The attacker makes a query look like it was initiated by the victim

More than 400 DDoS attacks taking advantage of misconfigured LDAP servers have been spotted by security researchers.

CLDAP DDoS attacks are a reflection and amplification technique that abuses the Connectionless Lightweight Directory Access Protocol (CLDAP), the UDP form of LDAP that listens on port 389/udp. LDAP is one of the most widely used protocols for looking up username and password information in directories such as Active Directory, which sits behind many internet-facing servers. When an Active Directory server is misconfigured so that its CLDAP service is reachable from the Internet, it can be used as a reflector: the attacker sends it small queries with a forged source address, and the much larger replies are delivered to whoever owns that address.

Since the vector was first seen in October 2016, researchers at Corero Network Security have observed a total of 416 CLDAP DDoS attacks, most of them aimed at hosting and internet service providers. The largest recorded attack peaked at 33 Gbps, with an average of 10 Gbps, and attacks lasted 14 minutes on average.

“These powerful short duration attacks are capable of impacting service availability, resulting in outages, or acting as a smoke screen for other types of cyber-attacks, including those intended for breach of personally identifiable data,” said Stephanie Weagle, vice president of marketing at Corero Network Security, in a blog post.

Stephen Gates, chief research intelligence analyst from NSFOCUS, told SC Media UK that in the quest to find new means of launching DDoS attacks, hackers have once again found open devices on the Internet running weak protocols that can be exploited for their personal gain. 

“However, like any other reflective DDoS attack campaign, the number of available reflectors is of critical importance. In addition, the amplification factor those reflectors afford is the second stipulation,” he said.

“In this case, the number of open devices on the Internet running CLDAP is relatively small, in comparison to open DNS and NTP reflectors; yet the amplification factor is respectable (~70x). Surely, this attack technique is new, but it is not the worst seen so far. This vector will likely be used in combination with other reflective attack techniques, and rarely used on its own. Until the world's service providers fully implement BCP-38, similar discoveries and resulting campaigns will continue to plague us all.”

Bogdan Botezatu, senior E-Threat analyst at Bitdefender, told SC that a CLDAP attack is designed around three parties: an entity running a misconfigured instance of CLDAP, a victim and an attacker.

“The attacker would ask the CLDAP infrastructure to retrieve all the users registered in the Active Directory. Because the attacker makes this query look like it was initiated by the victim by replacing the originating IP address with the victim's, the CLDAP service will actually send the answer to the victim,” he said.

“Subsequently, the victim finds itself being bombarded with the information they did not request. If the attacker can harness enough power, the victim's infrastructure will crash under a load of unsolicited information.”

He said that organisations could deploy strong, restrictive firewall policies for inbound traffic. “Load balancing and specialised hardware can also help organisations absorb the impact,” said Botezatu.
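The exchange Botezatu describes, and the ~70x figure Gates cites, can be turned into a check that a defender runs against their own directory servers from outside the perimeter. The following is an added example, not code from the article or from any of the vendors quoted: it builds the minimal CLDAP rootDSE search that reflection tools send (a 39-byte datagram to 389/udp) and computes the amplification factor as reply bytes divided by request bytes. The `probe` function, the host name and the timeout are assumptions for illustration, and the 70x ratio used in the lead-in is Gates's estimate, not a measurement.

```python
import socket
import sys


def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (tag, definite length, body) as LDAP requires."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def cldap_rootdse_request(message_id: int = 1) -> bytes:
    """Build the LDAPMessage for a rootDSE search: base object "", scope
    baseObject, filter (objectClass=*), empty attribute list, so the server
    answers with every user attribute of the rootDSE."""
    if not 1 <= message_id <= 127:
        raise ValueError("this example keeps messageID to one positive byte")
    search_request = (
        ber(0x04, b"")               # baseObject: "" (the rootDSE)
        + ber(0x0A, b"\x00")         # scope: baseObject (0)
        + ber(0x0A, b"\x00")         # derefAliases: neverDerefAliases (0)
        + ber(0x02, b"\x00")         # sizeLimit: 0 (no limit)
        + ber(0x02, b"\x00")         # timeLimit: 0 (no limit)
        + ber(0x01, b"\x00")         # typesOnly: FALSE
        + ber(0x87, b"objectClass")  # filter: [7] present -> (objectClass=*)
        + ber(0x30, b"")             # attributes: empty -> all user attributes
    )
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 3] SearchRequest }
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x63, search_request))


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes the reflector sent back per byte the querier sent it."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, timeout: float = 2.0) -> list:
    """Send one CLDAP rootDSE query over UDP/389 and collect every datagram
    that comes back before the timeout. Assumed helper; only point it at
    hosts you are responsible for."""
    request = cldap_rootdse_request()
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 389))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                responses.append(data)
        except socket.timeout:
            pass
    return responses


if __name__ == "__main__":
    # "dc01.example.internal" is a placeholder host name, not a real target.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    replies = probe(target)
    if not replies:
        print(f"{target}: no CLDAP reply on 389/udp (not exposed, or filtered)")
    else:
        factor = amplification_factor(cldap_rootdse_request(), replies)
        print(f"{target}: {len(replies)} datagram(s), {sum(map(len, replies))} bytes, "
              f"amplification {factor:.1f}x")
```

A directory that answers a 39-byte query from the Internet with a multi-kilobyte rootDSE entry is exactly the reflector Corero describes. Run the probe from an address outside the organisation: a reply means the inbound firewall policy Botezatu recommends is missing for 389/udp, and the server will serve a spoofing attacker as readily as it served this check. The BCP-38 source-address validation Gates mentions is the complementary fix on the provider side, since it stops the forged-source query from being delivered in the first place.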