Attacks/Breaches

4/13/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

New Breed of DDoS Attack On the Rise

Akamai Networks since October has detected and mitigated at least 50 DDoS attacks using Connectionless LDAP.

Over the years, threat actors have abused a variety of services including DNS, SNMP, and NTP to enable and amplify distributed denial-of-service (DDoS) attacks against their targets.

A new method that appears to be gaining favor among attackers involves the abuse of Connectionless LDAP, a version of the Lightweight Directory Access Protocol that many organizations rely on for directory services such as accessing usernames and passwords from Microsoft's Windows Active Directory.

In an advisory Wednesday, content delivery network and cloud services provider Akamai Networks reported encountering and mitigating at least 50 CLDAP reflection-attacks against its customers since last October.

About 33% of those were single-vector attacks, meaning they relied solely on CLDAP reflection to try and disrupt or knock their targets offline.

What makes the new technique dangerous is the extent of the amplification that can be achieved by abusing Internet-exposed CLDAP services, says Jose Arteaga, a member of Akamai's security intelligence response team.

"CLDAP reflection works in the same way as any other UDP-based reflection attack," Arteaga says. "[But] the amplification of the response is impressive compared to most other vectors," he says. On average, Akamai observed CLDAP-enabled DDoS attacks achieving amplifications of over 56%.

The largest attack using CLDAP as the sole vector that Akamai has mitigated so far had a peak bandwidth of 24 Gigabits per second, or about two million packets per second. "These attacks are averaging around 3 gigabits per second—a pretty impressive number considering the limited number of available reflectors," Arteaga says.

"It's enough to bring smaller sites offline and potentially cause latency issues on others."

CLDAP uses the User Datagram Protocol (UDP) instead of the Transmission Control Protocol (TCP) for communication. UDP does not validate source IP addresses, thereby making application-layer protocols that rely on it—such as CLDAP—good vectors for launching DDoS attacks.

A UDP reflection and amplification attack is one where an attacker sends specially crafted packets that appear to originate from their intended target's IP address, to numerous UDP servers that are exposed on the Internet. Responses from the UDP servers are sent to the victim’s IP address creating denial of service conditions. By sending certain requests, attackers can get the UDP servers to respond with packets that are multiple times the size of the original packet, thereby amplifying the volume of the DDoS traffic. The attacks that Akamai observed had amplification factors of over 50% on average.

Corero Network Security was among the first vendors to warn of the new attack vector when it reported encountering CLDAP-enabled amplification attacks against a small number of its customers last October. At the time, the company had reported seeing an average amplification factor of 46 and a peak of 55.

Such amplification attacks are possible because of the many open CLDAP services on the Internet that respond to queries for spoofed IP addresses, the company had noted in an advisory at the time.

The Shadowserver Foundation's Open LDAP Scanning Project currently lists 73,380 distinct IP addresses around the world belonging to devices running CLDAP that are openly accessible over the Internet via port 389. Over 16,700 of those devices are based in the US.

Other countries with a relatively large number of exposed CLDAP services include Brazil, with 5,411; France, with 3,459; and the United Kingdom, with 3,354.

Each of these devices has the potential of being used in an amplification attack. The Shadowserver Foundation's goal in identifying them is to try and alert their network owners about the issue.

The discovered hosts are not filtering port 389," Arteaga says. "In other words, these hosts have port 389 open and listening."

Unlike DNS or NTP, there is likely little reason to expose CLDAP over the Internet, Arteaga says. "We aren't sure this is a common or best practice approach," he says.

The key takeaway for enterprises is to make sure they don't contribute to the problem themselves. CLDAP is in fact the thirteenth protocol that Akamai has discovered being used as a DDoS amplification vector due to organizations not securing the protocols, Arteaga says.

"Have a clear understanding of services that are UDP-based and exposed over the Internet and weigh out the pros and cons of having those," he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0243
PUBLISHED: 2018-07-19
Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a symlink attack to a file in /var/lib/check_mk_agent/job.
CVE-2014-2302
PUBLISHED: 2018-07-19
The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org.
CVE-2018-7602
PUBLISHED: 2018-07-19
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Rem...
CVE-2018-14332
PUBLISHED: 2018-07-19
An issue was discovered in Clementine Music Player 1.3.1. Clementine.exe is vulnerable to a user mode write access violation due to a NULL pointer dereference in the Init call in the MoodbarPipeline::NewPadCallback function in moodbar/moodbarpipeline.cpp. The vulnerability is triggered when the user...
CVE-2018-1529
PUBLISHED: 2018-07-19
IBM Rational DOORS Next Generation 5.0 through 5.0.2, 6.0 through 6.0.5 and IBM Rational Requirements Composer 5.0 through 5.0.2 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potential...