Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks

Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz

8th USENIX Workshop on Offensive Technologies (WOOT), San Diego, CA, USA, August 2014


Nowadays, a common way for attackers to perform Distributed Denial-of-Service (DDoS) attacks is via so-called amplification attacks. The basic idea is to send relatively small requests with a spoofed source address to public hosts (e.g., NTP servers), which reflect significantly larger responses to the victim of the attack. Recent studies focused on UDP-based attacks and analyzed the attack surface in detail. First results also suggested that TCP-based protocols are in principle vulnerable to such attacks, despite the three-way handshake mechanism.

In this paper, we continue this line of work and demonstrate that TCP protocols can indeed be abused in practice. More specifically, we show that the handshake itself often yields amplification, especially since many devices on the Internet react in unforeseen ways during connection establishment. To estimate the landscape of Internet devices vulnerable to TCP amplification attacks, we performed Internet-wide scans for common TCP-based protocols and identified thousands of amplifiers that allow an amplification factor of 50x and higher.


tags: Amplification DDoS, Device Fingerprinting, Internet-wide Scanning, Measurements, TCP