
How can a DDoS reflection attack abuse CLDAP?

A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against this new threat.

Akamai researchers discovered the Connectionless Lightweight Directory Access Protocol being increasingly used in reflection attacks, a method which enables DDoS campaigns to be carried out more efficiently. What are the benefits of using CLDAP, and how can the attacks be mitigated?

Researchers at content delivery network giant Akamai Technologies Inc. recently identified an emerging distributed denial-of-service (DDoS) reflection attack that exploits CLDAP, the connectionless version of the Lightweight Directory Access Protocol (LDAP).

CLDAP uses the connectionless User Datagram Protocol (UDP) as its transport rather than the connection-oriented Transmission Control Protocol (TCP) that LDAP uses. Both protocols are used to assign IP addresses to new hosts connecting to a network, and attackers can use compromised servers to generate a massive number of CLDAP requests to overwhelm a target.

The new CLDAP DDoS reflection attack has an amplification factor of up to 70x, making it one of the most effective UDP protocols for abuse.

Defending against DDoS reflection attacks often requires a multipronged effort, and it can take many different parties across the internet to effectively manage the threat from such attacks. DDoS attacks often involve externalities that can be very difficult for enterprises to manage, and cooperation between all the involved parties may be necessary to mitigate these attacks.

Enterprises can implement DDoS mitigation tools and services to protect against DDoS reflection attacks, but that's not all they should do. They should also ensure that none of their own systems can be exploited as reflectors in DDoS attacks. Manufacturers, for their part, need to ensure that the devices they ship come with at least minimal security controls in place.

Implementing minimal security controls means disabling any functionality that is not necessary on an internet-exposed system. Domain Name System (DNS), Network Time Protocol (NTP) and other network services should be disabled if they are unrelated to the system's core function; doing so prevents the device from being used in a DDoS reflection attack.

Enterprises can also protect systems that provide frequently abused services, like DNS or NTP, to client systems by firewalling them from the internet. Internet-facing services can also be protected by implementing rate limiting or another outbound protection method, such as those described in the Internet Engineering Task Force's Best Current Practice No. 38 document, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing."

Mitigating this reflection attack begins with understanding the CLDAP protocol, and with asking why an enterprise would have a CLDAP or LDAP server, which is used to assign IP addresses to hosts on a local network, reachable directly from the internet at all. The most effective mitigation may simply be to block access to LDAP servers from the internet.
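The mitigations above come down to two checks a defender can run against their own traffic: is a directory server answering CLDAP (UDP/389) to addresses outside the enterprise at all, and are those answers many times larger than the requests that triggered them, the signature of the amplification Akamai describes. The script below, an added example that is not part of the original article or of Akamai's research, runs both checks over constructed flow records. The server address, the internal prefixes, the flow-record layout and the thresholds are all assumptions chosen for the example.

```python
"""Flag a CLDAP reflector from UDP flow records (added defensive example).

Assumptions (not from the article): flow records are whitespace-separated
"timestamp src_ip src_port dst_ip dst_port bytes"; the directory server is
SERVER_IP; anything outside INTERNAL_NETS is "external". All records are
constructed for this example, not taken from a real capture.
"""
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389          # CLDAP answers on UDP/389
RATIO_THRESHOLD = 10.0    # response/request byte ratio treated as amplification
MIN_PEERS = 3             # distinct external destinations before we call it abuse
SERVER_IP = "192.0.2.10"  # constructed: the enterprise's directory server
INTERNAL_NETS = [ipaddress.ip_network(n)          # constructed: RFC 1918 space
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: three spoofed victims get ~60x answers, one external peer
# makes a normal-sized query, one internal client does a legitimate lookup.
SAMPLE_FLOWS = """\
2017-09-01T10:00:01 198.51.100.7  50001 192.0.2.10   389   52
2017-09-01T10:00:01 192.0.2.10    389   198.51.100.7 50001 180
2017-09-01T10:00:02 203.0.113.9   50002 192.0.2.10   389   52
2017-09-01T10:00:02 192.0.2.10    389   203.0.113.9  50002 3120
2017-09-01T10:00:02 203.0.113.44  50003 192.0.2.10   389   52
2017-09-01T10:00:02 192.0.2.10    389   203.0.113.44 50003 3120
2017-09-01T10:00:03 203.0.113.80  50004 192.0.2.10   389   52
2017-09-01T10:00:03 192.0.2.10    389   203.0.113.80 50004 3120
2017-09-01T10:00:04 10.1.2.3      40000 192.0.2.10   389   52
2017-09-01T10:00:04 192.0.2.10    389   10.1.2.3     40000 180
"""


def parse_flows(text):
    """Turn the constructed flow text into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_external(ip):
    """True when the address is outside the enterprise's internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def peer_byte_counts(flows, server_ip):
    """Per remote peer: CLDAP request bytes sent to the server and response bytes sent back."""
    counts = defaultdict(lambda: {"request": 0, "response": 0})
    for f in flows:
        if f["dst"] == server_ip and f["dport"] == CLDAP_PORT:
            counts[f["src"]]["request"] += f["bytes"]
        elif f["src"] == server_ip and f["sport"] == CLDAP_PORT:
            counts[f["dst"]]["response"] += f["bytes"]
    return counts


def amplification_ratio(request_bytes, response_bytes):
    """Bytes out per byte in; responses with no matching request count as infinite."""
    if request_bytes == 0:
        return float("inf") if response_bytes else 0.0
    return response_bytes / request_bytes


def assess_reflector(flows, server_ip):
    """Report whether the server answers CLDAP externally and whether that looks like abuse."""
    exposed_to, amplified = [], []
    for peer, c in peer_byte_counts(flows, server_ip).items():
        if not is_external(peer):
            continue                      # internal lookups are expected
        if c["response"] > 0:
            exposed_to.append(peer)       # any external answer means UDP/389 is reachable
        ratio = amplification_ratio(c["request"], c["response"])
        if ratio >= RATIO_THRESHOLD:
            amplified.append((peer, round(ratio, 1)))
    return {
        "exposed": bool(exposed_to),
        "exposed_peers": sorted(exposed_to),
        "amplified_peers": sorted(amplified),
        "likely_abused": len(amplified) >= MIN_PEERS,
    }


if __name__ == "__main__":
    report = assess_reflector(parse_flows(SAMPLE_FLOWS), SERVER_IP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two findings map directly onto the advice in the article: "exposed" says the firewall rule is missing (UDP/389 should not be answered toward the internet), and "likely_abused" says the server is already being used against someone else's network, which is the case for rate limiting at minimum and, preferably, for blocking the port outright.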


This was last published in September 2017
