Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns.
DDoS campaigns have been growing to enormous sizes and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices.
Jose Arteaga and Wilber Majia, threat researchers for Akamai, identified attacks in the wild that used the Connection-less Lightweight Directory Access Protocol(CLDAP) to perform dangerous reflection attacks.
“Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively,” Arteaga and Majia wrote. “While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries.”
The CLDAP reflection attack method was first discovered in October 2016 by Corero and at the time it was estimated to be capable of amplifying the initial response to 46 to 55 times the size, meaning far more efficient reflection attacks using fewer sources.
The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw one payload of 52 bytes amplified to as much as 70 times the attack data payload (3,662 bytes) and a peak bandwidth of 24Gbps and 2 million packets per second.
This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow “a user with low bandwidth [to] DDoS an organization with much higher bandwidth.”
“CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response,” Williams told SearchSecurity. “You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk.”
Arteaga and Majia said enterprises could limit these kinds of reflection attacks fairly easily by blocking specific ports.
“Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place,” Arteaga and Majia wrote in a blog post. “Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389, to eliminate the discovery of another potential host fueling attacks.”
Williams agreed that ingress filtering would help and noted that “CLDAP was officially retired from being on the IETF standards track in 2003” but enterprises using Active Directory need to be aware of the threat.
“Active Directory supports CLDAP and that’s probably the biggest reason you’ll see a CLDAP server exposed to the internet,” Williams said. “Another reason might be email directory services, though I suspect that is much less common.”