Researchers from Radware are warning of a wave of TCP SYN-ACK DDoS reflection attacks that in the last 30 days hit Amazon, SoftLayer and telecom infrastructure.
“Over the last 30 days, Radware has observed a number of criminal campaigns that have been abusing the TCP implementation by performing TCP reflection attacks against large corporations.” reads the analysis published by Radware. “The attacks not only impacted the targeted networks, but also disrupted reflection networks across the world, creating a fallout of suspected SYN-flood attacks by many businesses.”
In a TCP SYN-ACK reflection attack, the attacker sends a spoofed SYN packet to a wide range of random or pre-selected reflection IP addresses. The spoofed
The amplification factors
Experts observed several campaign carrying out TCP reflection DDoS attacks against many corporations, including Amazon, SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.
The new wave of major attacks begun in October when a major DDoS attack crippled the network of the Italian branch of the online sports gambling website Eurobet. The attack lasted for several days and also affected other betting networks.
At the end of October, Radware observed other criminal campaigns mounting TCP reflection DDoS attacks against the financial and telecommunication industries in Italy, South Korea and Turkey.
“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” continues the analysis. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.
According to the experts, the campaign began in 2018 and targeted both large and well-resourced corporations and smaller businesses and homeowners. Experts pointed out that organizations not prepared for the spikes in TCP traffic suffer from secondary outages, “with SYN floods one of the perceived side-effects
Most of the reflection IP addresses involved in the recent wave of TCP reflection attacks belong to internet IPv4 address space.
“This means the recent attackers, illustrated in Figure 13, used a rapid rate of falsified SYN packets to a wide range of the IPv4 address space with a spoofed source originating from either bots or servers hosted on subnets and by providers that do not implement BCP 38 to prevent IP source address spoofing on their servers or networks.” concludes the analysis. “The spoofed source
(SecurityAffairs – TCP DDoS reflection attacks, cybercrime)