What is it?
This vulnerability is (sort of) misnamed; it might be more accurately called “TCP Middlebox Reflection Vulnerability.” Although the vulnerability was detected on the HTTP port (80), these attacks can occur on any port.
A “middlebox” is any device that manipulates network traffic; examples include Network Address Translators (NAT) and load balancers (among others).
The key feature of these devices is that they modify the payload of the requests they receive.
Why is it a risk?
Because these devices change the payload of requests they receive, they can be leveraged to attack a third party.
As an (overly) simple example, a request can be crafted that will be rejected by the middlebox. The attacker spoofs the address they are sending from and sends the request; the error message is sent to the victim. If the error message is significantly larger than the original request, then the attacker can overwhelm the victim. This is called a Denial of Service (DOS) attack. These attacks usually involve a number of innocent participants, creating a Distributed Denial of Service (DDOS) attack.
Your device at this IP address has been identified as vulnerable to becoming one of these innocent participants.
The greatest risk of this vulnerability is that it is very easy to use.
This vulnerability is not sophisticated, but it is relatively new. It is well documented in the USENIX presentation (August 2021) linked below – Weaponizing Middleboxes for TCP Reflected Amplification. An executive summary is provided in the Akamai Blog page linked below – TCP Middlebox Reflection: Coming to a DDoS Near You.
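From the middlebox owner's side, the reflection described above shows up as a peer address that receives far more bytes than it sends: many small rejected requests "from" the victim, each answered with a large error page. The following is an added example, not part of this notice, the USENIX paper or Akamai's write-up: it reads constructed flow-summary lines (one per request/response pair, "timestamp peer_ip bytes_in bytes_out") and flags peers whose outbound/inbound byte ratio is high over several requests. The log format, addresses and thresholds are assumptions; a real NetFlow or firewall export needs its own parser, but the same per-peer ratio check applies.

```python
"""Spot reflection amplification in flow summaries seen at a middlebox.

Added example, not code from the notice, the USENIX paper or Akamai. The log
format is constructed: "timestamp peer_ip bytes_in bytes_out", one line per
request/response pair observed at the middlebox.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample. 203.0.113.9 plays the (spoofed) victim address: tiny
# requests in, large error pages out. 198.51.100.7 is ordinary traffic.
# 192.0.2.5 has the same ratio but too few requests to be called out alone.
SAMPLE_FLOWS = """\
2021-08-10T10:00:01Z 198.51.100.7 40 40
2021-08-10T10:00:01Z 203.0.113.9 40 1800
2021-08-10T10:00:01Z 203.0.113.9 40 1800
2021-08-10T10:00:02Z 198.51.100.7 120 96
2021-08-10T10:00:02Z 203.0.113.9 40 1800
2021-08-10T10:00:02Z 192.0.2.5 40 1800
2021-08-10T10:00:03Z 203.0.113.9 40 1800
2021-08-10T10:00:03Z 203.0.113.9 40 1800
2021-08-10T10:00:03Z 192.0.2.5 40 1800
"""


@dataclass
class Flow:
    timestamp: str
    peer: str
    bytes_in: int
    bytes_out: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow line; raises ValueError on malformed input."""
    timestamp, peer, bytes_in, bytes_out = line.split()
    return Flow(timestamp, peer, int(bytes_in), int(bytes_out))


def amplification_ratio(bytes_in: int, bytes_out: int) -> float:
    """Bytes sent to the peer per byte received from it."""
    if bytes_in == 0:
        return float("inf") if bytes_out else 0.0
    return bytes_out / bytes_in


def aggregate_by_peer(lines):
    """Sum request count and byte totals per peer address."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow_line(line)
        entry = totals[flow.peer]
        entry["requests"] += 1
        entry["bytes_in"] += flow.bytes_in
        entry["bytes_out"] += flow.bytes_out
    return dict(totals)


def suspicious_peers(text: str, min_ratio: float = 10.0, min_requests: int = 3):
    """Peers that receive at least `min_ratio` bytes per byte they send, over
    at least `min_requests` requests. A high ratio toward one address means
    the middlebox is amplifying traffic to that address, whether or not the
    requests really originated there. Returns (peer, requests, ratio) tuples,
    highest ratio first."""
    flagged = []
    for peer, t in aggregate_by_peer(text.splitlines()).items():
        ratio = amplification_ratio(t["bytes_in"], t["bytes_out"])
        if ratio >= min_ratio and t["requests"] >= min_requests:
            flagged.append((peer, t["requests"], round(ratio, 1)))
    return sorted(flagged, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for peer, requests, ratio in suspicious_peers(SAMPLE_FLOWS):
        print(f"{peer}: {requests} requests, {ratio}x amplification")
```

The `min_requests` floor keeps a single oversized error page from raising an alert on its own; what matters is a sustained ratio toward one address. Tune both thresholds to what your device normally returns for rejected requests.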
How can you mitigate the risk?
The USENIX article linked below states: “Unfortunately, this means there is no single vendor or network that can be patched to correct the problem. Instead, this issue is systemic to middleboxes…”
The first step should be to identify your middleboxes and only allow (using Firewall rules) absolutely necessary traffic to/from those Servers.
The most straightforward method of mitigating this risk is to create an Access Control List (ACL) on your device that limits the incoming IP addresses.
Although simple, this is not always possible.
The next thing to check is that all of your Server responses (including all error responses) use HTTPS/TLS.
These actions will substantially reduce the risk that your Server will be unwittingly used in a DDOS attack.
Manufacturers of “middlebox” devices usually provide instructions and advice for securing their equipment – follow their (most recent) advice.
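The ACL mitigation works because a reflected request carries the victim's address as its source; if that address is not on the allow list, the middlebox drops the request before generating the large error response. The following is an added illustration, not code from this notice, the USENIX paper or any vendor: it models a middlebox that returns a fixed-size error page for rejected requests and shows the amplification factor with and without a source-address ACL. The request and error-page sizes, the addresses and the simplified "allow 10.0.0.0/8" rule syntax are all constructed stand-ins for whatever your device actually uses.

```python
"""Effect of a source-address ACL on what a rejecting middlebox sends back.

Added illustration, not code from the notice, the USENIX paper or any vendor.
Sizes, addresses and the rule syntax are constructed.
"""
import ipaddress

REQUEST_BYTES = 40       # constructed: size of a request the middlebox rejects
ERROR_PAGE_BYTES = 1800  # constructed: size of the error/block page it returns


class Acl:
    """Ordered allow/deny rules over CIDR prefixes: the first matching rule
    decides, and a source that matches no rule is denied."""

    def __init__(self, rules):
        self.rules = []
        for action, cidr in rules:
            if action not in ("allow", "deny"):
                raise ValueError(f"unknown action {action!r}")
            self.rules.append((action, ipaddress.ip_network(cidr, strict=False)))

    @classmethod
    def from_text(cls, text):
        """Parse lines of the form 'allow 10.0.0.0/8'; '#' starts a comment."""
        rules = []
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                action, cidr = line.split()
                rules.append((action, cidr))
        return cls(rules)

    def permits(self, src):
        addr = ipaddress.ip_address(src)
        for action, net in self.rules:
            if addr in net:
                return action == "allow"
        return False


def reply_bytes(src, acl=None):
    """Bytes the middlebox sends to `src` for a request it would reject.
    With no ACL every rejected request earns a full error page, addressed to
    whatever source the packet claimed. With an ACL, sources outside the
    allowed set are dropped before any response is generated."""
    if acl is not None and not acl.permits(src):
        return 0
    return ERROR_PAGE_BYTES


def amplification_factor(src, acl=None):
    """Response bytes per request byte that reach `src`."""
    return reply_bytes(src, acl) / REQUEST_BYTES


# Constructed ACL: only the internal network and one partner range may
# reach the middlebox; everything else is dropped.
ACL_TEXT = """\
allow 10.0.0.0/8          # internal clients
allow 198.51.100.0/24     # partner range (constructed)
deny  0.0.0.0/0           # everything else
"""

if __name__ == "__main__":
    acl = Acl.from_text(ACL_TEXT)
    for src in ("203.0.113.9", "10.1.2.3"):
        print(src, "no ACL:", amplification_factor(src),
              "with ACL:", amplification_factor(src, acl))
```

With the constructed sizes, a rejected request from an address outside the allow list yields a 45x amplification without the ACL and nothing at all with it; only requests from addresses you have deliberately permitted still receive the error page, which is why the notice calls this the most straightforward mitigation.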
Resources:
USENIX 2021: Weaponizing Middleboxes for TCP Reflected Amplification
https://geneva.cs.umd.edu/papers/usenix-weaponizing-ddos.pdf
Akamai Blog: TCP Middlebox Reflection: Coming to a DDoS Near You
https://www.akamai.com/blog/security/tcp-middlebox-reflection