One of the authors here! You're right that it's not abusing TCP proper, but rather how middleboxes process TCP connections. Because they are eavesdropping on the connection in the middle of the path, they can't always be certain they will see every packet. Route asymmetry or congestion at the middlebox can result in cases where the destination gets a packet the middlebox doesn't. So what does a middlebox do when it sees a packet that doesn't conform to what it believes the current state of the connection is? (E.g., if it sees a SYN, then ACK, but never the SYN+ACK that's supposed to come between them.) Most middleboxes have the policy that they assume that they missed it but the end-host didn't (after all, who in their right minds would ACK a non-existent SYN+ACK?). So what our attacks abuse are these (necessary?) decisions by middleboxes to address the so-called eavesdropper's dilemma.

I'm Dave Levin, one of the authors of this work. Thanks for sharing! I'd be happy to answer any questions.