UMD Team Wins Distinguished Paper Award for Uncovering New Type of Cyberattack
Published August 12, 2021
University of Maryland researchers won a Distinguished Paper Award for their work uncovering a unique form of distributed denial-of-service (DDoS) attacks that can be used by nation-states to censor internet access.
DDoS attacks are an advanced form of traditional denial-of-service attacks, wherein a perpetrator tries to make a machine or network unavailable to legitimate users by flooding it with superfluous requests. The DDoS attacks are different in that they can flood a network from multiple sources, making it difficult to stop the cyberattack by simply blocking one source.
The UMD team used an artificial intelligence algorithm to uncover a new form of DDoS attacks—the first TCP-based amplification attack of its kind—on a scale that hasn't been seen before.
Their findings are detailed in “Weaponizing Middleboxes for TCP Reflected Amplification,” which won a Distinguished Paper Award at the 30th USENIX Security Symposium. The conference ran from August 11–13, and was held online due to the ongoing COVID-19 pandemic.
The paper was written by Kevin Bock, lead author and a fourth-year doctoral student in computer science; Kyle Hurley, a senior majoring in computer science; Abdulrahman Alaraj, a computer science doctoral student at the University of Colorado Boulder (CU Boulder); Eric Wustrow, an assistant professor of computer engineering at CU Boulder; and Dave Levin, an assistant professor of computer science at UMD.
“Denial-of-service attacks are a huge threat to the internet,” says Levin, who also has an appointment in the University of Maryland Institute for Advanced Computer Studies and is a core faculty member in the Maryland Cybersecurity Center.
One of the main tools in attackers’ toolkits, Levin says, is the ability to ‘amplify’ their traffic by sending small requests to a server, which responds with a large reply to the victim.
“Some of the largest, most threatening amplification factors in the past have been in the order of 500 times, with one recent amplification attack in the 10,000 times range,” Levin says. “We’ve discovered amplification attacks that offer 100,000-plus, one million-plus, and even technically infinite amplification.”
The researchers say that these types of newly discovered DDoS attacks are, in part, powered by the large-scale censorship infrastructure of nation-states like China, India and Kazakhstan.
“Some nation-states have long been known to censor their own citizens online. What this paper—and another concurrent paper of ours—shows is that nation-state censors pose an even greater threat to the internet as a whole,” Levin says. “Attackers can use the censorship infrastructure—usually many firewalls deployed at their borders—to launch denial of service attacks on anyone on the internet.”
The research team uncovered the amplification attacks using Geneva, an artificial intelligence tool they created. Geneva—short for Genetic Evasion because it was inspired by the principles of genetic evolution—was originally designed to circumvent censorship on the internet. With some modest changes, however, the researchers were able to repurpose it to learn how to elicit and maximize an amplification factor from a vulnerable censorship infrastructure.
The key vulnerability that enables this type of attack are censoring middleboxes or firewalls—computer networking devices that route internet traffic and enforce policies on what traffic is allowed.
Protecting the internet from these types of cyberthreats will require concerted effort from many middlebox manufacturers and operators, the researchers conclude. It would also require an effort by nation-states to update their censorship infrastructure (potentially weakening it in the process), which is something unlikely to happen.
To assist in these efforts, the research team plans to make their code publicly available.
—Story by Melissa Brachfeld