DDoS attacks of dozens of terabits: Coming soon

Corero Network Security has revealed a new DDoS attack vector first seen targeting its customers last week. The company reports that the attackers used a new amplification technique that abuses the Lightweight Directory Access Protocol (LDAP), one of the most widely used protocols for accessing username and password information in databases such as Active Directory, which is integrated into most online servers.

Experts observed a few short but extremely powerful attacks using this vector. The new technique has the potential to cause significant damage by using an amplification factor that increases the size of the attacks 55 times. In terms of potential scale, if it is combined with the IoT botnet used in the recent attack against Dyn, we could soon see new records in the landscape of DDoS attacks, with the potential to reach tens of terabits per second.

The landscape of DDoS has been extremely volatile over the past few weeks, notably with the release of the Mirai botnet code that can infect IoT devices.

“This new actor may represent a significant escalation in the already dangerous DDoS landscape, with potential for events that will make recent headline-grabbing attacks seem minuscule in comparison. When combined with other methods, particularly IoT, we could soon see attacks reaching scales previously thought impossible. Terabit-scale attacks could soon become a reality and could significantly impact Internet availability in some regions,” said Dave Larson, CTO/COO of Corero Network Security.

How does the amplified DDoS attack work?

The attacker sends a simple query to a vulnerable reflector that supports the Connectionless LDAP (CLDAP) service, forging the victim's IP address as the source. The CLDAP service responds to the forged address, sending unwanted traffic to the attacker's intended target.

Amplification techniques allow malicious users to increase the magnitude of their attacks because the responses generated by the LDAP servers are much larger than the attacker's queries. In this case, LDAP responses are able to achieve very high bandwidth: the amplification factor averages 46x and reaches 55x at peak times.
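A defensive check for operators of servers that expose CLDAP, as an added example that is not part of the original article: it totals UDP port 389 query and response bytes per claimed client in flow records and flags addresses that receive responses far larger than the queries sent in their name. The record layout, sample addresses, thresholds and function name are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP over UDP port 389

# Constructed flow records seen at the edge of one exposed server (198.51.100.10).
# Columns: src_ip, src_port, dst_ip, dst_port, proto, bytes
SAMPLE_FLOWS = """\
203.0.113.7,40001,198.51.100.10,389,udp,52
198.51.100.10,389,203.0.113.7,40001,udp,2392
203.0.113.7,40002,198.51.100.10,389,udp,52
198.51.100.10,389,203.0.113.7,40002,udp,2392
192.0.2.44,51000,198.51.100.10,389,udp,60
198.51.100.10,389,192.0.2.44,51000,udp,180
192.0.2.80,51515,198.51.100.10,389,tcp,300
198.51.100.10,389,192.0.2.80,51515,tcp,9000
"""


def find_reflection_targets(flow_csv, server_ip, min_factor=10.0, min_resp_bytes=1000):
    """Return {claimed_client_ip: amplification_factor} for suspicious CLDAP exchanges."""
    req = defaultdict(int)   # query bytes received from each claimed client
    resp = defaultdict(int)  # response bytes the server sent back to that address
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        src, sport, dst, dport, proto, nbytes = row
        if proto.lower() != "udp":
            continue  # TCP needs a handshake, so a forged source cannot complete it
        if dst == server_ip and int(dport) == CLDAP_PORT:
            req[src] += int(nbytes)
        elif src == server_ip and int(sport) == CLDAP_PORT:
            resp[dst] += int(nbytes)
    flagged = {}
    for client, sent in resp.items():
        asked = req.get(client, 0)
        if asked == 0 or sent < min_resp_bytes:
            continue  # nothing to compare against, or too little traffic to matter
        factor = sent / asked
        if factor >= min_factor:
            flagged[client] = round(factor, 1)
    return flagged


if __name__ == "__main__":
    for ip, factor in find_reflection_targets(SAMPLE_FLOWS, "198.51.100.10").items():
        print(f"{ip}: responses are {factor}x the queries (source address likely forged)")
```

An address flagged here is most likely the victim rather than a real client, so the useful response is to stop answering CLDAP from the Internet, not to block that address.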

Dave Larson explains:

"LDAP is not the first, nor the last protocol or service that can be utilized in this way. Attacks with new aids often occur because there are so many open services on the internet that answer fake questions. However, many of these attacks can be mitigated by the service provider by correctly identifying the forged IP addresses before these requests are accepted on the network. In particular, the use of best practice, BCP 38, described as the Internet Engineering Task Force (IETF) RFC 2827, can eliminate the use of forged IP addresses using substantial inbound filtering techniques."

Written by giorgos