Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/13/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

New Breed of DDoS Attack On the Rise

Akamai Networks since October has detected and mitigated at least 50 DDoS attacks using Connectionless LDAP.

Over the years, threat actors have abused a variety of services including DNS, SNMP, and NTP to enable and amplify distributed denial-of-service (DDoS) attacks against their targets.

A new method that appears to be gaining favor among attackers involves the abuse of Connectionless LDAP, a version of the Lightweight Directory Access Protocol that many organizations rely on for directory services such as accessing usernames and passwords from Microsoft's Windows Active Directory.

In an advisory Wednesday, content delivery network and cloud services provider Akamai Networks reported encountering and mitigating at least 50 CLDAP reflection-attacks against its customers since last October.

About 33% of those were single-vector attacks, meaning they relied solely on CLDAP reflection to try and disrupt or knock their targets offline.

What makes the new technique dangerous is the extent of the amplification that can be achieved by abusing Internet-exposed CLDAP services, says Jose Arteaga, a member of Akamai's security intelligence response team.

"CLDAP reflection works in the same way as any other UDP-based reflection attack," Arteaga says. "[But] the amplification of the response is impressive compared to most other vectors," he says. On average, Akamai observed CLDAP-enabled DDoS attacks achieving amplifications of over 56%.

The largest attack using CLDAP as the sole vector that Akamai has mitigated so far had a peak bandwidth of 24 Gigabits per second, or about two million packets per second. "These attacks are averaging around 3 gigabits per second—a pretty impressive number considering the limited number of available reflectors," Arteaga says.

"It's enough to bring smaller sites offline and potentially cause latency issues on others."

CLDAP uses the User Datagram Protocol (UDP) instead of the Transmission Control Protocol (TCP) for communication. UDP does not validate source IP addresses, thereby making application-layer protocols that rely on it—such as CLDAP—good vectors for launching DDoS attacks.

A UDP reflection and amplification attack is one where an attacker sends specially crafted packets that appear to originate from their intended target's IP address, to numerous UDP servers that are exposed on the Internet. Responses from the UDP servers are sent to the victim’s IP address creating denial of service conditions. By sending certain requests, attackers can get the UDP servers to respond with packets that are multiple times the size of the original packet, thereby amplifying the volume of the DDoS traffic. The attacks that Akamai observed had amplification factors of over 50% on average.

Corero Network Security was among the first vendors to warn of the new attack vector when it reported encountering CLDAP-enabled amplification attacks against a small number of its customers last October. At the time, the company had reported seeing an average amplification factor of 46 and a peak of 55.

Such amplification attacks are possible because of the many open CLDAP services on the Internet that respond to queries for spoofed IP addresses, the company had noted in an advisory at the time.

The Shadowserver Foundation's Open LDAP Scanning Project currently lists 73,380 distinct IP addresses around the world belonging to devices running CLDAP that are openly accessible over the Internet via port 389. Over 16,700 of those devices are based in the US.

Other countries with a relatively large number of exposed CLDAP services include Brazil, with 5,411; France, with 3,459; and the United Kingdom, with 3,354.

Each of these devices has the potential of being used in an amplification attack. The Shadowserver Foundation's goal in identifying them is to try and alert their network owners about the issue.

The discovered hosts are not filtering port 389," Arteaga says. "In other words, these hosts have port 389 open and listening."

Unlike DNS or NTP, there is likely little reason to expose CLDAP over the Internet, Arteaga says. "We aren't sure this is a common or best practice approach," he says.

The key takeaway for enterprises is to make sure they don't contribute to the problem themselves. CLDAP is in fact the thirteenth protocol that Akamai has discovered being used as a DDoS amplification vector due to organizations not securing the protocols, Arteaga says.

"Have a clear understanding of services that are UDP-based and exposed over the Internet and weigh out the pros and cons of having those," he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.