
CLDAP reflection attacks may be the next big DDoS technique

Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns.

DDoS campaigns have been growing to enormous sizes, and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices.

Jose Arteaga and Wilber Mejia, threat researchers at Akamai, identified attacks in the wild that used the Connection-less Lightweight Directory Access Protocol (CLDAP) to perform dangerous reflection attacks.

"Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively," Arteaga and Mejia wrote. "While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries."

The CLDAP reflection attack method was first discovered in October 2016 by Corero Network Security, which at the time estimated it could amplify an attacker's request to 46 to 55 times its size, meaning an attacker needs far fewer reflecting sources to reach a given attack volume.

The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw a 52-byte request payload amplified to a 3,662-byte response, roughly 70 times the size, and peaked at 24Gbps and 2 million packets per second.

This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow "a user with low bandwidth [to] DDoS an organization with much higher bandwidth."

"CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response," Williams told SearchSecurity. "You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk."
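The exchange Williams describes, byte for byte, as an added example that is not code from the article, Akamai or Corero: a Python script that builds the root DSE search request a scanner or attacker sends to UDP/389, a constructed Active Directory-style reply, and the resulting amplification ratio. Assumptions: the reply is constructed with only a handful of root DSE attributes, so its ratio comes out well below the 46 to 70 times reported above (a real domain controller returns far more, including long lists of supported controls and capabilities); Active Directory answers CLDAP with LDAPv3 BER messages carried in UDP datagrams; IP and UDP headers are not counted.

```python
"""CLDAP root DSE query and reply, byte for byte, with the amplification ratio.
Added example; the reply is a constructed AD-style root DSE, not a capture."""

def tlv(tag, content):
    """BER tag-length-value; long-form length once content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + content

def ber_int(value, tag=0x02):
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A); adds a leading zero byte when needed."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def octets(text):
    return tlv(0x04, text.encode())

def cldap_rootdse_request(message_id=1):
    """LDAPMessage carrying SearchRequest [APPLICATION 3]: base "", scope baseObject,
    filter (objectClass=*), empty attribute list, i.e. 'send me your whole root DSE'."""
    search = (octets("")                   # baseObject: the root DSE
              + ber_int(0, 0x0A)           # scope: baseObject
              + ber_int(0, 0x0A)           # derefAliases: neverDerefAliases
              + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit: none
              + tlv(0x01, b"\x00")         # typesOnly: FALSE, values wanted
              + tlv(0x87, b"objectClass")  # Filter present [7] == (objectClass=*)
              + tlv(0x30, b""))            # attributes: empty means all
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))

# Constructed root DSE (attribute names are ones AD publishes; values are sample data).
SAMPLE_ROOTDSE = {
    "currentTime": ["20170413100000.0Z"],
    "dnsHostName": ["dc01.corp.example"],
    "defaultNamingContext": ["DC=corp,DC=example"],
    "namingContexts": ["DC=corp,DC=example", "CN=Configuration,DC=corp,DC=example",
                       "CN=Schema,CN=Configuration,DC=corp,DC=example",
                       "DC=DomainDnsZones,DC=corp,DC=example", "DC=ForestDnsZones,DC=corp,DC=example"],
    "supportedLDAPVersion": ["3", "2"],
    "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"],
    "supportedControl": ["1.2.840.113556.1.4.319", "1.2.840.113556.1.4.801",
                         "1.2.840.113556.1.4.1338", "2.16.840.1.113730.3.4.9"],
}

def cldap_rootdse_response(attrs, message_id=1):
    """Reply datagram: SearchResultEntry [APPLICATION 4] then SearchResultDone
    [APPLICATION 5], each wrapped in its own LDAPMessage."""
    attr_list = b"".join(
        tlv(0x30, octets(name) + tlv(0x31, b"".join(octets(v) for v in vals)))
        for name, vals in attrs.items())
    entry = tlv(0x64, octets("") + tlv(0x30, attr_list))
    done = tlv(0x65, ber_int(0, 0x0A) + octets("") + octets(""))  # resultCode success
    return tlv(0x30, ber_int(message_id) + entry) + tlv(0x30, ber_int(message_id) + done)

def ber_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        nlen = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_cldap_response(datagram):
    """Walk every LDAPMessage in a reply and collect root DSE attributes as {name: [values]}."""
    attrs, pos = {}, 0
    while pos < len(datagram):
        tag, msg, pos = ber_read(datagram, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        _, _msg_id, p = ber_read(msg)
        op_tag, op, _ = ber_read(msg, p)
        if op_tag != 0x64:                # only SearchResultEntry carries attributes
            continue
        _, _dn, p = ber_read(op)          # objectName, empty for the root DSE
        _, attr_list, _ = ber_read(op, p)
        q = 0
        while q < len(attr_list):
            _, attr, q = ber_read(attr_list, q)
            _, name, r = ber_read(attr)
            _, vals, _ = ber_read(attr, r)
            values, s = [], 0
            while s < len(vals):
                _, v, s = ber_read(vals, s)
                values.append(v.decode())
            attrs[name.decode()] = values
    return attrs

def amplification(request, response):
    """UDP payload bytes returned per payload byte sent (IP/UDP headers not counted)."""
    return len(response) / len(request)

if __name__ == "__main__":
    req, resp = cldap_rootdse_request(), cldap_rootdse_response(SAMPLE_ROOTDSE)
    print(f"request {len(req)} B -> reply {len(resp)} B, {amplification(req, resp):.1f}x")
    print(sorted(parse_cldap_response(resp)))
```

The request the encoder produces is 39 bytes; nothing in it identifies the attacker, and because UDP carries no handshake the server trusts the source address in the IP header, which is exactly what the spoofing relies on. Feeding `parse_cldap_response` a datagram captured from your own domain controller shows what it hands out to anyone who asks.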

Arteaga and Mejia said enterprises could limit these kinds of reflection attacks fairly easily by filtering the port CLDAP uses, UDP 389, at the network edge.

"Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place," Arteaga and Mejia wrote in a blog post. "Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389 would eliminate the discovery of another potential host fueling attacks."

Williams agreed that ingress filtering would help and noted that "CLDAP was officially retired from being on the IETF standards track in 2003," but said enterprises using Active Directory still need to be aware of the threat.

"Active Directory supports CLDAP and that's probably the biggest reason you'll see a CLDAP server exposed to the internet," Williams said. "Another reason might be email directory services, though I suspect that is much less common."
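The ingress-filtering advice above, turned into a check you can run over flow records from the network edge or from a domain controller's host: flag any external address exchanging UDP/389 traffic with a DC, separate a one-off discovery probe from a burst of spoofed requests, and report the byte ratio the reflector delivered. This is an added example, not code from the article or Akamai; the CSV flow layout, field names, internal ranges and burst threshold are assumptions, and the flow lines are constructed rather than a real capture.

```python
"""Spot CLDAP (UDP/389) discovery scans and reflection bursts in flow records.
Added example with a constructed flow export; the field layout is an assumption."""
import csv
import io
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389
FIELDS = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "bytes", "packets")
INTERNAL_NETS = ("10.0.0.0/8",)  # assumption: the only ranges that should ever talk CLDAP to us
BURST = 3                         # requests from one external address before calling it reflection

# Constructed flows as seen on a DC at 10.0.0.5 (not a real capture):
# 198.51.100.7 is the spoofed victim receiving a burst, 203.0.113.20 a scanner,
# 10.0.1.44 a domain-joined client doing legitimate CLDAP plus TCP LDAP.
SAMPLE_FLOWS = """\
2017-04-13T10:00:01Z,198.51.100.7,40123,10.0.0.5,389,udp,52,1
2017-04-13T10:00:01Z,10.0.0.5,389,198.51.100.7,40123,udp,3662,3
2017-04-13T10:00:01Z,198.51.100.7,40124,10.0.0.5,389,udp,52,1
2017-04-13T10:00:01Z,10.0.0.5,389,198.51.100.7,40124,udp,3662,3
2017-04-13T10:00:01Z,198.51.100.7,40125,10.0.0.5,389,udp,52,1
2017-04-13T10:00:01Z,10.0.0.5,389,198.51.100.7,40125,udp,3662,3
2017-04-13T10:00:02Z,203.0.113.20,53211,10.0.0.5,389,udp,52,1
2017-04-13T10:00:02Z,10.0.0.5,389,203.0.113.20,53211,udp,3662,3
2017-04-13T10:00:03Z,10.0.1.44,51000,10.0.0.5,389,udp,52,1
2017-04-13T10:00:03Z,10.0.0.5,389,10.0.1.44,51000,udp,3662,3
2017-04-13T10:00:04Z,10.0.1.44,51001,10.0.0.5,389,tcp,1200,12
"""

def parse_flows(text):
    """Parse the CSV export into dicts with integer ports and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        for key in ("src_port", "dst_port", "bytes", "packets"):
            row[key] = int(row[key])
        flows.append(row)
    return flows

def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def find_cldap_abuse(flow_text, internal_nets=INTERNAL_NETS, burst=BURST):
    """One finding per external peer that sent CLDAP requests or received CLDAP
    replies: request count, bytes ratio, and a verdict of scan or reflection."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    peers = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
    for f in parse_flows(flow_text):
        if f["proto"] != "udp":
            continue                               # TCP/389 is ordinary LDAP, not CLDAP
        if f["dst_port"] == CLDAP_PORT and not is_internal(f["src_ip"], nets):
            p = peers[f["src_ip"]]                 # inbound query; the source may be a spoofed victim
            p["requests"] += 1
            p["req_bytes"] += f["bytes"]
        elif f["src_port"] == CLDAP_PORT and not is_internal(f["dst_ip"], nets):
            peers[f["dst_ip"]]["resp_bytes"] += f["bytes"]  # reply leaving for an external address
    findings = []
    for peer, p in peers.items():
        ratio = p["resp_bytes"] / p["req_bytes"] if p["req_bytes"] else float("inf")
        findings.append({"peer": peer, "requests": p["requests"],
                         "amplification": round(ratio, 1),
                         "verdict": "reflection" if p["requests"] >= burst else "scan"})
    return sorted(findings, key=lambda x: -x["requests"])

if __name__ == "__main__":
    for finding in find_cldap_abuse(SAMPLE_FLOWS):
        print(finding)
```

Any external peer in the output is already a policy violation, since CLDAP has no business crossing the perimeter; the scan verdict is the reconnaissance phase the Akamai researchers describe, and the reflection verdict means the host is already being used against someone else. The 70.4 ratio the sample produces is the article's 52-byte request against its 3,662-byte reply.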
