
How does the CLDAP protocol DDoS amplification attack work?

DDoS amplification attacks that use the CLDAP protocol are a new threat to enterprises. Expert Matthew Pascucci explains how they work and how enterprises can protect themselves.

Corero recently discovered a new type of DDoS amplification attack that uses connectionless LDAP. How does this new attack work and what can enterprises do about it?

DDoS attacks are growing, and both the techniques and the size of the attacks are expanding. We'll see zero-day DDoS attacks abuse new protocols, which will allow them to get the jump on many mitigation services. The latest protocol being abused is a type of LDAP called CLDAP. The C in CLDAP stands for connectionless, and it uses User Datagram Protocol (UDP) for transport. Attackers love UDP in DDoS attacks because it doesn't validate the source of the sender, and attackers abuse this feature.

At this point, attackers send traffic to the CLDAP server with a spoofed source address: the address of the system they're looking to attack. Since UDP never validates that the source address is the one that actually sent the request, the server dutifully sends its replies to the address it thinks originated the request. This not only hides the attacker, but also means they don't have to build a botnet. These CLDAP servers are doing exactly what they're supposed to do, except the requests are spoofed. That's what's meant by a reflection attack when it comes to DDoS: the attackers have other servers bounce the replies to their requests onto the victim named in the spoofed source.

The CLDAP protocol also allows for DDoS amplification attacks. This means the response to a request is larger than the request itself. Corero said that the CLDAP response sent back to the spoofed victim is between 46 and 55 times the size of the initial request. So, not only are the spoofed requests flooding the victim's servers, but the victim is being hit with data that's orders of magnitude larger than what was sent. This allows attackers to ramp up traffic very fast and direct large amounts of data at a victim's system.

Another thing to consider here: the systems running the CLDAP protocol are accessible over the internet. These systems are used for authentication and are normally used internally. Despite best practices, they are exposed to the internet, and that causes the world of DDoS attacks to continue to grow. Also, it's likely that these servers have quite a bit more bandwidth and hardware behind them than your normal bot on a workstation.
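The reflection and amplification behaviour described in the two paragraphs above can be spotted from a defender's own flow records: a CLDAP (UDP/389) server answering tiny queries with replies tens of times larger, addressed to a "client" that is really the spoofed victim. The script below is an added example written for this page, not code from the article, Corero or Mr. Pascucci. The flow line format, the addresses and the byte counts are constructed for illustration; the 10x alert threshold is an assumption chosen to sit well below the 46x to 55x figure Corero reported, so that partial captures still trigger.

```python
"""Flag CLDAP (UDP/389) reflection and amplification patterns in flow records.

Added example for this page, not the article's own code. The flow line format,
addresses and byte counts below are constructed; adapt parse_flow() to the
output of your own flow collector.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import re

CLDAP_PORT = 389
# Corero reported 46x to 55x amplification for CLDAP; this lower threshold is
# an assumption so that smaller or partially captured floods are still flagged.
AMPLIFICATION_THRESHOLD = 10.0

# Constructed record layout: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> bytes=N pkts=N"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"bytes=(?P<bytes>\d+)\s+pkts=(?P<pkts>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    pkts: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow, raising on anything unrecognised."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow record: {line!r}")
    return Flow(m["proto"].lower(), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), int(m["bytes"]), int(m["pkts"]))


def cldap_ratios(flows):
    """Return {(client, server): (request_bytes, response_bytes, ratio)} for UDP/389 traffic.

    'client' is the address the server believes sent the query. In a reflection
    attack that is the spoofed victim, so the ratio measures how many bytes the
    server is unknowingly sending there for every byte it received.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f.proto != "udp":            # CLDAP is UDP only; TCP LDAP is not reflectable this way
            continue
        if f.dport == CLDAP_PORT:       # query towards the CLDAP server
            req[(f.src, f.dst)] += f.nbytes
        elif f.sport == CLDAP_PORT:     # reply coming from the CLDAP server
            resp[(f.dst, f.src)] += f.nbytes
    out = {}
    for key in set(req) | set(resp):
        r, s = req.get(key, 0), resp.get(key, 0)
        ratio = s / r if r else math.inf   # replies with no visible query are suspicious too
        out[key] = (r, s, ratio)
    return out


def flag_reflection(flows, threshold=AMPLIFICATION_THRESHOLD):
    """List (client, server, ratio) pairs whose reply volume looks like amplification."""
    return sorted(
        (c, s, ratio)
        for (c, s), (_, _, ratio) in cldap_ratios(flows).items()
        if ratio >= threshold
    )


# Constructed sample: 198.51.100.10 is an LDAP server reachable from the internet.
# 203.0.113.5 appears as a client sending tiny queries and receiving large replies
# (the spoofed victim); 192.0.2.77 is an ordinary client with proportionate traffic.
SAMPLE_FLOWS = """\
2016-12-01T10:00:00Z udp 203.0.113.5:50123 -> 198.51.100.10:389 bytes=52 pkts=1
2016-12-01T10:00:00Z udp 198.51.100.10:389 -> 203.0.113.5:50123 bytes=2600 pkts=2
2016-12-01T10:00:01Z udp 203.0.113.5:50123 -> 198.51.100.10:389 bytes=52 pkts=1
2016-12-01T10:00:01Z udp 198.51.100.10:389 -> 203.0.113.5:50123 bytes=2600 pkts=2
2016-12-01T10:00:02Z udp 192.0.2.77:41000 -> 198.51.100.10:389 bytes=120 pkts=1
2016-12-01T10:00:02Z udp 198.51.100.10:389 -> 192.0.2.77:41000 bytes=300 pkts=1
2016-12-01T10:00:03Z tcp 192.0.2.77:41001 -> 198.51.100.10:389 bytes=900 pkts=6
"""


def main():
    flows = [parse_flow(line) for line in SAMPLE_FLOWS.splitlines()]
    for client, server, ratio in flag_reflection(flows):
        print(f"possible CLDAP reflection: {server} -> {client}, amplification {ratio:.1f}x")


if __name__ == "__main__":
    main()
```

On the constructed sample the script reports a single pair, the exposed server sending 50 bytes to 203.0.113.5 for every byte it received, while the ordinary client's 2.5x ratio stays under the threshold. A hit means one of two things worth acting on: your server is being used as a reflector against the "client" address (the server should not be answering UDP/389 from the internet at all), or, if the server is someone else's and the client is yours, you are the victim and need upstream filtering of UDP source port 389.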


This was last published in December 2016
