H Corero Network Security αποκάλυψε ένα νέο φορέα επίθεσης DDoS που παρατηρήθηκε για πρώτη φορά σε βάρος των πελατών της, την περασμένη εβδομάδα. Η εταιρεία αναφέρει ότι οι επιτιθέμενοι χρησιμοποιούσαν μια νέα τεχνική ενίσχυσης, η οποία χρησιμοποιεί το Lightweight Directory Access Protocol (LDAP): ένα από τα πιο ευρέως χρησιμοποιούμενα πρωτόκολλα για την πρόσβαση στο όνομα χρήστη και τον code πρόσβασης σε βάσεις δεδομένων όπως το Active Directory, το οποίο είναι ενσωματωμένο στους περισσότερους online servers.
Experts observed minimal, short but extremely powerful attacks from this organization. The new technique has the potential to cause significant damage by using an amplification factor that increases the size of the 55 times attacks. So in terms of its dynamic scale, if combined with the IoT botnet used in the recent assault against Brian Krebs and Dyn, we could soon see new recordings in the DDoS attack landscape, since it will be able to reach sizes dozens of terabits per second.
The landscape of DDoS has been extremely volatile over the past few weeks, notably with the release of the Mirai botnet code that can infect IoT devices.
"This new player may represent a significant escalation in the already dangerous DDoS landscape, with possibilities for events that will make the recent headline attacks seem very small in comparison. When combined with other methods, especially IoT botnets, we could soon see attacks reaching scales that in the past seemed impossible. "Terabit-scale attacks could soon become a reality and could significantly affect Internet availability in some areas," said Dave Larson, CTO / COO of Corero Network Security.
How does the enhanced DDoS attack work?
The attacker sends a simple query to a vulnerable reflector that supports the Connectionless LDAP (CLDAP) service, using the victim's IP address. The CLDAP service responds to the spoofed address, and begins sending spam traffic to network to the attacker's intended target.
Enhancement techniques allow malicious users to increase the magnitude of their attacks because the responses generated by the LDAP servers are much larger than the attacker's queries. In this case, LDAP responses are able to achieve very high bandwidth, so the average of the boost factor reaches 46x and at peak times 55x.
Dave Larson explains:
"LDAP is not the first, nor the last protocol or service that can be exploited in this way. New reinforcement attacks happen frequently because there are so many open services on the internet that respond to spoofed queries. However, many of these attacks can be mitigated by the carrier supply services by correctly identifying spoofed IP addresses before those requests are accepted into the network. Specifically, using the best common practice, BCP 38, described as Internet Engineering Task Force (IETF) RFC 2827, can eliminate the use of spoofed IP addresses by using effective ingress filtering techniques.”
