order to prevent attackers from initiating reflection/amplification DDoS attacks.

Users of internet-exposed TP-240–based Mitel MiCollab and MiVoice Business Express collaboration systems can prevent abuse of their systems to launch DDoS attacks by blocking incoming internet traffic destined for UDP/10074 via ACLs, firewall rules, and other standard network access control policy enforcement mechanisms.

Mitel has provided patched software versions that prevent TP-240–equipped MiCollab and MiVoice Business Express collaboration systems from being abused as DDoS reflectors/amplifiers by preventing exposure of the service to the internet. Mitel customers should contact the vendor for remediation instructions.

Collateral impact to abusable TP-240 reflectors/amplifiers can alert network operators and/or end customers to remove affected systems from “demilitarized zone” networks or internet data centers or to disable relevant UDP port–forwarding rules that allow specific UDP/10074 traffic sourced from the public internet to reach these devices, thereby preventing them from being abused to launch reflection/amplification DDoS attacks.

The amplified attack traffic is not fragmented, so there is no additional attack component consisting of noninitial fragments, as is the case with many other UDP reflection/amplification DDoS vectors.

Implementation of ingress and egress source-address validation (SAV; also known as anti-spoofing) can prevent attackers from launching reflection/amplification DDoS attacks.

Unfortunately, many abusable services that should not be exposed to the public internet are nevertheless left open for attackers to exploit. This scenario is yet another example of real-world deployments that do not adhere to vendor guidance. Vendors can prevent this situation by adopting “safe by default” postures on devices before shipping.

Reflection/amplification DDoS attacks would be impossible to launch if all network operators implemented ingress and egress SAV (or anti-spoofing). The ability to spoof the IP address(es) of the intended attack target(s) is required to launch such attacks. Service providers must continue to implement SAV in their own networks and require that their downstream customers do so as well.

As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, TP-240 reflection/amplification has been weaponized and added to the arsenals of so-called “booter/stresser” DDoS-for-hire services, placing it within the reach of the general attacker population.

Collaboration across the operational, research, and vendor communities is central to the continued viability of the internet. The quick response to and ongoing remediation of this high-impact DDoS attack vector has only been possible as a result of such collaboration. Organizations with a vested interest in the stability and resiliency of the internet should embrace and support cross-industry cooperative efforts as a core principle.

The combined efforts of the research and mitigation task force demonstrate that successful collaboration across industry peers to quickly remediate threats to availability and resiliency is not only possible but is also increasingly critical for the continued viability of the global internet.