Attacks/Breaches
4/13/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

New Breed of DDoS Attack On the Rise

Akamai Networks since October has detected and mitigated at least 50 DDoS attacks using Connectionless LDAP.

Over the years, threat actors have abused a variety of services including DNS, SNMP, and NTP to enable and amplify distributed denial-of-service (DDoS) attacks against their targets.

A new method that appears to be gaining favor among attackers involves the abuse of Connectionless LDAP, a version of the Lightweight Directory Access Protocol that many organizations rely on for directory services such as accessing usernames and passwords from Microsoft's Windows Active Directory.

In an advisory Wednesday, content delivery network and cloud services provider Akamai Networks reported encountering and mitigating at least 50 CLDAP reflection-attacks against its customers since last October.

About 33% of those were single-vector attacks, meaning they relied solely on CLDAP reflection to try and disrupt or knock their targets offline.

What makes the new technique dangerous is the extent of the amplification that can be achieved by abusing Internet-exposed CLDAP services, says Jose Arteaga, a member of Akamai's security intelligence response team.

"CLDAP reflection works in the same way as any other UDP-based reflection attack," Arteaga says. "[But] the amplification of the response is impressive compared to most other vectors," he says. On average, Akamai observed CLDAP-enabled DDoS attacks achieving amplifications of over 56%.

The largest attack using CLDAP as the sole vector that Akamai has mitigated so far had a peak bandwidth of 24 Gigabits per second, or about two million packets per second. "These attacks are averaging around 3 gigabits per second—a pretty impressive number considering the limited number of available reflectors," Arteaga says.

"It's enough to bring smaller sites offline and potentially cause latency issues on others."

CLDAP uses the User Datagram Protocol (UDP) instead of the Transmission Control Protocol (TCP) for communication. UDP does not validate source IP addresses, thereby making application-layer protocols that rely on it—such as CLDAP—good vectors for launching DDoS attacks.

A UDP reflection and amplification attack is one where an attacker sends specially crafted packets that appear to originate from their intended target's IP address, to numerous UDP servers that are exposed on the Internet. Responses from the UDP servers are sent to the victim’s IP address creating denial of service conditions. By sending certain requests, attackers can get the UDP servers to respond with packets that are multiple times the size of the original packet, thereby amplifying the volume of the DDoS traffic. The attacks that Akamai observed had amplification factors of over 50% on average.

Corero Network Security was among the first vendors to warn of the new attack vector when it reported encountering CLDAP-enabled amplification attacks against a small number of its customers last October. At the time, the company had reported seeing an average amplification factor of 46 and a peak of 55.

Such amplification attacks are possible because of the many open CLDAP services on the Internet that respond to queries for spoofed IP addresses, the company had noted in an advisory at the time.

The Shadowserver Foundation's Open LDAP Scanning Project currently lists 73,380 distinct IP addresses around the world belonging to devices running CLDAP that are openly accessible over the Internet via port 389. Over 16,700 of those devices are based in the US.

Other countries with a relatively large number of exposed CLDAP services include Brazil, with 5,411; France, with 3,459; and the United Kingdom, with 3,354.

Each of these devices has the potential of being used in an amplification attack. The Shadowserver Foundation's goal in identifying them is to try and alert their network owners about the issue.

The discovered hosts are not filtering port 389," Arteaga says. "In other words, these hosts have port 389 open and listening."

Unlike DNS or NTP, there is likely little reason to expose CLDAP over the Internet, Arteaga says. "We aren't sure this is a common or best practice approach," he says.

The key takeaway for enterprises is to make sure they don't contribute to the problem themselves. CLDAP is in fact the thirteenth protocol that Akamai has discovered being used as a DDoS amplification vector due to organizations not securing the protocols, Arteaga says.

"Have a clear understanding of services that are UDP-based and exposed over the Internet and weigh out the pros and cons of having those," he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.