DDoS attacks of dozens of terabits: Coming soon

Corero Network has disclosed a new DDoS attack vector, first observed against its customers last week. The company says the attackers used a new amplification technique that abuses the Lightweight Directory Access Protocol (LDAP), one of the most widely used protocols for accessing username and password information in databases such as Active Directory, which is integrated into most online servers.

Experts observed a few short but extremely powerful attacks of this kind. The new technique has the potential to cause significant damage, because its amplification factor increases the size of attacks 55 times. In terms of potential scale, if it is combined with the IoT botnet used in the recent attacks against Brian Krebs and Dyn, we could soon see new records in the DDoS attack landscape, since attacks will be able to reach dozens of terabits per second.

The landscape of DDoS has been extremely volatile over the past few weeks, notably with the release of the Mirai botnet code that can infect IoT devices.

"This new player may represent a significant escalation in the already dangerous DDoS landscape, with possibilities for events that will make the recent headline attacks seem very small in comparison. When combined with other methods, especially IoT botnets, we could soon see attacks reaching scales that in the past seemed impossible. Terabit-scale attacks could soon become a reality and could significantly affect Internet availability in some areas," said Dave Larson, CTO/COO of Corero Network Security.

How does the amplified DDoS attack work?

The attacker sends a simple query to a vulnerable reflector that supports the Connectionless LDAP (CLDAP) service, spoofing the victim's IP address as the source. The CLDAP service responds to the forged address, sending unwanted traffic to the attacker's target.

Amplification techniques allow attackers to increase the size of their attacks because the responses produced by LDAP servers are much larger than the attacker's queries. In this case, the responses of the LDAP service can reach very high bandwidth: the average amplification factor is 46x, and 55x during peak hours.
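The reflection described above leaves a recognizable trace at the target's network edge: UDP replies from source port 389 arriving from servers the target never queried. The following detection sketch is an added example, not code from Corero or from the original article; the flow-record layout, the sample addresses (documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP over UDP on port 389

# Constructed flow records seen at a network edge:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Solicited: an internal host queries a directory server and gets a reply.
    ("198.51.100.10", 40000, "192.0.2.53", 389, "udp", 60),
    ("192.0.2.53", 389, "198.51.100.10", 40000, "udp", 2900),
    # Unsolicited: replies from servers that 198.51.100.20 never queried.
    ("203.0.113.5", 389, "198.51.100.20", 80, "udp", 3000),
    ("203.0.113.6", 389, "198.51.100.20", 80, "udp", 3000),
    ("203.0.113.7", 389, "198.51.100.20", 80, "udp", 3000),
    # A single stray reply, below the alerting thresholds.
    ("203.0.113.9", 389, "198.51.100.30", 5000, "udp", 3000),
    # LDAP over TCP cannot be reflected this way and is ignored.
    ("192.0.2.53", 389, "198.51.100.10", 40001, "tcp", 5000),
]

def find_reflection_targets(flows, min_reflectors=3, min_bytes=8000):
    """Return {target_ip: (reflector_count, unsolicited_bytes)} for hosts
    receiving CLDAP replies they did not ask for (thresholds are assumed)."""
    # Pass 1: remember every (client, server) pair with a real CLDAP request.
    queried = {(src, dst) for src, _, dst, dport, proto, _ in flows
               if proto == "udp" and dport == CLDAP_PORT}
    # Pass 2: aggregate CLDAP replies that match no request.
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, _, proto, size in flows:
        if proto != "udp" or sport != CLDAP_PORT:
            continue
        if (dst, src) in queried:
            continue  # reply to a query the host actually sent
        reflectors[dst].add(src)
        volume[dst] += size
    return {t: (len(reflectors[t]), volume[t]) for t in reflectors
            if len(reflectors[t]) >= min_reflectors and volume[t] >= min_bytes}

if __name__ == "__main__":
    for target, (count, size) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{target}: {size} unsolicited CLDAP bytes from {count} reflectors")
```
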

Dave Larson explains:

"LDAP is not the first, nor the last protocol or service that can be exploited in this way. Attacks with new reinforcements happen often, because there are so many open services on the Internet that respond to the forged queries. However, many of these attacks can be mitigated by the service provider by correctly identifying spoofed IP addresses before they are accepted on the network. Specifically, using the best common practice, BCP 38, described as Internet Engineering Task Force (IETF) RFC 2827, can eliminate the use of spoofed IP addresses by using effective ingress filtering techniques."

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
