TCP Middlebox Reflection attacks can exploit millions of IPs


The TCP Middlebox Reflection method is a new amplification technique for conducting Distributed Denial-of-Service (DDoS) attacks. Researchers stated that this type of attack is a massive emerging threat that can affect many organisations.

The new attack abuses flawed firewalls and content filtering systems to reflect and amplify TCP traffic toward the target's devices.

Based on analysis of the recently discovered exploit, threat actors can trigger the attack sequence through Network Address Translators (NATs), firewalls, Deep Packet Inspection (DPI) systems, and load balancers by sending a specially crafted sequence of TCP packets.


The TCP Middlebox Reflection attack method is limited, and researchers discovered it before cybercriminals did.


However, they claimed that hackers could exploit more than 18 million IP addresses to deploy TCP-based DDoS reflection attacks.

In their report, researchers also listed the countries that this recently discovered exploit may heavily impact. China is the most affected country, since it has the highest count of flawed IPv4 addresses (more than 6.3 million). It is followed by Iran, with about 5.2 million vulnerable IP addresses. The third country is Indonesia, with 3 million IP addresses.

Furthermore, it is also highly probable that there are additional flawed IP addresses that can respond to Middlebox firewalls. Moreover, the first surge of observable attack campaigns occurred in February.

Similar attacks have also targeted gaming industries, banking institutions, travel firms, and media and web hosting industries. The traffic in these attacks has almost reached 11 gigabytes per second at about 1.5 million packets/second.

The attackers spoofed source IP addresses to bombard targeted middleboxes with unwanted traffic and abuse them.
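A victim-side check for the reflected traffic described above, as an added example that is not from the original article or the researchers' report: because the source addresses are spoofed, the target receives TCP packets for connections in which no handshake was ever seen. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed records, not captured traffic:
# (time_s, direction, src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_len)
SAMPLE = [
    # Normal outbound connection opened by a local host.
    (0.0, "out", "192.0.2.10", 40001, "198.51.100.5", 443, "S", 0),
    (0.1, "in", "198.51.100.5", 443, "192.0.2.10", 40001, "SA", 0),
    (0.2, "in", "198.51.100.5", 443, "192.0.2.10", 40001, "PA", 1200),
    # Normal inbound client talking to a local server.
    (0.3, "in", "198.51.100.9", 50500, "192.0.2.20", 443, "S", 0),
    (0.4, "in", "198.51.100.9", 50500, "192.0.2.20", 443, "PA", 300),
    # One stray out-of-state packet: below the alert threshold.
    (0.5, "in", "198.51.100.77", 80, "192.0.2.20", 44444, "R", 0),
]
# Reflected responses: many sources answer "requests" 192.0.2.10 never sent.
SAMPLE += [(1.0 + i * 0.05, "in", f"203.0.113.{i + 1}", 80,
            "192.0.2.10", 30000 + i, "PA", 1400) for i in range(20)]


def find_reflection_victims(records, window_s=5.0, min_packets=10):
    """Report local hosts receiving bursts of out-of-state inbound TCP packets."""
    known = set()  # (local_ip, local_port, remote_ip, remote_port) with a SYN seen
    buckets = defaultdict(lambda: [0, 0, set()])  # packets, bytes, source IPs
    for ts, direction, src, sport, dst, dport, flags, plen in sorted(
            records, key=lambda r: r[0]):
        if direction == "out":
            conn = (src, sport, dst, dport)
        else:
            conn = (dst, dport, src, sport)
        if flags == "S":  # a handshake starts here, in either direction
            known.add(conn)
            continue
        if direction == "out" or conn in known:
            continue
        # Inbound, not a SYN, and no handshake on record: out-of-state packet.
        bucket = buckets[(int(ts // window_s) * window_s, dst)]
        bucket[0] += 1
        bucket[1] += plen
        bucket[2].add(src)
    return [{"window_start": start, "victim": victim, "packets": b[0],
             "payload_bytes": b[1], "sources": len(b[2])}
            for (start, victim), b in sorted(buckets.items())
            if b[0] >= min_packets]


if __name__ == "__main__":
    for alert in find_reflection_victims(SAMPLE):
        print(alert)
```
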

The key finding is that the new attack vector is starting to see real-world abuse. Cybersecurity providers should be aware of such attack strategies and review their defensive solutions in light of this new DDoS vector.
