Corero Network Security, which sells DDoS defense solutions to service providers, hosting providers and online enterprises, disclosed what it describes as a significant new zero-day distributed denial of service (DDoS) attack vector, observed for the first time against its customers last week. “The new technique is an amplification attack, which utilizes the Lightweight Directory Access Protocol (LDAP), one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in most online servers,” the company says in a statement.
Corero reports that its DDoS mitigation team has so far observed only a handful of short but powerful attacks against the company’s protected customers originating from this vector, but the technique could potentially inflict significant damage by leveraging an amplification factor seen at a peak of as much as 55x.
“This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison,” Dave Larson, CTO/COO at Corero Network Security, explains. “When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet – at least degrading it in certain regions.”
Corero describes the technique in its statement as follows: The attacker sends a simple query to a vulnerable reflector that supports the Connectionless LDAP service (CLDAP) and, using source-address spoofing, makes the query appear to originate from the intended victim. The CLDAP service then responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target. Amplification techniques allow bad actors to intensify the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker’s queries. In this case, the LDAP service responses are capable of reaching very high bandwidth, and Corero says it has seen an average amplification factor of 46x and a peak of 55x.
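To make the reflection pattern described above concrete from a defender’s side, here is an added example (not Corero’s code or part of the original article) that walks a handful of constructed NetFlow-style UDP flow records and flags a destination that is receiving large UDP/389 responses from many distinct reflectors; the record layout, the sample addresses and the 52-byte query-size assumption used to estimate amplification are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article), one per UDP flow
# as a NetFlow/IPFIX collector might export them:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("198.51.100.10", 389, "203.0.113.5", 41312, 20, 60000),
    ("198.51.100.11", 389, "203.0.113.5", 41312, 18, 54000),
    ("198.51.100.12", 389, "203.0.113.5", 41312, 25, 75000),
    ("198.51.100.13", 389, "203.0.113.5", 41312, 22, 66000),
    ("192.0.2.7", 389, "192.0.2.8", 50000, 2, 400),      # benign CLDAP lookup
    ("192.0.2.9", 53, "203.0.113.5", 41312, 3, 600),     # unrelated DNS traffic
]

CLDAP_PORT = 389
# Assumed size of a minimal CLDAP query on the wire; used only to turn the
# observed average response size into a rough amplification estimate.
QUERY_BYTES = 52


def cldap_reflection_report(flows, min_reflectors=3, min_amplification=10):
    """Group UDP flows sourced from port 389 by destination and flag any
    destination that receives large CLDAP responses from many reflectors."""
    per_target = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port != CLDAP_PORT:      # only responses from the CLDAP service port
            continue
        target = per_target[dst_ip]
        target["reflectors"].add(src_ip)
        target["packets"] += packets
        target["bytes"] += nbytes

    report = {}
    for dst_ip, target in per_target.items():
        avg_response = target["bytes"] / target["packets"]
        est_amplification = avg_response / QUERY_BYTES
        report[dst_ip] = {
            "reflectors": len(target["reflectors"]),
            "avg_response_bytes": avg_response,
            "est_amplification": round(est_amplification, 1),
            # Many reflectors plus a high response/query ratio is the signature
            # of a reflected amplification attack aimed at dst_ip.
            "suspicious": (len(target["reflectors"]) >= min_reflectors
                           and est_amplification >= min_amplification),
        }
    return report


if __name__ == "__main__":
    for dst, info in cldap_reflection_report(FLOWS).items():
        print(dst, info)
```

On the reflector side the same per-target grouping, keyed on the destination of outbound UDP/389 responses, shows which exposed CLDAP servers are being abused and should not be reachable from the Internet.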
“LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries,” Larson notes. “However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network. Specifically, following the best common practice, BCP 38, described in the Internet Engineering Task Force (IETF) RFC 2827, which describes router configurations that are designed to eliminate spoofed IP address usage by employing meaningful ingress filtering techniques, would reduce the overall problem of reflected DDoS by at least an order of magnitude.”
Larson further says that DDoS attacks are increasingly automated, meaning that attackers can switch vectors faster than a human can respond. He says the only effective defense against this type of DDoS attack vector requires automated mitigation techniques.