pfinksai
Participant

TCP Reflected Amplification

Hi All,

TCP Middlebox Reflection has emerged recently: what kind of reaction should we have on Check Point to prevent incoming DDoS attacks?

Thank you.

6 Replies
Peter_Elmer
Employee

Hello @pfinksai ,

TCP Middlebox Reflection is a broad topic (here is one example reference created by Akamai); here are some references for Check Point products:

best regards

pelmer 

dano
Explorer

hi @Peter_Elmer 

I saw sk178411; this SK is a response to OpenSSL CVE-2022-0778.
But we are talking about TCP Middlebox Reflection; can you tell me how they are connected?
Thanks for your reply.

Peter_Elmer
Employee

Hello @dano ,

Allow me some time to prepare a more comprehensive response. I'll get back soon.

-pelmer

dano
Explorer

Hi @Peter_Elmer, thanks.

I think SYN packets are used to initiate the TCP handshake, like SYN floods.

I see sk112241.
I tried SYN Attack drop to solve TCP Middlebox Reflection, but I don't know if it works.

Looking forward to your reply.

dano
Explorer

TCP Middlebox Reflection research

https://www.usenix.org/system/files/sec21fall-bock.pdf

Peter_Elmer
Employee

Hello @dano ,

Sorry, it took me a while to carve out the time to review the related material. Here are my thoughts.

Reviewing middlebox amplification attacks, as I understand them after reading the paper linked on Akamai

Access to sites belonging to URL categories might be controlled by middleboxes. In the enterprise context such control would be performed by the perimeter security gateway or a proxy. In some states, access to the Internet might be subject to control executed by state-owned gateways.

The middlebox amplification attack takes advantage of this context. A spoofed request (the attacker spoofing the IP address of the victim) for a blocked site is sent to the middlebox, which in response sends an HTML page to the victim. In the research referenced above, middleboxes have been found sending HTML 'access blocked' pages to the victim, even without checking the state of the SYN packet sent by the attacker to the middlebox.

Middlebox attack flow

The attacker acquires knowledge about certain middleboxes blocking access to certain URL categories.
The attacker spoofs the source IP of the victim (even an IP on the internal side of the middlebox) and sends an HTTP request for a resource known to be blocked by the middlebox. The middlebox is expected to send the 'HTML access block page' to the victim. In this way you 'send data to the victim it hasn't requested' - you 'keep the victim busy'. (Review the infographics in the references above.)

Things I would review in my Security Gateway configuration after reading the above references

  • Anti-Spoofing: review 'preventing IP Spoofing' section of the administration guide here
  • UserCheck portal access
    Check Point Gateways provide UserCheck to inform internal users when they access sites forbidden by policy.
    Review the access settings for the portal. The setting 'According to Firewall Policy' achieves stateful inspection of incoming traffic.
  • Understand that the UserCheck portal uses the MultiPortal Daemon documented in sk87920
  • Understand the DoS mitigation options provided by the Check Point Security Gateway (sk112454), especially Penalty Box

I encourage you to study the resources indicated above and to create a DoS defense strategy with your service provider, having practices in place in case a volumetric attack is raised against your Internet connection.

best regards

-pelmer

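The attack flow and the two gateway controls named in the reply above (stateful inspection of incoming traffic, and anti-spoofing) can be put side by side in a small simulation. This is an added example written for this page; it is not code from the thread, from Check Point, or from the USENIX paper. The middlebox model, block page, addresses, interface labels and blocked-host policy are all constructed assumptions, and nothing is sent on the wire. It measures the amplification factor (bytes the victim receives divided by bytes the attacker sent) for a single spoofed request with no handshake, and shows which of the two controls stops which case.

```python
"""Added example: simulated TCP middlebox reflected amplification and two mitigations.
Everything here (topology, policy, block page, addresses) is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

IP_TCP_HEADERS = 40                          # assumed: 20-byte IPv4 + 20-byte TCP, no options
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed address space behind the middlebox
BLOCKED_HOSTS = {"blocked.example"}          # assumed URL-filtering policy
SERVER = "198.51.100.10"                     # assumed destination of the requests
BLOCK_PAGE = (                               # constructed 'access blocked' page; padding stands
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"   # in for a real branded page
    b"<html><body><h1>Access to this site is blocked by policy.</h1>"
    b"<p>" + b"x" * 400 + b"</p></body></html>"
)
REQUEST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"  # the request that triggers the page


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                 # "S", "A" or "PA"
    payload: bytes = b""
    ingress: str = "external"  # interface the middlebox received the packet on

    def size(self) -> int:
        return IP_TCP_HEADERS + len(self.payload)


def requested_host(payload: bytes) -> Optional[str]:
    """Return the HTTP Host header if the payload looks like a GET request, else None."""
    if not payload.startswith(b"GET "):
        return None
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


class Middlebox:
    """In-path filter that injects a block page toward whoever asked for a blocked host."""

    def __init__(self, stateful: bool, antispoof: bool):
        self.stateful, self.antispoof = stateful, antispoof
        self.syn_seen: Set[Tuple] = set()      # client SYN observed for this 4-tuple
        self.established: Set[Tuple] = set()   # client ACK after SYN: handshake completed

    def observe(self, pkt: Packet) -> List[Packet]:
        """Inspect one packet and return any packets the middlebox injects in response."""
        # Anti-spoofing: an internal source address must never arrive on the external interface.
        if self.antispoof and pkt.ingress == "external" and \
                any(ip_address(pkt.src) in net for net in INTERNAL_NETS):
            return []
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.syn_seen.add(key)
        elif pkt.flags == "A" and key in self.syn_seen:
            self.established.add(key)          # the server's SYN-ACK is assumed to have passed
        host = requested_host(pkt.payload)
        if host is None or host not in BLOCKED_HOSTS:
            return []
        # Stateful inspection: only reflect a block page into a connection we saw established.
        if self.stateful and key not in self.established:
            return []
        return [Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "PA", BLOCK_PAGE, "internal")]


def legitimate_session(mb: Middlebox, client: str = "10.0.0.7") -> int:
    """An internal user completes the handshake, then requests the blocked host.
    Returns the bytes of block page the user receives (the feature keeps working)."""
    flow = dict(src=client, dst=SERVER, sport=40001, dport=80, ingress="internal")
    received = 0
    for flags, payload in (("S", b""), ("A", b""), ("PA", REQUEST)):
        for reply in mb.observe(Packet(flags=flags, payload=payload, **flow)):
            received += len(reply.payload)
    return received


def reflection_attack(mb: Middlebox, victim: str) -> float:
    """An outside attacker sends one spoofed request in the victim's name, with no handshake.
    Returns the amplification factor: bytes delivered to the victim / bytes the attacker sent."""
    spoofed = Packet(victim, SERVER, 40002, 80, "PA", REQUEST, ingress="external")
    injected = mb.observe(spoofed)
    return sum(p.size() for p in injected) / spoofed.size()


if __name__ == "__main__":
    for name, mb in [("stateless, no anti-spoofing", Middlebox(False, False)),
                     ("stateless + anti-spoofing", Middlebox(False, True)),
                     ("stateful", Middlebox(True, False))]:
        print(f"{name:28} legit user gets {legitimate_session(mb)} B of block page; "
              f"external victim x{reflection_attack(mb, '203.0.113.5'):.1f}; "
              f"internal victim x{reflection_attack(mb, '10.1.2.3'):.1f}")
```

Run it and the three rows make the point of the thread: the stateless middlebox reflects a page several times larger than the spoofed request to any victim; anti-spoofing alone only stops the case where the attacker spoofs an address on the internal side; the stateful check stops both, while a real user who completed the handshake still receives the block page. The factor scales with the size of the block page, so a large branded portal page is a larger reflector than this padded stub.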
