Weaponizing middleboxes

lwn.net
Middleboxes are, unfortunately in many ways, a big part of today's internet. While middleboxes inhabit the same physical niche as routers, they are not aimed at packet forwarding; instead they are meant to monitor and manipulate the packets that they see. The effects of those devices on users of the networks they reign over may be unfortunate as well, but the rest of the internet is only affected when trying to communicate with those users—or so it was thought. Based on some recently reported research, it turns out that middleboxes can be abused to inflict denial-of-service (DoS) attacks elsewhere on the net.

Though it lacks the catchy nickname and logo that have come to dominate security research reporting over the last few years, the "Weaponizing Middleboxes for TCP Reflected Amplification" web site describes a potent threat. The researchers, Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, and Dave Levin, found flaws in the TCP/IP implementation of various middleboxes that allow DoS attacks via amplification. The middleboxes they studied are those deployed by government organizations for the purposes of censorship, but "even benign deployments of firewalls and intrusion prevention systems in non-censoring nation-states can be weaponized using the techniques we discovered".
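The amplification the researchers describe shows up in flow records as a host receiving far more TCP bytes from a middlebox than it ever sent to it. The following is an added example, not code from the article or from the researchers' project: a small defender-side check over constructed NetFlow-style records (the `Flow` field set and the sample addresses are assumptions) that computes the per-pair amplification factor and flags responders whose reply volume exceeds a threshold.

```python
"""Flag TCP reflected-amplification candidates in flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    # One unidirectional, NetFlow-style record; the field set is an assumption for this example.
    src: str
    dst: str
    proto: str
    bytes: int
    packets: int


# Constructed sample data. 203.0.113.7 is the (spoofed) victim address, 198.51.100.5 stands in
# for a middlebox that answers unsolicited TCP with large replies, and 192.0.2.10 is a normal
# client that completed an ordinary exchange.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "198.51.100.5", "tcp", 120, 2),      # tiny forged request toward reflector
    Flow("198.51.100.5", "203.0.113.7", "tcp", 48000, 32),   # large reply aimed at the victim
    Flow("192.0.2.10", "198.51.100.5", "tcp", 2500, 12),     # ordinary client request
    Flow("198.51.100.5", "192.0.2.10", "tcp", 9800, 14),     # ordinary-sized response
    Flow("192.0.2.10", "198.51.100.5", "udp", 300, 3),       # not TCP, ignored
]


def amplification_factors(flows):
    """Return {(responder, target): factor} for every TCP pair, where factor is
    bytes sent responder->target divided by bytes sent target->responder."""
    sent = defaultdict(int)
    for f in flows:
        if f.proto == "tcp":
            sent[(f.src, f.dst)] += f.bytes
    factors = {}
    for (responder, target), out_bytes in sent.items():
        in_bytes = sent.get((target, responder), 0)
        # A responder that sends data to a host that never sent it anything is flagged as unbounded.
        factors[(responder, target)] = out_bytes / in_bytes if in_bytes else float("inf")
    return factors


def suspected_reflectors(flows, threshold=10.0):
    """Pairs whose TCP reply volume is at least `threshold` times the request volume.
    With a spoofed source, the 'target' side of the pair is the victim, so this is the
    view an operator gets from flow logs on the reflector's own network."""
    return sorted(
        pair for pair, factor in amplification_factors(flows).items() if factor >= threshold
    )
```

Run on the sample data, only the middlebox-to-victim pair crosses the default threshold (factor 400), while the ordinary client exchange (factor 3.92) does not.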

It is important to note that the problems found are in the TCP/IP implementations of these middleboxes and not in the protocol itself. Those problems could be fixed, perhaps, but the researchers are skeptical that will happen:

Completely fixing this problem will require countries to invest money in changes that…