DDoS attacks abusing exposed LDAP servers on the rise

A pair of advisories from Ixia and Akamai illustrate how DDoS attackers can abuse legitimate protocols to launch ever larger reflection attacks


Each DDoS attack seems to be larger than the last, and recent advisories from Akamai and Ixia indicate that attackers are stepping up their game. As attackers expand their arsenal of reflection methods to CLDAP (Connection-less Lightweight Directory Access Protocol) and to BIND-based DNS resolvers that can be coaxed into returning oversized DNAME responses, expect to see even larger attacks this year.

Reflection attacks abuse legitimate protocols, such as NTP, DNS, and SNMP, to produce very large amounts of attack bandwidth. Attackers send a request to a third-party server with the source IP address spoofed to that of the victim, and the server sends its response (which is typically much larger than the request) to the spoofed address rather than to the sender. Because the request is small and the response is large, the third party both hides the attacker and multiplies the traffic. Instead of building botnets of millions of compromised hosts, attackers can use a small number of systems to drive a list of exposed third-party servers.

CLDAP on the rise

CLDAP, a variant of LDAP that runs over UDP (User Datagram Protocol) on port 389 instead of TCP, is the latest protocol being abused by DDoS attackers, according to an advisory by Akamai's Security Intelligence Response Team. The CLDAP reflection method amplifies responses to roughly 50 times the size of the initial request on average, and it can be used to consistently produce attack traffic exceeding 1Gbps. Akamai said it has detected and mitigated 50 CLDAP reflection attacks since October, of which 33 were single-vector attacks using CLDAP reflection exclusively.

According to Akamai's statistics, more than 60 percent of DDoS attacks in the first half of 2016 were multivector attacks, so the fact that attackers are consistently hitting large traffic bandwidth without having to combine with other attack methods is a bad sign. Single-vector CLDAP reflection attacks are bad enough, but multivector operations where the attackers combine CLDAP reflection with other methods, such as DNS amplification and direct TCP floods, could be catastrophic for organizations that can't absorb large DDoS attacks. While the average CLDAP reflection attack is about 3Gbps, the largest attack to date was a single-vector 24Gbps attack launched in January against a telecommunications company, Akamai said.

Akamai found a total of 7,629 unique CLDAP reflectors used in attacks, with the largest concentration found in the United States. These are CLDAP systems actually used in attacks; an internet-wide scan for hosts vulnerable to CLDAP reflection abuse found 78,531 unique systems that were exposed. Almost any CLDAP system could be abused this way, as Akamai found that 78,071 of those hosts responded with more than 1,500 bytes of data to an initial query of 52 bytes.

"Unless there is a legitimate need for an organization to have CLDAP available over the internet, there should be no reason to compound the DDoS reflection problem by exposing this protocol," said Akamai researchers Jose Arteaga and Wilber Majia.

Attackers would not be able to find servers to abuse in amplification attacks if network administrators did a better job of ingress filtering, Akamai SIRT warned in its advisory. If administrators filtered the CLDAP port (UDP 389) from the internet at their network edge, attackers would not be able to scan the internet and build a list of systems with UDP port 389 open and listening. Security teams can also add a rule to the network's intrusion detection system to alert on attempts to use the server as part of a CLDAP reflection attack. Note that this filtering only removes reflectors; the spoofed source addresses that make reflection possible in the first place are a separate problem, addressed by source-address validation (BCP 38) on the networks the attack traffic originates from.
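The quickest way to find out whether one of your own hosts is a CLDAP reflector is to ask it the same rootDSE question every LDAP client sends and measure what comes back. The following is an added example, not Akamai's tooling or the scanner it used; it hand-encodes the BER for a single LDAP SearchRequest with an empty base object, sends it over UDP/389, and reports the total bytes returned and the resulting amplification factor. The 42-byte query it builds is this example's own construction and is not the exact 52-byte probe Akamai measured. Point it only at hosts you are responsible for.

```python
"""Check whether a host answers CLDAP (LDAP over UDP/389) and how much it amplifies.

Added example; not Akamai's code.  Sends one BER-encoded rootDSE SearchRequest
(baseObject "", scope baseObject, filter (objectClass=*)) and sums every
datagram that comes back before the timeout.
"""
import socket

CLDAP_PORT = 389


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER TLV with the given tag byte."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_read(buf: bytes, i: int):
    """Read one TLV at offset i; return (tag, content, offset after the TLV)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, i = first, i + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
        i += 2 + nbytes
    return tag, buf[i:i + length], i + length


def rootdse_query(message_id: int = 1, attributes=("*",)) -> bytes:
    """LDAPMessage { messageID, SearchRequest } asking for the root DSE.

    Tag values are from RFC 4511: SearchRequest is [APPLICATION 3] (0x63),
    the 'present' filter is [7] (0x87).  messageID must fit in one byte here.
    """
    search = (
        ber(0x04, b"")                   # baseObject: "" (the root DSE)
        + ber(0x0A, b"\x00")             # scope: baseObject
        + ber(0x0A, b"\x00")             # derefAliases: neverDerefAliases
        + ber(0x02, b"\x00")             # sizeLimit: 0 (no limit)
        + ber(0x02, b"\x00")             # timeLimit: 0 (no limit)
        + ber(0x01, b"\x00")             # typesOnly: FALSE
        + ber(0x87, b"objectClass")      # filter: (objectClass=*)
        + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attributes))
    )
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x63, search))


def protocol_op(datagram: bytes) -> str:
    """Name the LDAP protocolOp carried by a datagram, or 'not-ldap'."""
    tag, body, _ = ber_read(datagram, 0)
    if tag != 0x30:
        return "not-ldap"
    _, _, i = ber_read(body, 0)          # skip messageID
    op, _, _ = ber_read(body, i)
    names = {0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}
    return names.get(op, f"op-0x{op:02x}")


def amplification(sent: int, received: int) -> float:
    """Bytes returned per byte sent, rounded to one decimal."""
    return round(received / sent, 1) if sent else 0.0


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send one rootDSE query and collect all reply datagrams until the timeout."""
    query = rootdse_query()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    received, ops = 0, []
    try:
        sock.sendto(query, (host, CLDAP_PORT))
        while True:
            data, _ = sock.recvfrom(65535)
            received += len(data)
            ops.append(protocol_op(data))
    except socket.timeout:
        pass                             # no more datagrams: the server is done (or silent)
    finally:
        sock.close()
    return {"host": host, "sent": len(query), "received": received,
            "datagrams": ops, "amplification": amplification(len(query), received)}


if __name__ == "__main__":
    import sys
    # Usage: python cldap_check.py <host-you-administer>
    print(probe(sys.argv[1]))
```

A host that is not exposed returns nothing and the script reports zero datagrams; an exposed Active Directory domain controller typically answers with a SearchResultEntry followed by a SearchResultDone, and the amplification figure is the number a reflector-hunting attacker would see from the outside.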

"More than 50 percent of all attacks are consistently comprised of UDP-based reflection attacks," Akamai's Arteaga said. "Based on similarities shared with UDP reflection attack scripts, CLDAP has likely been included, or will be included, into a full attack script, and integrated into the booter/stresser infrastructure. If it has yet to be included, we may not have seen the worst of these attacks."

BIND vulnerability in DNS

Akamai's report comes on the heels of another advisory by networking company Ixia about a vulnerability in BIND's recursive DNS resolver that could be abused to allow reflection attacks through root DNAME query responses. Oana Murarasu, a security software engineer with Ixia's Application and Threat Intelligence research team, found that the attack generated responses 10 or more times larger than the initial query. "For every 1 megabit of traffic sent [to the resolver], 10 megabits is sent to the victim," Murarasu said.

A DNAME record redirects an entire subtree of the namespace, so a domain owner can specify a new target for everything below a name: with a DNAME from example.com to example.net, a query for foobar.example.com is answered with a synthesized CNAME pointing at foobar.example.net, Murarasu said. While this lets administrators manage multiple domains that all lead to the same resource, loops and chains of such pointers create problems. A specially crafted DNAME Resource Record could cause the recursive server to build a response exceeding 1,000 bytes.

Abusing the vulnerability could generate a "DDoS wildfire," Ixia's Murarasu said. It is also easy for attackers to find BIND servers that can be abused: all they have to do is set up a malicious authoritative nameserver that returns the crafted DNAME, then scan the internet for recursive resolvers that relay it as a large response.

"Always make sure you are not running a recursive name server on the public internet. You will be abused," Ixia warned. If the server has to be on the internet, Ixia recommends watching for the byte pattern 00 00 27 00 01 in the answer section of a DNS response: an owner name of "." (a single zero byte) followed by TYPE 39 (0x0027, DNAME) and CLASS 1 (0x0001, IN), i.e. a DNAME record at the root. Administrators should also use access control lists to ensure that only permitted hosts can use the recursive server.
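Grepping response payloads for 00 00 27 00 01 works, but the same five bytes can occur inside unrelated RDATA, so a detector that walks the answer section record by record is more reliable. The following is an added example, not Ixia's or ISC's code: it parses a DNS response (header, question, answer RRs with name decompression), reports every DNAME whose owner is the root, and compares that with the raw pattern match. The two sample messages are constructed by hand for the example, with a root DNAME pointing at example.net. as a stand-in for whatever a malicious authoritative server would return.

```python
"""Flag DNS responses whose answer section carries a root DNAME record.

Added example (not Ixia's or ISC's code).  A DNS RR is owner-name, TYPE,
CLASS, TTL, RDLENGTH, RDATA; DNAME is TYPE 39 (0x0027) and IN is CLASS 1.
"""
import struct

TYPE_A, TYPE_CNAME, TYPE_DNAME = 1, 5, 39
CLASS_IN = 1
RAW_PATTERN = bytes.fromhex("0000270001")   # "." + TYPE DNAME + CLASS IN, as in Ixia's advisory


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, 0
    for _ in range(128):                       # bound the pointer chain
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                  # the name occupies 2 bytes here
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)


def answers(msg: bytes):
    """Yield (owner, type, class, ttl, rdata offset, rdlength) for each answer RR."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield owner, rtype, rclass, ttl, off, rdlen
        off += rdlen


def root_dname_targets(msg: bytes):
    """Targets of every root-owned IN DNAME RR in the answer section."""
    hits = []
    for owner, rtype, rclass, _ttl, rdoff, _rdlen in answers(msg):
        if owner == "." and rtype == TYPE_DNAME and rclass == CLASS_IN:
            target, _ = read_name(msg, rdoff)
            hits.append(target)
    return hits


def raw_pattern_present(msg: bytes) -> bool:
    """The byte-grep check from the advisory, restricted to the post-header bytes."""
    return RAW_PATTERN in msg[12:]


# --- constructed sample messages (not captured traffic) ----------------------

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, rrs) -> bytes:
    """One A question plus the given (owner, type, rdata) IN answers, no compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, rtype, rdata in rrs:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


# A resolver relaying ". DNAME example.net." and the CNAME it synthesizes from it.
SAMPLE_ROOT_DNAME = build_response("foobar.example.com.", [
    (".", TYPE_DNAME, encode_name("example.net.")),
    ("foobar.example.com.", TYPE_CNAME, encode_name("foobar.example.com.example.net.")),
])
# An ordinary A answer for comparison.
SAMPLE_BENIGN = build_response("www.example.com.", [
    ("www.example.com.", TYPE_A, bytes([192, 0, 2, 10])),
])

if __name__ == "__main__":
    for label, msg in (("root-dname", SAMPLE_ROOT_DNAME), ("benign", SAMPLE_BENIGN)):
        print(label, len(msg), "bytes", root_dname_targets(msg), raw_pattern_present(msg))
```

To use it on live traffic, feed each UDP payload leaving the resolver to root_dname_targets and alert on any non-empty result; the response length is the other number worth logging, since the amplification the advisory describes shows up as answers far larger than the queries that produced them.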

The Internet Systems Consortium (ISC), which maintains BIND, told Ixia that the DNAME behavior was a "protocol design flaw and not a flaw in BIND." Separately, ISC updated BIND to patch three other denial-of-service vulnerabilities that can be triggered remotely; the fixed versions are BIND 9.9.9-P8, 9.10.4-P8, and 9.11.0-P5. The most serious flaw, rated "high" severity, mainly affects recursive resolvers (CVE-2017-3137). The "medium" severity issue (CVE-2017-3136) affects servers configured to use DNS64 with the "break-dnssec yes;" option enabled. The final flaw (CVE-2017-3138) can be triggered remotely only from hosts that are allowed to reach the control channel.

Expect more reflection attacks

DDoS attacks typically target the gaming industry since players rely on connectivity and performance to access their games, but Akamai observed that CLDAP attacks primarily targeted the software and technology industry. Attackers are increasingly using DDoS attacks against other targets, and IT teams have to consider DDoS attacks as part of their capacity planning. The middle of a DDoS attack is not the time to figure out how to beat one.