Network Security, Incident Response, Network Security, TDR

Zero-day DDoS attack vector leverages LDAP to amplify malicious traffic

Corero Network Security today disclosed a zero-day distributed denial of service attack (DDoS) technique, observed in the wild, that is capable of amplifying malicious traffic by a factor of as much as 55x.

The DDoS defense firm made the announcement today, as investigators continued to probe a larger, IoT-device fueled DDoS attack that targeted DNS service provider Dyn last Friday, significantly disrupting Internet users.

Dave Larson, CTO and COO at Corero, told in an interview today that the firm detected three separate attacks last Friday and Saturday that generated traffic at a rate of 22, 28 and 70 Gbps, respectively. According to Corero, the attacks exploited the Lightweight Directory Access Protocol, or LDAP, a commonly used application protocol for accessing information from online servers. According to Corero, if future LDAP attacks were to leverage the Mirai botnet malware employed in the Dyn attack, malicious traffic could reach unprecedented bandwidth levels, perhaps as high as tens of terabits per second.

To execute the attack, a bad actor scans for servers with an open 389 port, which supports Connectionless LDAP-based data communication. The adversary then sends queries to these servers, using a spoofed IP address. The server will then send its voluminous response to that spoofed address, bombarding the recipient – the intended DDoS target – with heavy traffic. In the three instances Corero observed, this reflection-style attack had an average amplification factor of 46x, with a peak of 55x.

Larson said that the largest of the attacks (70 Gbps) was likely aided by a small botnet that generated a multitude of spoofed queries. “In order to get to that size, you need to leverage large number of LDAP servers. So it's not bouncing one request off of one server; it's sending out a myriad of requests to potentially many thousands of open LDAP servers,” said Larson.

The problem is, most servers on the open Internet should not be able to respond to LDAP requests, yet their firewalls are often configured to permit such data exchanges. “There's no legitimate reason that I can think of to keep port 389 open on the firewall. You should not be able to find it,” said Larson. “We need to improve our generic security hygiene and not leave services available on the Internet that don't need to be available on the Internet. LDAP-based queries should only be executed over a secure VPN connection, Larson added.

Larson also called on ISPs to employ network ingress filtering to detect incoming spoofed traffic, thus inhibiting DDoS attacks that rely on spoofed IP addresses.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.