Corero Network Security has unveiled a new DDoS attacker that was first seen against its customers last week. The company reports that the attackers used a new support technique that uses Lightweight Directory Access Protocol (LDAP): one of the most widely used protocols for accessing user name and password in databases such as Active Directory, which is built into most online servers.
Experts observed minimal, short but extremely powerful attacks from this organization. The new technique has the potential to cause significant damage by using an amplification factor that increases the size of the 55 times attacks. So in terms of its dynamic scale, if combined with the IoT botnet used in the recent assault against Brian Krebs and Dyn, we could soon see new recordings in the DDoS attack landscape, since it will be able to reach sizes dozens of terabits per second.
The landscape of DDoS has been extremely volatile over the past few weeks, notably with the release of the Mirai botnet code that can infect IoT devices.
"This new player may represent a significant escalation in the already dangerous DDoS landscape, with possibilities for events that will make the recent headline attacks seem very small in comparison. When combined with other methods, especially IoT botnets, we could soon see attacks reaching scales that in the past seemed impossible. "Terabit-scale attacks could soon become a reality and could significantly affect Internet availability in some areas," said Dave Larson, CTO / COO of Corero Network Security.
How does the enhanced DDoS attack work?
The attacker sends a simple query to a vulnerable reflector that supports the Connectionless LDAP (CLDAP) service, using the victim's IP address. The CLDAP service responds to the forged address, and starts sending unwanted traffic to the target intruder's target.
Enhancement techniques allow malicious users to increase the magnitude of their attacks because the responses generated by the LDAP servers are much larger than the attacker's queries. In this case, LDAP responses are able to achieve very high bandwidth, so the average of the boost factor reaches 46x and at peak times 55x.
Dave Larson explains:
"LDAP is not the first, nor the last protocol or service that can be utilized in this way. Attacks with new aids often occur because there are so many open services on the internet that answer fake questions. However, many of these attacks can be mitigated by the service provider by correctly identifying the forged IP addresses before these requests are accepted on the network. In particular, the use of best practice, BCP 38, described as the Internet Engineering Task Force (IETF) RFC 2827, can eliminate the use of forged IP addresses using substantial inbound filtering techniques. ”