Hello @dano ,
sorry, it took me a while carving out the time to review related material. Here are my thoughts.
Reviewing Middlebox Amplification attacks - how I understand them after reading this paper linked on Akamai
Access to sites belonging to URL categories might be controlled by middleboxes. In the Enterprise context such control would be performed by the perimeter security gateway or a proxy. In some states, access to the Internet might be subject to control executed by state owned gateways.
The middlebox amplification attacks makes benefit of this context. It allows a spoofed request (attacker spoofing IP address of the victim) for a blocked site being send to the middlebox, which in response is sending an HTML page to the victim. In the research referenced above, middleboxes have been found sending HTML 'access blocked' pages to the victim, even without checking the state of the SYN packet send by the attacker to the middlebox.
Middlebox attack flow
The attacker acquires knowledge about certain middleboxes blocking the access to certain URL categories.
The attacker is spoofing the source IP of the victim (even an IP on the internal side of the middlebox) sending an HTTP Request for a resource known to be blocked by the middlebox. The middlebox is expected sending the 'HTML access block page' to the victim. In this way 'you send data to the victim it hasn't requested' - you 'keep the victim busy'. (Review the infographics on the references above.)
Things I would review in my Security Gateways configuration after reading above references
- Anti-Spoofing: review 'preventing IP Spoofing' section of the administration guide here
- UserCheck portal access
Check Point Gateways provide UserCheck to allow internal users getting informed when accessing sites forbidden by policy.
Review access settings for the portal. The setting 'According to Firewall Policy' achieves stateful inspection of incoming traffic.
- Understand UserCheck portal is using MultiPortal Daemon documented in sk87920
- Understand DoS Mitigation options provided by Check Point Security Gateway sk112454 - especially Penalty Box
I encourage to study the above indicated resources and create a DoS defense strategy with your service provider having practices in place, in case a volumetric attack is raised against your Internet connection.
best regards
-pelmer