Over the last 30 days, researchers from cybersecurity firm Radware have seen a spike in criminal distributed denial-of-service (DDoS) campaigns carrying out TCP reflection DDoS attacks against corporations. The researchers observed several such campaigns targeting Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.
A TCP SYN-ACK reflection attack scenario involves an attacker sending a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a wide range of random or pre-selected reflection IP addresses.
“The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. While your typical three-way handshake might assume for a single SYN-ACK packet to be delivered to the victim, when the victim does not respond with the last ACK packet the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification,” according to Radware.
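The mechanism Radware describes (one SYN-ACK per reflector, retransmitted while the victim never sends the final ACK) gives the victim a simple detection signal: inbound SYN-ACKs that match no SYN the host itself sent. The Python below is an added example, not Radware's code; the packet lines are constructed in a tcpdump-like layout, and the monitored host address 10.0.0.5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed packet lines in a tcpdump-like layout (not captured traffic).
# 10.0.0.5 is the monitored host. It sent exactly one SYN (to 198.51.100.9:443)
# but receives retransmitted SYN-ACKs from three hosts it never contacted.
SAMPLE = """\
0.000 IP 10.0.0.5.51000 > 198.51.100.9.443: Flags [S]
0.050 IP 198.51.100.9.443 > 10.0.0.5.51000: Flags [S.]
1.000 IP 203.0.113.10.80 > 10.0.0.5.40001: Flags [S.]
1.100 IP 203.0.113.11.443 > 10.0.0.5.40002: Flags [S.]
1.200 IP 203.0.113.12.25 > 10.0.0.5.40003: Flags [S.]
2.000 IP 203.0.113.10.80 > 10.0.0.5.40001: Flags [S.]
2.100 IP 203.0.113.11.443 > 10.0.0.5.40002: Flags [S.]
4.000 IP 203.0.113.10.80 > 10.0.0.5.40001: Flags [S.]
"""

LINE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[(\S+)\]"
)

def parse(text):
    """Yield (ts, src_ip, src_port, dst_ip, dst_port, flags) per matching line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, sip, sport, dip, dport, flags = m.groups()
            yield float(ts), sip, int(sport), dip, int(dport), flags

def analyze(text, host):
    """Count inbound SYN-ACKs that match no SYN the host sent."""
    sent_syns = set()                # (remote_ip, remote_port, local_port)
    unsolicited = defaultdict(int)   # reflector flow -> SYN-ACK count
    for _, sip, sport, dip, dport, flags in sorted(parse(text)):
        if sip == host and flags == "S":
            sent_syns.add((dip, dport, sport))
        elif dip == host and flags == "S." and (sip, sport, dport) not in sent_syns:
            unsolicited[(sip, sport, dport)] += 1
    total, flows = sum(unsolicited.values()), len(unsolicited)
    return {
        "unsolicited_synacks": total,
        "distinct_reflectors": len({ip for ip, _, _ in unsolicited}),
        "max_retransmits": max(unsolicited.values(), default=1) - 1,
        # each unsolicited flow is one spoofed SYN, so SYN-ACKs per flow is
        # the amplification the retransmissions hand the attacker
        "amplification": total / flows if flows else 0.0,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE, "10.0.0.5"))
```

Many distinct reflectors each sending a small number of SYN-ACKs to unmatched local ports is the victim-side signature; on a reflector, the mirror image is a burst of SYNs from one source address that never completes a handshake, which is the "SYN flood" the collateral victims perceive.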
An increase in DDoS activity was spotted in October, when a major DDoS attack crippled the network of the Italian branch of the online sports gambling website Eurobet. The attack lasted for several days and also affected other betting networks. Later that month, amid a flurry of DDoS attacks targeting companies in nearly every vertical around the world, Radware detected another large-scale multi-vector campaign targeting the financial and telecommunications industries in Turkey, which showed similarities to previous campaigns. This particular attack was noticed because of the reflective nature of one of its attack vectors.
“In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
“Over the last 30 days, Radware has observed a number of criminal campaigns that have been abusing the TCP implementation by performing TCP reflection attacks against large corporations. The attacks not only impacted the targeted networks, but also disrupted reflection networks across the world, creating a fallout of suspected SYN-flood attacks by many businesses,” the researchers said.
According to the firm, the campaign began in 2018 and targeted both large, well-resourced corporations and smaller businesses and homeowners. As the researchers pointed out, organizations not prepared for the spikes in TCP traffic suffer secondary outages, “with SYN floods one of the perceived side-effects by the collateral victims.”
In the more recent TCP reflection attacks, the attackers leveraged a large majority of the internet's IPv4 address space as reflectors. The spoofed SYN packets originated from bots or servers hosted on subnets or at providers that do not implement BCP 38 (ingress filtering), which would otherwise block packets carrying a forged source address before they leave the originating network.