LDAP Attack Vector Makes Terabit-Scale DDoS Attacks Possible

A new zero-day distributed denial of service (DDoS) attack vector could open the flood gates for terabit-scale DDoS events, researchers at Corero Network Security warn.

The new zero-day attack vector has been already observed in a live incident and relies on the Lightweight Directory Access Protocol (LDAP) protocol, which is used for accessing username and password information in databases like Active Directory. By leveraging amplification, cybercriminals can inflict significant damage to their targets, the security researchers say.

According to Corero, the technique could be used to leverage an amplification factor of 46x, but which could peak at 55x. The security company also explains that an attacker could send a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP). The use of address spoofing would result in the query appearing to originate from the intended victim.

Because the CLDAP service would respond to the spoofed address, unwanted network traffic would be immediately sent to the attacker’s intended target. What’s more, the use of amplification techniques would allow actors to intensify the size of attacks, because the LDAP servers generate responses much larger than the attacker’s queries.

“In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x,” the security company says. The CLDAP zero-day vulnerability has been observed leveraged in short but powerful attacks last week, and is expected to influence the landscape in a way that recent large-scale incidents would seem small.

The use of this technique in live attacks could result in incidents that peak at tens of terabits per second in size, the security researchers say. Such attacks would be possible if this zero-day DDoS attack vector is combined with the power of Internet of Things botnets such as Mirai, which was recently used in a 655 Gbps attack against Brian Krebs’s website.

With the Mirai source code released online and hundreds of thousands of Internet of Things (IoT) devices found vulnerable to it, the number of attacks leveraging the botnet has increased and the DDoS landscape could become even more volatile in the foreseeable future, researchers say. In fact, Mirai has been already used in an attack against DNS provider Dyn.

“When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions,” Dave Larson, CTO/COO at Corero Network Security, explains.

Because today’s DDoS attacks are increasingly automated, attackers can switch vectors faster than any human can respond, Larson also said. Thus, automated mitigation techniques are required to effectively protect networks against this type of DDoS attack vector. The short duration and high volume attacks will make it impossible for legacy solutions to identify and properly mitigate such incidents, he added.

Related: What's the Fix for IoT DDoS Attacks?

view counter
image
Ionut Arghire is an international correspondent for SecurityWeek.
Previous Columns by Ionut Arghire:
Tags:
Original author: Ionut Arghire