Administrators are being warned – again – to make sure only necessary ports on network devices are open now that a new reflection technique for creating distributed denial of service attacks is becoming more common.
On Wednesday Akamai Technologies said in a report that someone, or some group, is leveraging the Connection-less Lightweight Directory Access Protocol (CLDAP) through destination port 389 for powerful attacks. There’s no reason for that port to be open, said Jose Arteaga, an Akamai threat researcher and co-author of a report on the discovery, in an interview.
Thousands of hosts have been used in recent attacks, including 376 in Canada, says Akamai. It says an Internet scan revealed over 78,000 hosts around the world that could be used for CLDAP reflection attacks, 2,207 of which are in Canada.
The technique was first reported last October by Corero Network Security.
Reflection attacks use compromised hosts to overwhelm a target Web site by bouncing huge numbers of queries from unsuspecting devices.
The CLDAP technique has an advantage for attackers: unlike other reflection-type attacks, where the reflecting hosts may number in the millions, it has been able to produce attack bandwidth of over 1 Gbps with significantly fewer hosts.
This is the 13th reflection-type attack Akamai has discovered on its network – attacks leveraging domain name system (DNS) servers are the most common – but researchers already think it will become the fifth most commonly used against the company’s customer base, Arteaga said.
Who is behind this style of attack is a mystery. “Attacks like Mirai are botnet attacks that usually get attributed back to an author – there’s code associated with that malware, there are ways to track it back for attribution,” said Arteaga. “Reflection-based attacks are harder to trace. It’s a spoofed query, and it’s fairly easy – almost no infrastructure from the attacker side” is needed. Queries can be sent through VPNs or Tor, which can hide the creators.
Akamai has detected and mitigated 50 CLDAP reflection attacks since last October, 33 of which were single-vector attacks using CLDAP reflection exclusively. A 24 Gbps attack on January 7 is currently the largest DDoS attack using the technique as the sole vector. The average bandwidth for CLDAP attacks has been 3 Gbps.
For whatever reason, gaming Web sites are typically the most targeted for DDoS attacks, but Akamai says CLDAP attacks have primarily targeted software and technology companies. Other victims include Internet and telecom, media and entertainment, education, retail and consumer goods, and financial services firms.
CLDAP is a variant of the Lightweight Directory Access Protocol (LDAP), which is used to query a directory of users on a server. It was intended as an efficient, connectionless (UDP) alternative to LDAP queries over Transmission Control Protocol (TCP). According to Wireshark, CLDAP is most commonly encountered on Microsoft Active Directory networks, where clients use it to retrieve server information.
“It’s perfectly suitable for an internal network … (but) there really shouldn’t be a need for CLDAP to be exposed on the Internet for normal Internet communications,” said Arteaga. Many Internet service providers filter for other protocols, but until CLDAP and others vulnerable to reflection are added, the problem won’t go away, he said.
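One practical way for an administrator to act on the advice above is to look at flow records for hosts on their own network that are sending large volumes of UDP/389 traffic to addresses outside the network, which is what a CLDAP server looks like when it is being used as a reflector. The script below is an added example, not code from Akamai, Corero or the article; the flow record layout (`timestamp proto src:port -> dst:port packets bytes`), the sample records, the "internal" prefixes and the byte thresholds are all constructed assumptions to be replaced with local values.

```python
"""Flag hosts on our network that appear to be answering CLDAP (UDP/389)
queries toward the Internet, i.e. likely reflectors in a CLDAP attack.
Added example; the record layout and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample, one flow per line (not data from the article):
# timestamp proto src_ip:src_port -> dst_ip:dst_port packets bytes
SAMPLE_FLOWS = """\
2017-04-12T10:00:01 UDP 192.0.2.10:389 -> 198.51.100.7:54021 120 360000
2017-04-12T10:00:01 UDP 192.0.2.10:389 -> 198.51.100.7:54022 118 354000
2017-04-12T10:00:02 UDP 192.0.2.10:389 -> 10.1.4.20:61000 2 1200
2017-04-12T10:00:02 UDP 192.0.2.11:389 -> 203.0.113.9:40000 3 1500
2017-04-12T10:00:03 TCP 192.0.2.12:389 -> 198.51.100.7:44000 40 8000
2017-04-12T10:00:03 UDP 192.0.2.13:53 -> 198.51.100.7:44001 500 1500000
"""

# Assumed: the address space we administer. 192.0.2.0/24 is a documentation
# prefix standing in for a real public allocation; 198.51.100.0/24 and
# 203.0.113.0/24 stand in for arbitrary Internet (victim) addresses.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]

CLDAP_PORT = 389


def parse_flow(line):
    """Parse one flow record; return None for lines that don't fit the layout."""
    parts = line.split()
    if len(parts) != 7 or parts[3] != "->":
        return None
    try:
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return {
            "time": parts[0],
            "proto": parts[1].upper(),
            "src_ip": ipaddress.ip_address(src_ip),
            "src_port": int(src_port),
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port),
            "packets": int(parts[5]),
            "bytes": int(parts[6]),
        }
    except ValueError:
        return None


def is_internal(addr, nets):
    return any(addr in net for net in nets)


def find_cldap_reflectors(flow_text, internal_nets, min_bytes=100_000, min_avg_pkt=1000):
    """Aggregate outbound UDP/389 traffic per internal source and flag sources
    whose total volume and per-packet size look like reflected CLDAP responses
    rather than the small replies an internal AD client would receive.
    Both thresholds are assumptions to tune against a local baseline."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "victims": set()})
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f is None:
            continue
        if f["proto"] != "UDP" or f["src_port"] != CLDAP_PORT:
            continue
        if not is_internal(f["src_ip"], internal_nets):
            continue
        if is_internal(f["dst_ip"], internal_nets):
            continue  # legitimate AD clients live inside; only outbound counts
        entry = totals[str(f["src_ip"])]
        entry["packets"] += f["packets"]
        entry["bytes"] += f["bytes"]
        entry["victims"].add(str(f["dst_ip"]))

    flagged = {}
    for host, entry in totals.items():
        avg = entry["bytes"] / entry["packets"] if entry["packets"] else 0
        if entry["bytes"] >= min_bytes and avg >= min_avg_pkt:
            flagged[host] = entry
    return flagged


if __name__ == "__main__":
    for host, info in find_cldap_reflectors(SAMPLE_FLOWS, INTERNAL_NETS).items():
        print(f"{host}: {info['bytes']} bytes in {info['packets']} packets "
              f"toward {sorted(info['victims'])}")
```

In the constructed sample only 192.0.2.10 is flagged: its two outbound flows add up to 714,000 bytes in 238 packets, about 3,000 bytes per packet, which is what a stream of full CLDAP responses looks like, while 192.0.2.11 sends only three small packets, the TCP/389 flow is ordinary LDAP, and the port-53 flow is DNS. A flagged host is a candidate for the fix the article recommends, blocking UDP/389 from the Internet at the edge, followed by notifying the destination it was reflecting toward.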