This is the code repository for the USENIX Security 2021 paper, "Weaponizing Middleboxes for TCP Reflected Amplification".

Overview

weaponizing-censors badge

Censors pose a threat to the entire Internet. In this work, we show that censoring middleboxes and firewalls can be weaponized by attackers to launch unprecedented reflected denial of service attacks. We find hundreds of thousands of IP addresses that offer amplification factors greater than 100× and IP addresses that technically offer infinite amplification.

This is the code repository for the USENIX Security 2021 paper, "Weaponizing Middleboxes for TCP Reflected Amplification".

This repository contains submodules for our two forks of ZMap, a submodule to the main Geneva repository containing the plugin used to identify the amplifying sequences, and processing scripts for analyzing scan results.

Amplification attacks are not the only way that censors pose a threat to those living outside their borders. See our concurrent work from WOOT 2021 on weaponizing censors for availability attacks and its repository.

📝 Abstract

Reflective amplification attacks are a powerful tool in the arsenal of a DDoS attacker, but to date have almost exclusively targeted UDP-based protocols. In this paper, we demonstrate that non-trivial TCP-based amplification is possible and can be orders of magnitude more effective than well-known UDP-based amplification. By taking advantage of TCP-non-compliance in network middleboxes, we show that attackers can induce middleboxes to respond and amplify network traffic. With the novel application of a recent genetic algorithm, we discover and maximize the efficacy of new TCP-based reflective amplification attacks, and present several packet sequences that cause network middleboxes to respond with substantially more packets than we send.

We scanned the entire IPv4 Internet to measure how many IP addresses permit reflected amplification. We find hundreds of thousands of IP addresses that offer amplification factors greater than 100×. Through our Internet-wide measurements, we explore several open questions regarding DoS attacks, including the root cause of so-called "mega amplifiers". We also report on network phenomena that causes some of the TCP-based attacks to be so effective as to technically have infinite amplification factor (after the attacker sends a constant number of bytes, the reflector generates traffic indefinitely).

🕵️‍♀️ Finding Amplifiers: ZMap Forks

We scanned the entire IPv4 Internet dozens of times to find IP addresses with middleboxes on their path that could be weaponized. To find these, we created two custom forks of the open-source scanning tool ZMap. ZMap is a fast single packet network scanner designed for Internet-wide network surveys. We modified ZMap first to add a new probe module (the forbidden_scan module defined in src/probe_modules/module_forbidden_scan.c), and then created a second fork to add the ability to craft two distinct packets for each probe (this enables us to send a custom SYN packet, followed by a second custom packet containing a well-formed HTTP GET request).

The submodule zmap in this repository is for single packet scans (the SYN, PSH, or PSH+ACK scans from our paper) and zmap_multiple_probes (for the SYN; PSH or SYN; PSH+ACK scans from our paper).

The module has multiple options compiled in, including the Host: header included in the payload. To change any of the following options, edit the module_forbidden_scan.c file located in src/probe_modules and recompile ZMap to use.

🏃 Running ZMap

Example on how to build zmap and run the forbidden_scan module to scan a single IP address and record the responses received:

$ IP=
$ cmake . && make -j4  && sudo src/zmap -M forbidden_scan -p 80 $IP/32 -f "saddr,len,payloadlen,flags,validation_type" -o scan.csv -O csv 

The output of the scan is a csv file called scan.csv. For each packet that ZMap identified as a response to our scan, the output file will contain the src IP address, the IP length of the packet, the length of the payload itself, the TCP flags, and the validation_type (the reason the probe treated the incoming packet as a response to a probe).

This module can be used to test firewalls or other middleboxes to see if they are vulnerable to this attack.

Also in this repsitory is a helper script scan_all.py, which can be used to automate multiple ZMap scans with different scanning parameters.

🔬 Processing Scan Results

Included in this repository are two helper scripts to process the results of a ZMap scan. The main processing script is stats.py, which will consume the output of ZMap and generate graphs and summary statistics about the scan. See the below example of the stats.py script processing a scan.csv file (note the IP addresses have been anonymized).

# python3 stats.py scan.csv 149
Processing scan data assuming attacker sent 149 bytes per IP.
Initializing analysis of scan.csv
Calculating total length of file to analyze:
949099449 total packets to analyze.
  - Unique responding IPs: 362138621
  - Number of amplifying IP addresses: 218015761
  - Total number of bytes sent by amplifying IP addresses: 45695690843
  - Average amplification rate from amplifying IP addresses: 1.407000
  - Highest total data received by IP:
        7632101 96.96.96.96 141334
        9788625 97.97.97.97 181270
        44365380 98.98.98.98 142200
        238162104 99.99.99.99 1011556
  - Highest total packets received by IP:
        7360299 1.1.1.1 136301
        8040711 2.2.2.2 148901
        8186133 3.3.3.3 151594
        238162104 4.4.4.4 1011556
  - Flags on packets sent by responders:
    + 472: S
    + 119609984: R
    + 680892582: RA
    + 12: FSPA
    + 1: SPUE
    + 2: PAU
    + 1: SUEC
    + 1: FAU
    + 1: PAUE
    + 1: SRPAUEC
    + 7217: FRPA
    + 4734607: FA
    + 5540525: RPA
    + 3687478: PA
    + 58615499: SA
    + 11928812: FPA
    ...
  - CDF of number of packets sent: scan_packets_cdf.eps
  - CDF of bytes sent: scan_bytes_cdf.eps
  - CDF of amplification rate: scan_amplification_cdf.eps

📃 License

This repository is licensed under BSD 3-Clause license. Please note that this repository contains multiple submodule pointers to other repositories, each of which contains its own license. Please consult each for license information.

📑 Citation

To cite this paper, please use the Bibtex here.

You might also like...
NSX-T infrastructure as code - SDDC deployment
NSX-T infrastructure as code - SDDC deployment

Deploy NSX-T Infrastructure - Simple Topology by Nicolas MICHEL @vpackets / LinkedIn Introduction The purpose of this entire repository is to automate

A simple python application for generating a WiFi QR code for ease of connection

A simple python application for generating a WiFi QR code Initialize the class by providing QR code values WiFi_QR_Code(self, error_correction: int =

Python code that get the name and ip address of a computer/laptop

IP Address This is a python code that provides the name and the internet protocol address of the computer. You need to install socket pip install sock

Research Artifact of USENIX Security 2022 Paper: Automated Side Channel Analysis of Media Software with Manifold Learning

Manifold-SCA Research Artifact of USENIX Security 2022 Paper: Automated Side Channel Analysis of Media Software with Manifold Learning The repo is org

🖍️This is a feature-complete clone of the awesome Chalk (JavaScript) library.
🖍️This is a feature-complete clone of the awesome Chalk (JavaScript) library.

Terminal string styling done right This is a feature-complete clone of the awesome Chalk (JavaScript) library. All credits go to Sindre Sorhus. Highli

Code for the USENIX 2017 paper: kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, MacOS an

A python script to turn Ubuntu Desktop in a one stop security platform. The InfoSec Fortress installs the packages,tools, and resources to make Ubuntu 20.04 capable of both offensive and defensive security work.

infosec-fortress A python script to turn Ubuntu Desktop into a strong DFIR/RE System with some teeth (Purple Team Ops)! This is intended to create a s

A CLI tool to disable and enable security standards controls in AWS Security Hub

Security Hub Controls CLI A CLI tool to disable and enable security standards controls in AWS Security Hub. It is designed to work together with AWS S

Security-TXT is a python package for retrieving, parsing and manipulating security.txt files.

Security-TXT is a python package for retrieving, parsing and manipulating security.txt files.

Security audit Python project dependencies against security advisory databases.

Security audit Python project dependencies against security advisory databases.

RedTeam-Security - In this repo you will get the information of Red Team Security related links
RedTeam-Security - In this repo you will get the information of Red Team Security related links

OSINT Passive Discovery Amass - https://github.com/OWASP/Amass (Attack Surface M

This is the code repository for Mastering Python for Networking and Security – Second Edition
This is the code repository for Mastering Python for Networking and Security – Second Edition

Mastering Python for Networking and Security – Second Edition This is the code repository for Mastering Python for Networking and Security – Second Ed

Repository for a project of the course EP2520 Building Networked Systems Security

EP2520_ACME_Project Repository for a project of the course EP2520 Building Networked Systems Security in Royal Institute of Technology (KTH), Stockhol

A repository built on the Flow software package to explore cyber-security attacks on intelligent transportation systems.

A repository built on the Flow software package to explore cyber-security attacks on intelligent transportation systems.

2021 Machine Learning Security Evasion Competition

2021 Machine Learning Security Evasion Competition This repository contains code samples for the 2021 Machine Learning Security Evasion Competition. P

Members: Thomas Longuevergne Program: Network Security Course: 1DV501 Date of submission: 2021-11-02
Members: Thomas Longuevergne Program: Network Security Course: 1DV501 Date of submission: 2021-11-02

Mini-project report Members: Thomas Longuevergne Program: Network Security Course: 1DV501 Date of submission: 2021-11-02 Introduction This project was

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

This repository will contain the code for the CVPR 2021 paper
This repository will contain the code for the CVPR 2021 paper "GIRAFFE: Representing Scenes as Compositional Generative Neural Feature Fields"

GIRAFFE: Representing Scenes as Compositional Generative Neural Feature Fields Project Page | Paper | Supplementary | Video | Slides | Blog | Talk If

Owner
UMD Breakerspace
UMD Breakerspace
Enrich IP addresses with metadata and security IoC

Stratosphere IP enrich Get an IP address and enrich it with metadata and IoC You need API keys for VirusTotal and PassiveTotal (RiskIQ) How to use fro

Stratosphere IPS 10 Sep 25, 2022
Decentra Network is an open source blockchain that combines speed, security and decentralization.

Decentra Network is an open source blockchain that combines speed, security and decentralization. Decentra Network has very high speeds, scalability, asymptotic security and complete decentralization.

Decentra Network 74 Nov 22, 2022
This repository contain sample code of gRPC Communication between Python and GoLang

This repository contain sample code of gRPC Communication between Python and GoLang, the Server is running on GoLang while Python is running the client

Abdullahi Muhammad 2 Nov 29, 2021
A repository dedicated to IoT(internet of things ) and python scripts

?? Introduction Week of Learning is a weekly program in which you will get all the necessary knowledge about Circuit-Building, Arduino and Micro-Contr

null 27 Nov 22, 2022
A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux

arp_spoofer A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux Usage: git

Surya Das N 1 Oct 30, 2021
A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

FullHunt 3.2k Jan 2, 2023
Quickly fetch your WiFi password and if needed, generate a QR code of your WiFi to allow phones to easily connect

wifi-password Quickly fetch your WiFi password and if needed, generate a QR code of your WiFi to allow phones to easily connect. Works on macOS and Li

Siddharth Dushantha 2.6k Jan 5, 2023
This is a simple python code to get the list of banned IP addresses from Fail2ban

Fail2ban Scripts Usage banned_list.py This script tries to get the banned list of IP addresses by Fail2ban for the service freeswitch. You can modify

Yehor Smoliakov 9 Dec 28, 2022
Initial code of an A3C network

A3C-network Initial code of an A3C network Open the python file named as "APL452 Project Report2" The following libraries and packages have been insta

Ayush Tanwar 0 Jun 11, 2022
PoC code for stealing the WiFi password of a network with a Lovebox IOT device connected

LoveBoxer PoC code for stealing the WiFi password of a network with a Lovebox IOT device connected. This PoC was is what I used in this blogpost Usage

Graham Helton 10 May 24, 2022