New DDoS reflection attack vector discovered

Oct 26, 2016 21:20 GMT

DDoS protection and mitigation outfit Corero says it has detected DDoS attacks that used LDAP servers to amplify attack traffic by a factor of 46 on average and up to 55 at peak.

The company says the attacks took aim at one of its customers. Further investigation of the incident revealed that the attacking group used a novel technique to flood the target with junk traffic by abusing the LDAP protocol, an avenue not seen in earlier attacks.

After studying how the attackers utilized LDAP servers, Corero says it identified a zero-day in CLDAP (Connection-less Lightweight Directory Access Protocol), the connectionless, UDP-based variant of LDAP used with Active Directory, a directory service that Microsoft developed for Windows domain networks and ships with all Windows Server releases.

LDAP allows for DDoS attack reflection and amplification

In this case, attackers used exposed servers supporting CLDAP to bounce junk traffic to their targets, a technique known as a DDoS reflection attack.

Attackers sent queries to the server's LDAP service port but forged the source IP address of each query so that it carried the victim's IP. After the server had processed the query, it prepared and sent a reply to that source address, which in this case belonged to the victim's machine.

This is the basic principle of a reflection DDoS attack. Unfortunately, the LDAP attack vector is also subject to amplification.

The reply the LDAP server prepared was many times the size of the original query. The ratio of reply size to query size is called the DDoS amplification factor; Corero says that during the observed attack it was 46 on average and reached 55 at the attack's peak.
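To make the two points above concrete, here is an added Python example; it is not code from the article or from Corero. The first part computes the average and peak amplification factor from constructed (request size, reply size) pairs as an operator of an exposed CLDAP server would measure them. The second part takes the victim's view: from constructed flow records it picks out inbound UDP flows from source port 389 that no protected host ever queried for, which is the tell-tale of reflected traffic. All addresses, sizes and flow lines are constructed for illustration.

```python
"""Defender-side view of CLDAP (UDP/389) reflection and amplification.

Added example, not the article's or Corero's code. Every address, size and
flow record here is constructed; nothing comes from a real capture.
"""
from collections import defaultdict
from statistics import mean

CLDAP_PORT = 389

# Part 1: amplification as measured at the reflector. Each tuple is
# (request_bytes, response_bytes) for one UDP exchange with a CLDAP server.
CLDAP_EXCHANGES = [
    (52, 2392), (52, 2392), (52, 2288), (52, 2080),
    (52, 2496), (52, 2392), (52, 2860), (52, 2392),
]


def amplification_stats(exchanges):
    """Return (average, peak) amplification factor: bytes sent by the
    reflector per byte it received, per exchange."""
    factors = [resp / req for req, resp in exchanges]
    return round(mean(factors), 1), round(max(factors), 1)


# Part 2: spotting reflected traffic at the target. Constructed records in the
# form "proto src_ip:src_port dst_ip:dst_port packets bytes"; 203.0.113.0/24 is
# the protected network, other addresses are remote.
FLOW_LOG = """\
UDP 203.0.113.10:49152 192.0.2.7:389 1 52
UDP 192.0.2.7:389 203.0.113.10:49152 1 2392
UDP 198.51.100.21:389 203.0.113.50:80 40 95680
UDP 198.51.100.22:389 203.0.113.50:80 38 90896
TCP 198.51.100.30:443 203.0.113.50:51000 10 4000
UDP 198.51.100.23:389 203.0.113.50:80 1 120
"""


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            src_ip, src_port = parts[1].rsplit(":", 1)
            dst_ip, dst_port = parts[2].rsplit(":", 1)
            flows.append({
                "proto": parts[0],
                "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port),
                "packets": int(parts[3]), "bytes": int(parts[4]),
            })
        except ValueError:
            continue
    return flows


def unsolicited_cldap_replies(flows, protected_prefix="203.0.113."):
    """Group inbound UDP/389 replies that no protected host asked for.

    A reflection victim never sent the query, so an inbound UDP flow from
    source port 389 with no matching outbound query to that server is
    suspect. Returns {victim_ip: [(reflector_ip, bytes, bytes_per_packet)]}
    with each list sorted by bytes, largest first.
    """
    queried = set()  # (our_host, server) pairs for queries we really sent
    for f in flows:
        if (f["proto"] == "UDP" and f["dst_port"] == CLDAP_PORT
                and f["src_ip"].startswith(protected_prefix)):
            queried.add((f["src_ip"], f["dst_ip"]))

    hits = defaultdict(list)
    for f in flows:
        if f["proto"] != "UDP" or f["src_port"] != CLDAP_PORT:
            continue
        if not f["dst_ip"].startswith(protected_prefix):
            continue
        if (f["dst_ip"], f["src_ip"]) in queried:
            continue  # legitimate reply to a query one of our hosts sent
        bpp = f["bytes"] // f["packets"] if f["packets"] else 0
        hits[f["dst_ip"]].append((f["src_ip"], f["bytes"], bpp))
    for victim in hits:
        hits[victim].sort(key=lambda h: h[1], reverse=True)
    return dict(hits)


if __name__ == "__main__":
    avg, peak = amplification_stats(CLDAP_EXCHANGES)
    print(f"amplification factor: average x{avg}, peak x{peak}")
    for victim, refl in unsolicited_cldap_replies(parse_flows(FLOW_LOG)).items():
        print(f"{victim}: {len(refl)} unsolicited CLDAP reply flows")
        for ip, nbytes, bpp in refl:
            print(f"  {ip}  {nbytes} bytes  ({bpp} B/pkt)")
```

The detection half deliberately keys on "reply with no matching query" rather than on volume alone, since a legitimate domain controller lookup from a protected host also produces large UDP/389 replies; in the sample log the exchange with 192.0.2.7 is excluded for exactly that reason, while the three flows aimed at 203.0.113.50 are flagged.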

LDAP outdone by TFTP

DDoS reflection and amplification are common practice. The protocols most often abused for reflection and amplification are DNS, NTP, and SMTP.

In the past year, security researchers have discovered additional protocols susceptible to reflection and amplification attacks, such as NetBIOS, RPC, Sentinel, DNSSEC, and TFTP. Most of these have low amplification factors, except TFTP, which has a factor of 60.

The recent DDoS attacks on OVH, Dyn, and the KrebsOnSecurity blog that caught the media's eye because of their size were simple DDoS attacks that flung junk traffic directly at a target without reflection or amplification. Despite the low level of sophistication these attacks exhibited, the attackers managed to direct between 620 Gbps and 1.1 Tbps at their targets.

Had the botnets responsible for these attacks used LDAP for reflection and amplification, the attacks could easily have surpassed tens of Tbps, a scenario that Corero considers possible in the near future.