Corero Network Security observed three DDoS attacks on Friday and Saturday that exploited the LDAP protocol, one of which was 70 Gbps in size.
Corero Network Security observed three DDoS attacks on Friday and Saturday that exploited the LDAP protocol, one of which was 70 Gbps in size.

Corero Network Security today disclosed a zero-day distributed denial of service attack (DDoS) technique, observed in the wild, that is capable of amplifying malicious traffic by a factor of as much as 55x.

The DDoS defense firm made the announcement today, as investigators continued to probe a larger, IoT-device fueled DDoS attack that targeted DNS service provider Dyn last Friday, significantly disrupting Internet users.

Dave Larson, CTO and COO at Corero, told SCMagazine.com in an interview today that the firm detected three separate attacks last Friday and Saturday that generated traffic at a rate of 22, 28 and 70 Gbps, respectively. According to Corero, the attacks exploited the Lightweight Directory Access Protocol, or LDAP, a commonly used application protocol for accessing information from online servers. According to Corero, if future LDAP attacks were to leverage the Mirai botnet malware employed in the Dyn attack, malicious traffic could reach unprecedented bandwidth levels, perhaps as high as tens of terabits per second.

To execute the attack, a bad actor scans for servers with an open 389 port, which supports Connectionless LDAP-based data communication. The adversary then sends queries to these servers, using a spoofed IP address. The server will then send its voluminous response to that spoofed address, bombarding the recipient – the intended DDoS target – with heavy traffic. In the three instances Corero observed, this reflection-style attack had an average amplification factor of 46x, with a peak of 55x.

Larson said that the largest of the attacks (70 Gbps) was likely aided by a small botnet that generated a multitude of spoofed queries. “In order to get to that size, you need to leverage large number of LDAP servers. So it's not bouncing one request off of one server; it's sending out a myriad of requests to potentially many thousands of open LDAP servers,” said Larson.

The problem is, most servers on the open Internet should not be able to respond to LDAP requests, yet their firewalls are often configured to permit such data exchanges. “There's no legitimate reason that I can think of to keep port 389 open on the firewall. You should not be able to find it,” said Larson. “We need to improve our generic security hygiene and not leave services available on the Internet that don't need to be available on the Internet. LDAP-based queries should only be executed over a secure VPN connection, Larson added.

Larson also called on ISPs to employ network ingress filtering to detect incoming spoofed traffic, thus inhibiting DDoS attacks that rely on spoofed IP addresses.