Nation-state filtering systems that inject block pages can also reflect and amplify traffic at internet scale.
On February 7, 2026, I ran internet-wide scans and found millions of censorship and deep packet inspection middleboxes that send real HTTP responses to invalid TCP traffic with no handshake. That single design shortcut turns content filtering infrastructure into a pool of TCP reflected amplification DDoS reflectors.
This is not a flaw in TCP. TCP is doing what it is supposed to do. The break happens when middleboxes violate TCP session rules to enforce filtering.
Key findings include:
- Scale: 7,800,378 distinct reflector IPs observed in one scan
- Worst case: 2,160,868x maximum amplification observed, matching routing loop scenarios described in prior research
- Behavior changes by blocked domain: the hostname you probe changes which middleboxes respond, how often they retransmit, and how large the responses are
- Hard to filter: the reflected traffic looks like plausible HTTP coming from millions of legitimate IPs
- Fixes exist: but many operators would have to trade filtering aggressiveness for TCP correctness
Why this exists
Classic amplification is usually a UDP problem because UDP is connectionless and easy to spoof. TCP should resist spoofed reflection because a connection normally requires a three-way handshake: an attacker spoofing the victim's address never sees the SYN-ACK, so it cannot supply the acknowledgment number a correct host demands before it will accept or send data.
Censorship middleboxes break that assumption. Many are built to spot a blocked hostname inside HTTP and immediately inject a block page, even if they have not seen a valid TCP handshake or a valid sequence state. If a network still allows source address spoofing, the injected response can be reflected to a victim.
Prior work
- 2021: Bock, Alaraj, and collaborators (University of Maryland and University of Colorado Boulder) demonstrated TCP reflected amplification via middleboxes at scale, including extreme amplification from routing loops. The work appeared at USENIX Security 2021 and received a Distinguished Paper Award.
- 2022: Akamai reported confirmed in-the-wild attacks using this technique.
- 2022: Shadowserver scanned IPv4 and reported 18.8 million IPs vulnerable to middlebox TCP reflection.
- 2026: My scans show the population remains large, and the routing loop worst-case behavior still exists.
Scan methodology and results
I ran multiple internet-wide scans using a custom module and captured every response on a separate listener. Each probe used PSH+ACK flags (no SYN and no handshake), carried a small HTTP request in the payload, and targeted port 8000 to show that inspection is not limited to ports 80 or 443. The probes carried an HTTP request that included a blocked hostname in the Host header. Different hostnames trigger different filtering policies and therefore different middlebox populations.
The example payload was simple; line endings are CRLF and a blank line terminates the request:
GET / HTTP/1.1
Host: wikileaks.org
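The probe described above, rebuilt as raw IPv4/TCP bytes so the layout can be checked. This is an added example and not the author's scan module; the source and destination addresses (RFC 5737 documentation ranges), the source port and the sequence numbers are placeholders chosen for the example, and the source address is the one an attacker would spoof. Sending would need a raw socket and authorization and is deliberately left out; instead the packet is parsed back to confirm the PSH+ACK flags and both checksums.

```python
# Added example (not the author's scanner): build the PSH+ACK probe described
# above as raw IPv4/TCP bytes and parse it back to check flags and checksums.
# Addresses, ports and sequence numbers are placeholders for the example.
import socket
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; used for both the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def http_probe_payload(host: str) -> bytes:
    """Minimal HTTP/1.1 request carrying the blocked hostname in the Host header."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def build_probe(src: str, dst: str, host: str, sport: int = 40000, dport: int = 8000,
                seq: int = 0x12345678, ack: int = 0x9ABCDEF0) -> bytes:
    """IPv4 + TCP (PSH+ACK, no options) + HTTP payload. No SYN is ever sent."""
    payload = http_probe_payload(host)
    flags = FLAG_BITS["PSH"] | FLAG_BITS["ACK"]
    # data offset 5 words (20 bytes), window 65535, checksum 0 for now, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp) + len(payload)))
    tcp_csum = ones_complement_checksum(pseudo + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    total_len = 20 + len(tcp) + len(payload)
    # version 4 / IHL 5, TOS 0, id, no fragmentation, TTL 64, protocol TCP, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def decode_probe(packet: bytes) -> dict:
    """Parse the IPv4/TCP headers back out and verify both checksums (a valid header sums to 0)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, segment = packet[:ihl], packet[ihl:]
    sport, dport, _seq, _ack, offset, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    payload = segment[(offset >> 4) * 4:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": sorted(name for name, bit in FLAG_BITS.items() if flags & bit),
        "ip_checksum_ok": ones_complement_checksum(ip) == 0,
        "tcp_checksum_ok": ones_complement_checksum(pseudo + segment) == 0,
        "payload": payload,
    }


def amplification(request: bytes, responses: list) -> float:
    """Bytes-on-the-wire amplification for one reflector: reflected bytes / probe bytes."""
    return sum(len(r) for r in responses) / len(request)


if __name__ == "__main__":
    for host in ("youporn.com", "wikileaks.org", "telegram.org"):
        probe = build_probe("192.0.2.10", "198.51.100.20", host)
        info = decode_probe(probe)
        print(f"{host:14s} {len(probe)} bytes on the wire, flags={info['flags']}, "
              f"checksums ok={info['ip_checksum_ok'] and info['tcp_checksum_ok']}")
```

Running the block prints 77, 79 and 78 bytes for the three hostnames, which is exactly the request size row in the table below: 20 bytes of IPv4 header, 20 bytes of TCP header and the CRLF-terminated HTTP request. The amplification helper is the per-reflector ratio the scan statistics are built from.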
Scan comparison
| Metric | youporn.com | wikileaks.org | telegram.org |
|---|---|---|---|
| Total reflectors | 7,800,378 | 6,761,041 | 6,713,687 |
| Total packets received | 13,982,071 | 13,570,929 | 7,457,830 |
| Total bytes received | 1.84 GiB | 1.73 GiB | 1.20 GiB |
| Average amplification | 3.30x | 3.47x | 2.46x |
| Max amplification | 1,131,487x | 2,160,868x | 103,255x |
| Packets per reflector | 1.79 | 2.01 | 1.11 |
| Average bytes per packet | 141 | 136 | 172 |
| Request size (IP + TCP + payload) | 77 bytes | 79 bytes | 78 bytes |
Byte totals are binary gigabytes (GiB). Amplification is measured in bytes on the wire: average amplification is total bytes received divided by total bytes sent (reflector count times request size), and the request size is the 20-byte IPv4 header, the 20-byte TCP header and the HTTP payload with CRLF line endings. Packets per reflector is total packets divided by reflector count.
Analysis by hostname
1. Pornography blocks produce the largest footprint
The youporn.com probe produced the largest reflector population: 7.8 million distinct IPs. This aligns with the fact that pornography is widely blocked across many regions, which broadens the number of networks with matching rules.
Terminal output from the youporn.com scan showing 13.98 million packets from 7.8 million unique IPs, plus TCP flag statistics.
2. WikiLeaks blocks retransmit more frequently
The standout metric is packets per reflector:
- wikileaks.org: 2.01
- youporn.com: 1.79
- telegram.org: 1.11
An average near 2 means a typical reflector sent its block page and then retransmitted it at least once when no ACK arrived, because the session it is acknowledging never existed. In this dataset, political and whistleblower filtering shows the highest retransmission rate.
That retransmission behavior explains why wikileaks.org has the highest average amplification (3.47x) and also hit the largest maximum amplification (2,160,868x).
Full scan results for the wikileaks.org payload: 6,761,041 reflectors, 13.57 million packets, 1.73 GB reflected, max amplification above 2.16 million.
3. Telegram blocks generate larger responses
The telegram.org probe produced fewer total packets and the lowest packets per reflector, but the largest average bytes per packet (172). Many Telegram block pages appear more complex and include branding elements.
Extreme amplification cases
All three probes found reflectors above 100,000x amplification. Two probes found reflectors above 1,000,000x.
These extremes are consistent with routing loop behavior described in academic work. In that failure mode, injected packets re-enter filtering paths and trigger repeated injections. If the loop does not terminate quickly, the response traffic grows until something breaks.
Response traffic characteristics
Two observations from the response patterns:
- Different vendors and configurations behave differently. This shows up in retransmission rates, response sizes, and how devices close the connection.
- Some devices emit non-standard TCP flag patterns. Reserved bits and other anomalies act as vendor fingerprints, and some appear more often for particular content categories.
High-level response patterns:
- For youporn.com and wikileaks.org, most responses followed "send block page, then close" or "send block page and leave hanging" patterns.
- For telegram.org, many responses left the phantom connection open, suggesting stateful behavior even though no real connection exists.
Example block pages
These are examples of actual responses to invalid TCP traffic carrying a blocked hostname.
Uzbekistan (ogohlantirish.uz) block page

UAE (lighthouse.du.ae) block page

Attack traffic characteristics
In a controlled test (using only 7,000,000 pps for under 30 seconds), reflected traffic quickly rose, nearing 100 Gbps. The DSTAT stalled during the run, so the peak only appeared after the test stopped, implying the actual rate was higher than what DSTAT recorded. The receiving monitoring stack saturated before the reflector pool.
Two practical consequences for defenders:
- Source-based blocking is ineffective. The traffic comes from large numbers of legitimate IPs tied to governments and ISPs.
- The payload resembles normal HTTP. It is harder to classify than classic UDP amplification replies.
Filtering design impacts amplification power
Filtering design choices map directly to amplification capability:
- A device that drops traffic or sends a small reset is a weak reflector
- A device that injects a full multi-kilobyte HTML block page is a strong reflector
- A device that retransmits that block page is stronger
- A device caught in a routing loop can become an extreme outlier
Countries that invest heavily in national filtering also operate some of the most capable reflector infrastructure as a side effect.
Comparison to UDP amplification
This attack has several advantages over classic UDP amplification:
- Many unique sources: Millions of IPs can participate, which makes filtering and attribution harder
- Legitimate-looking responses: Appears as ordinary HTTP from real networks
- Trigger-dependent: The filtering category you hit changes which infrastructure answers
- Not tied to one port: the probes here targeted TCP 8000 and still drew millions of responses, so inspection is not limited to 80 or 443
Mitigation
Network operators and ISPs
- Stop source spoofing at the edge with BCP 38 (RFC 2827) and BCP 84 (RFC 3704) source address validation, for example strict or feasible-path uRPF on customer-facing interfaces. If spoofing fails, reflection fails.
Middlebox operators
- Do not inject responses outside a valid TCP session. Only inject after a full handshake and validated sequence state.
- Ensure injected traffic follows normal IP forwarding behavior, including decrementing TTL rather than starting a fresh one on every injection, so that a packet caught in a routing loop eventually expires instead of triggering another injection.
DDoS mitigation teams
- Treat unsolicited HTTP-like traffic as suspect when it arrives at scale from diverse sources.
- Akamai has recommended watching for anomalies such as SYN packets that carry payload data as a practical signal in some environments.
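The two signals above, unsolicited HTTP-like segments and SYN packets carrying data, as a small detector run over constructed packet records. This is an added example, not code from the original post or from Akamai; the protected prefix 192.0.2.0/24, the addresses and the records are assumptions for the example, and in a real deployment the records would come from flow telemetry or packet capture.

```python
# Added example (not from the original post): a detector for the two signals
# the mitigation section describes, run over constructed packet records.
# The victim prefix, addresses and records are assumptions for the example.
import ipaddress
from collections import defaultdict


class MiddleboxReflectionDetector:
    """Flags HTTP-looking TCP segments that arrive for a connection the protected
    network never opened, and SYN packets that carry a payload."""

    def __init__(self, protected_prefix: str, distinct_source_threshold: int = 3):
        self.protected = ipaddress.ip_network(protected_prefix)
        self.threshold = distinct_source_threshold
        self.opened = set()                        # 4-tuples for which our side sent a SYN
        self.unsolicited_bytes = defaultdict(int)  # remote IP -> reflected bytes
        self.syn_with_payload = []                 # remote IPs that sent SYN + data

    def observe(self, pkt: dict) -> str:
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        flags = set(pkt["flags"])
        payload = pkt["payload"]

        # Outbound SYN (without ACK) from our side: remember the connection attempt.
        if src in self.protected and "SYN" in flags and "ACK" not in flags:
            self.opened.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "outbound-syn"

        if dst in self.protected:
            # A SYN should not carry application data.
            if "SYN" in flags and payload:
                self.syn_with_payload.append(pkt["src"])
                return "syn-with-payload"
            # An HTTP response for a 4-tuple we never opened is reflected traffic,
            # regardless of how plausible the HTTP itself looks.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if payload.startswith(b"HTTP/1.") and key not in self.opened:
                self.unsolicited_bytes[pkt["src"]] += len(payload)
                return "unsolicited-http"
        return "benign"

    def summary(self) -> dict:
        sources = len(self.unsolicited_bytes)
        return {
            "unsolicited_http_sources": sources,
            "unsolicited_http_bytes": sum(self.unsolicited_bytes.values()),
            "syn_with_payload_sources": len(set(self.syn_with_payload)),
            # Alert on source diversity, not on any single source: per-IP blocking
            # does not scale to millions of reflectors.
            "alert": sources >= self.threshold,
        }


def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "payload": payload}


BLOCK_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Access denied</html>"

# Constructed records: one legitimate connection, then block pages reflected from
# distinct middleboxes (one retransmitted), then a SYN carrying data.
SAMPLE_RECORDS = [
    pkt("192.0.2.7", 51000, "203.0.113.5", 80, ["SYN"]),
    pkt("203.0.113.5", 80, "192.0.2.7", 51000, ["SYN", "ACK"]),
    pkt("203.0.113.5", 80, "192.0.2.7", 51000, ["PSH", "ACK"], b"HTTP/1.1 200 OK\r\n\r\nhello"),
    pkt("198.51.100.1", 8000, "192.0.2.7", 40000, ["PSH", "ACK"], BLOCK_PAGE),
    pkt("198.51.100.2", 8000, "192.0.2.7", 40000, ["PSH", "ACK"], BLOCK_PAGE),
    pkt("198.51.100.2", 8000, "192.0.2.7", 40000, ["PSH", "ACK"], BLOCK_PAGE),  # retransmit
    pkt("198.51.100.3", 8000, "192.0.2.7", 40000, ["PSH", "ACK", "FIN"], BLOCK_PAGE),
    pkt("198.51.100.9", 8000, "192.0.2.7", 40000, ["SYN"], b"GET / HTTP/1.1\r\n"),
]


def run(records=SAMPLE_RECORDS, protected_prefix="192.0.2.0/24"):
    detector = MiddleboxReflectionDetector(protected_prefix)
    verdicts = [detector.observe(p) for p in records]
    return verdicts, detector.summary()


if __name__ == "__main__":
    verdicts, summary = run()
    for record, verdict in zip(SAMPLE_RECORDS, verdicts):
        print(f"{record['src']:>14} -> {record['dst']:<11} {'+'.join(record['flags']):<12} {verdict}")
    print(summary)
```

The legitimate response from 203.0.113.5 is accepted because its 4-tuple matches a SYN the protected side sent, while the four block pages are flagged even though each is well-formed HTTP from a real network. The detector keys on the absence of a handshake rather than on source reputation, which is the only signal that survives when the reflectors are millions of legitimate addresses.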
Governments
- Filtering infrastructure can be exploited both outward and inward. Fixing it requires making it TCP-correct and loop-free, even if that reduces filtering flexibility.
Summary
On February 7, 2026, my scans observed 7.8 million distinct IPs willing to reflect HTTP responses over TCP without a handshake. The top-end behavior reached 2.16 million times amplification from a single reflector, consistent with the routing loop failure mode described in prior research.
This is not a new vulnerability. It is a design shortcut that has scaled up as censorship infrastructure expanded.