Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/13/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

New Breed of DDoS Attack On the Rise

Akamai Networks since October has detected and mitigated at least 50 DDoS attacks using Connectionless LDAP.

Over the years, threat actors have abused a variety of services including DNS, SNMP, and NTP to enable and amplify distributed denial-of-service (DDoS) attacks against their targets.

A new method that appears to be gaining favor among attackers involves the abuse of Connectionless LDAP, a version of the Lightweight Directory Access Protocol that many organizations rely on for directory services such as accessing usernames and passwords from Microsoft's Windows Active Directory.

In an advisory Wednesday, content delivery network and cloud services provider Akamai Networks reported encountering and mitigating at least 50 CLDAP reflection-attacks against its customers since last October.

About 33% of those were single-vector attacks, meaning they relied solely on CLDAP reflection to try and disrupt or knock their targets offline.

What makes the new technique dangerous is the extent of the amplification that can be achieved by abusing Internet-exposed CLDAP services, says Jose Arteaga, a member of Akamai's security intelligence response team.

"CLDAP reflection works in the same way as any other UDP-based reflection attack," Arteaga says. "[But] the amplification of the response is impressive compared to most other vectors," he says. On average, Akamai observed CLDAP-enabled DDoS attacks achieving amplifications of over 56%.

The largest attack using CLDAP as the sole vector that Akamai has mitigated so far had a peak bandwidth of 24 Gigabits per second, or about two million packets per second. "These attacks are averaging around 3 gigabits per second—a pretty impressive number considering the limited number of available reflectors," Arteaga says.

"It's enough to bring smaller sites offline and potentially cause latency issues on others."

CLDAP uses the User Datagram Protocol (UDP) instead of the Transmission Control Protocol (TCP) for communication. UDP does not validate source IP addresses, thereby making application-layer protocols that rely on it—such as CLDAP—good vectors for launching DDoS attacks.

A UDP reflection and amplification attack is one where an attacker sends specially crafted packets that appear to originate from their intended target's IP address, to numerous UDP servers that are exposed on the Internet. Responses from the UDP servers are sent to the victim’s IP address creating denial of service conditions. By sending certain requests, attackers can get the UDP servers to respond with packets that are multiple times the size of the original packet, thereby amplifying the volume of the DDoS traffic. The attacks that Akamai observed had amplification factors of over 50% on average.

Corero Network Security was among the first vendors to warn of the new attack vector when it reported encountering CLDAP-enabled amplification attacks against a small number of its customers last October. At the time, the company had reported seeing an average amplification factor of 46 and a peak of 55.

Such amplification attacks are possible because of the many open CLDAP services on the Internet that respond to queries for spoofed IP addresses, the company had noted in an advisory at the time.

The Shadowserver Foundation's Open LDAP Scanning Project currently lists 73,380 distinct IP addresses around the world belonging to devices running CLDAP that are openly accessible over the Internet via port 389. Over 16,700 of those devices are based in the US.

Other countries with a relatively large number of exposed CLDAP services include Brazil, with 5,411; France, with 3,459; and the United Kingdom, with 3,354.

Each of these devices has the potential of being used in an amplification attack. The Shadowserver Foundation's goal in identifying them is to try and alert their network owners about the issue.

The discovered hosts are not filtering port 389," Arteaga says. "In other words, these hosts have port 389 open and listening."

Unlike DNS or NTP, there is likely little reason to expose CLDAP over the Internet, Arteaga says. "We aren't sure this is a common or best practice approach," he says.

The key takeaway for enterprises is to make sure they don't contribute to the problem themselves. CLDAP is in fact the thirteenth protocol that Akamai has discovered being used as a DDoS amplification vector due to organizations not securing the protocols, Arteaga says.

"Have a clear understanding of services that are UDP-based and exposed over the Internet and weigh out the pros and cons of having those," he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...