Weaponizing Middleboxes for TCP Reflected Amplification

🔥 176 · 💬 29 · 2 years ago · geneva.cs.umd.edu · dredmorbius
We discover a new way that attackers could launch reflected denial of service amplification attacks over TCP by abusing middleboxes and censorship infrastructure. This is the first reflected amplification attack over TCP that goes beyond sending SYN packets and the first HTTP-based reflected amplification attack. Reflected amplification attacks are a powerful tool in the arsenal of a DoS attacker. These middleboxes can be weaponized to conduct DoS amplification attacks. Since middleboxes spoof the IP address of the traffic they generate, the attacker can set the source IP address of the reflected traffic to be any IP address behind the middlebox.

How big of an amplification factor can attackers get with this attack? We are taking advantage of the implementation of the TCP protocol by middleboxes, unlike most prior attacks, which take advantage of a protocol specification itself. We found hundreds of IP addresses with middleboxes that offered an amplification factor larger than memcached, and hundreds of thousands of IP addresses that offered amplification factors greater than DNS and NTP.

Was this attack responsibly disclosed? Yes, but we're limited.