Corero recently discovered a new type of DDoS amplification attack that uses connectionless LDAP. How does this...
new attack work and what can enterprises do about it?
DDoS attacks are growing and both the techniques and the size of the attacks expanding. We'll see zero-day DDoS attacks abuse new protocols which will allow them to get the jump on many mitigation services. The latest protocol being abused is a type of LDAP called CLDAP. The C in CLDAP stands for connectionless, and it's using User Datagram Protocol (UDP) for transport. The reason why attackers love UDP in DDoS attacks is because it doesn't validate the source of the sender and attackers abuse this feature.
At this point, attackers spoof traffic to the CLDAP protocol server with the address that they're looking to attack as the source address. Since UDP never validates that the source address is the one that actually sent the request, it dutifully sends back the packets to the address which it thinks originated it. This not only hides the attacker, but they also don't have to build a botnet. These CLDAP protocol servers are doing exactly what they're supposed to do, except the requests are spoofed. That's what's meant by a reflection attack when it comes to DDoS. The attackers have other servers bounce the requests they're sending to the victim in the spoofed source.
The CLDAP protocol also allows for DDoS amplification attacks. This means the response to the request is larger than the original source of the request. Corero said that the amplification of a CLDAP protocol response back to the spoofed victim is between 46 to 55 times the size of the initial response. So, not only are the spoofed requests flooding the victim servers, but they're hitting it with data that's orders of magnitude larger than what it was given. This allows attackers to ramp up traffic very fast and have large amounts of data to crush a victim's system.
Another thing to consider here: The systems running the CLDAP protocol and are accessible over the internet. These systems are used for authentication and are normally used internally. Despite best practices, they are exposed to the internet and it causes the world of DDoS attacks to continue to grow. Also, it's likely that these servers have quite a bit more bandwidth and hardware behind them than your normal bot on a workstation.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how to prevent DDoS attacks that bypass DNS rerouting
Discover why the DDoS threat cannot be ignored
Find out why DDoS defense planning often falls short
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Matthew Pascucci
Troubleshooting VPN session timeout and lockout issues should focus first on isolating where the root of the problem lies -- be it the internet ... Continue Reading
What sets web roles and worker roles apart in Microsoft's Azure Cloud Services? Here's a look at how they are different. Continue Reading
Container security continues to be a pressing issue as containers and hosts are being used more frequently. Learn how to keep your enterprise safe ... Continue Reading