Threat Watch

New Research Demonstrates DDoS Weaponization of Censorship Middleboxes

A team of researchers from the University of Colorado and the University of Maryland has released a new paper and Proof of Concept (PoC) code demonstrating that censorship systems and other so-called middleboxes can be used to create potentially unlimited amplification for Distributed Denial of Service (DDoS) attacks. The term middlebox here refers primarily to censorship systems that deny blacklisted traffic, widely used by nation-states in closed Internet infrastructures, but it can also refer to firewalls and intrusion detection systems in institutional networks; even these benign middleboxes can be weaponized by the PoC. Amplification refers to a common DDoS strategy: for example, packets carrying the spoofed IP address of the target are sent to open servers or DNS resolvers, which respond with longer messages or a stream of multiple packets aimed at the target, allowing attackers to generate massive amounts of Internet traffic that overwhelm the target's infrastructure. Notably, the PoC generates TCP packets rather than UDP packets, because many middleboxes do not comply with the TCP three-way handshake standard and will respond without a completed handshake.

There is no legal or compliance requirement for ISPs and other large organizations to monitor the use of their infrastructures in DDoS attacks. However, good Internet citizenship helps ensure everyone's security and also prevents the misuse of resources allocated to an organization's network; it pays to monitor and block DNS amplification attacks regardless of whether one is the target of the attack or not. We can expect this research and PoC code to be utilized by threat actors to create new challenges for organizations and content delivery networks such as Cloudflare.
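As an added example (not code from the paper or from this newsletter), here is a defender-side check in the spirit of the monitoring recommendation above and of the reflection mechanism described earlier: over constructed flow-log records it flags inbound TCP segments that arrive for connections the local host never opened with a SYN, which is the trace a spoofed-source reflection leaves at the victim's network edge. The flow-record format, the addresses, the local prefix and the byte threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One TCP segment summary in a hypothetical flow-log format (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "PA", "R"
    size: int    # bytes on the wire


def unsolicited_tcp_bytes(flows, local_prefix, min_bytes=1000):
    """Bytes delivered to local hosts by remote (ip, port) pairs the local host
    never sent a SYN to. Returns {(reflector_ip, victim_ip): bytes}, keeping
    only pairs at or above min_bytes so stray scanner RSTs do not alert."""
    local = ip_network(local_prefix)
    # connections the local side really opened: (local_ip, remote_ip, remote_port)
    syns = {(f.src, f.dst, f.dport) for f in flows
            if ip_address(f.src) in local and f.flags == "S"}
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.dst) not in local:
            continue                        # only inbound segments matter here
        if (f.dst, f.src, f.sport) in syns:
            continue                        # legitimate reply to a local SYN
        totals[(f.src, f.dst)] += f.size
    return {k: v for k, v in totals.items() if v >= min_bytes}


def victims_by_reflector_count(unsolicited):
    """Roll up per victim as (distinct reflectors, total bytes); a reflected
    DDoS shows many reflectors converging on one victim address."""
    out = defaultdict(lambda: [0, 0])
    for (_reflector, victim), nbytes in unsolicited.items():
        out[victim][0] += 1
        out[victim][1] += nbytes
    return {v: tuple(c) for v, c in out.items()}


SAMPLE = [  # constructed records, documentation address ranges
    # legitimate session: local host opens 198.51.100.5:443 and gets a page back
    Flow("203.0.113.10", 51000, "198.51.100.5", 443, "S", 60),
    Flow("198.51.100.5", 443, "203.0.113.10", 51000, "SA", 60),
    Flow("198.51.100.5", 443, "203.0.113.10", 51000, "PA", 1500),
    # reflection: middleboxes "answer" spoofed segments with block pages nobody asked for
    Flow("192.0.2.77", 80, "203.0.113.20", 44000, "PA", 1400),
    Flow("192.0.2.77", 80, "203.0.113.20", 44000, "PA", 1400),
    Flow("192.0.2.77", 80, "203.0.113.20", 44000, "PA", 1400),
    Flow("192.0.2.78", 80, "203.0.113.20", 44001, "PA", 1400),
    # small unsolicited RST from a scanner, below the byte threshold
    Flow("198.51.100.9", 80, "203.0.113.30", 44002, "R", 40),
]
```

On the sample, only the two middlebox sources are reported, both aimed at 203.0.113.20, while the legitimate session and the lone RST are ignored.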