Amplification Denial-of-Service (DoS) attacks steer high-volume traffic to a victim by sending small IP-spoofed requests to UDP-based services. An attacker cannot abuse TCP-based services in the same manner, as TCP is connection-based and requires completing a handshake. Hence, previous work only showed that the connection-less part of TCP can be exploited for DoS, e.g., by abusing middleboxes or handshakes for stateless reflection attacks. This work studies connection-based TCP amplification attacks. We first propose a scalable methodology to explore the fundamental building block of connection-based TCP amplification attacks: hosts with easily predictable sequence number selection algorithms. Such hosts allow attackers to complete IP-spoofed TCP handshakes, opening up the possibility of sending IP-spoofed application-layer (e.g., HTTP) requests to trigger amplified traffic. Our identification revealed over 160k vulnerable HTTP servers in the IPv4 space, out of which 54k servers host "amplifying" (≥ 1 kB large) resources. Using only ≤ 3 sequence number guesses, a single IP-spoofed HTTP request achieves an amplification factor of 16.77 on average at an ≈ 80% success rate. Furthermore, we show that an attacker can also spoof cumulative ACKs and additional requests to further increase the impact of the amplification attack.
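The root cause the abstract names is initial sequence number (ISN) selection that an off-path party can predict within a handful of guesses. The following Python script is an added example, not code from the paper or its authors: it is the defender-side audit an operator would run on their own host. It takes the ISNs a server chose for consecutive connections (which you would read from a packet capture; the three sample series below are constructed) and replays them, predicting each next ISN from the earlier ones with a constant-increment model and counting how often a small set of guesses would have hit the real value. The constant-increment model, the guess-offset ordering, the 80% "predictable" threshold (chosen to mirror the success rate quoted above) and all sample values are assumptions of this example.

```python
"""Offline audit of a server's TCP initial sequence number (ISN) choices.

Added example (not from the paper): given ISNs observed for consecutive
connections to one host, estimate whether an off-path party could predict
the next ISN with a few guesses. All sample series below are constructed.
"""
import random
import statistics

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def deltas(isns):
    """Wrap-around-aware differences between consecutive ISNs."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predict_next(history):
    """Constant-increment model (assumption): last ISN plus the median
    observed step. This captures counter-style generators that advance by a
    fixed amount per connection, with the median tolerating small jitter."""
    step = int(statistics.median(deltas(history)))
    return (history[-1] + step) % MOD


def guess_offsets(n):
    """Order in which guesses are spent around the prediction: 0, +1, -1, +2, -2, ..."""
    offs = [0]
    k = 1
    while len(offs) < n:
        offs += [k, -k]
        k += 1
    return offs[:n]


def hit_rate(isns, guesses=1, train=4):
    """Replay the observations: after `train` samples, predict each following
    ISN and check whether one of `guesses` candidates equals the real value.
    Returns the fraction of hold-out ISNs a `guesses`-sized set would have hit."""
    offsets = guess_offsets(guesses)
    hits = trials = 0
    for i in range(train, len(isns)):
        base = predict_next(isns[:i])
        candidates = {(base + o) % MOD for o in offsets}
        trials += 1
        hits += isns[i] in candidates
    return hits / trials if trials else 0.0


def classify(isns, max_guesses=3, threshold=0.8):
    """Smallest number of guesses (1..max_guesses) whose hit rate reaches
    `threshold`, or None if the ISNs look unpredictable at that budget."""
    for g in range(1, max_guesses + 1):
        if hit_rate(isns, guesses=g) >= threshold:
            return g
    return None


# Constructed sample 1: counter stepping by a fixed 64000 per connection,
# starting near the top of the 32-bit range so the series wraps around.
COUNTER_ISNS = [(0xFFFF0000 + 64000 * i) % MOD for i in range(12)]

# Constructed sample 2: same counter with a tiny per-connection jitter of
# 0, +1, -1, ... (one guess is not enough, three guesses always suffice).
_jitter = [0, 1, -1]
JITTER_ISNS = [0x2000_0000]
for k in range(11):
    JITTER_ISNS.append((JITTER_ISNS[-1] + 64000 + _jitter[k % 3]) % MOD)

# Constructed sample 3: per-connection values with no visible structure,
# modelled with a seeded PRNG so the example is reproducible offline.
_rng = random.Random(1234)
RANDOM_ISNS = [_rng.randrange(MOD) for _ in range(12)]


def audit_report():
    """Classification of the three constructed series as a dict."""
    return {
        "counter": classify(COUNTER_ISNS),
        "jitter": classify(JITTER_ISNS),
        "random": classify(RANDOM_ISNS),
    }


if __name__ == "__main__":
    for name, guesses in audit_report().items():
        verdict = f"predictable with {guesses} guess(es)" if guesses else "not predictable within 3 guesses"
        print(f"{name:8s}: {verdict}")
```

On a real host, feed `classify()` the ISNs from the SYN-ACKs your server sent for a series of connection attempts; a result of 1 to 3 guesses is the condition the abstract describes as exploitable with ≤ 3 sequence number guesses, and the fix is on the server side (a per-connection-secret ISN generator), not in the application.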
Annual Computer Security Applications Conference (ACSAC)
2025-12-08
2026-01-29