Amplification Denial-of-Service (DoS) attacks steer high-volume traffic to a victim by sending small IP-spoofed requests to UDP-based services. An attacker cannot abuse TCP-based services in the same manner, as TCP is connection-based and requires completing a handshake. Hence, previous works only showed that the connection-less part of TCP can be exploited for DoS, e.g., by abusing middleboxes or handshakes for stateless reflection attacks. This work studies connection-based TCP amplification attacks. We first propose a scalable methodology to explore the fundamentals of connection-based TCP amplification attacks, namely hosts with easily predictable sequence number selection algorithms. This predictability allows attackers to complete IP-spoofed TCP handshakes, opening up the possibility of sending IP-spoofed application-layer (e.g., HTTP) requests to trigger amplified traffic. Our identification revealed over 160k vulnerable HTTP servers in the IPv4 space, out of which 54k servers host "amplifying" (≥ 1 kB large) resources. Using only ≤ 3 sequence number guesses, a single IP-spoofed HTTP request achieves an average amplification factor of 16.77 at an ≈ 80% success rate. Furthermore, we show that an attacker can also spoof cumulative ACKs and additional requests to further increase the impact of the amplification attack.
2025-12-08
2026-02-04
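The root cause named in the abstract is predictable initial sequence number (ISN) selection. The following added example (not code from the paper) contrasts a constructed fixed-increment generator with an RFC 6528-style keyed generator and audits ISN samples taken from one's own server for a three-guess budget. The fixed step, the HMAC-SHA256 choice for F, the delta-based audit heuristic and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac

MOD = 2**32

def weak_isn(n, step=64000):
    """Constructed legacy-style generator: fixed increment per connection."""
    return (n * step) % MOD

def rfc6528_isn(secret, four_tuple, clock_us):
    """RFC 6528 form: ISN = M + F(4-tuple, secret), with M a 4-microsecond timer.
    F is HMAC-SHA256 truncated to 32 bits here (an assumption; any PRF fits)."""
    msg = "|".join(map(str, four_tuple)).encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (clock_us // 4 + f) % MOD

def guessable_fraction(samples, guesses=3):
    """Fraction of ISNs equal to the previous ISN plus one of the most recent
    distinct deltas, i.e. predictable within `guesses` attempts."""
    hits = total = 0
    for i in range(2, len(samples)):
        deltas = []
        for j in range(i - 1, 0, -1):  # most recent delta first
            d = (samples[j] - samples[j - 1]) % MOD
            if d not in deltas:
                deltas.append(d)
            if len(deltas) == guesses:
                break
        candidates = {(samples[i - 1] + d) % MOD for d in deltas}
        hits += samples[i] in candidates
        total += 1
    return hits / total if total else 0.0

def demo():
    """Audit 50 constructed connections, each from a different source port."""
    secret = b"constructed-demo-secret"  # real stacks use a random boot-time key
    tuples = [("198.51.100.7", 40000 + i, "192.0.2.10", 80) for i in range(50)]
    weak = [weak_isn(i) for i in range(50)]
    strong = [rfc6528_isn(secret, t, i * 1000) for i, t in enumerate(tuples)]
    return guessable_fraction(weak), guessable_fraction(strong)

if __name__ == "__main__":
    weak_score, strong_score = demo()
    print(f"fixed-increment ISNs guessable: {weak_score:.0%}")
    print(f"RFC 6528-style ISNs guessable:  {strong_score:.0%}")
```

A score near 1.0 on samples collected from a server's SYN-ACKs indicates the kind of host the abstract counts as vulnerable; a keyed per-connection offset drives the score toward zero.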