New DDoS Attacks Use Far Fewer Infected Hosts, Target Education

• By Dian Schaffhauser
• 04/20/17

Akamai Technologies has identified a new attack method generating extremely large distributed denial of service (DDoS) attacks against educational institutions and other types of organizations but without the millions of infected hosts typically seen in these scenarios. In a threat advisory recently published by the content delivery network company's security intelligence response team, researchers described a reflection and amplification method that can produce "significant attack bandwidth" through "significantly fewer hosts." What's required are open ports allowing LDAP traffic.

The company's security experts have detected and mitigated a total of 50 Connection-less Lightweight Directory Access Protocol (CLDAP) reflection attacks. CLDAP was intended as an "efficient alternative to LDAP queries done over Transmission Control Protocol (TCP).

Most of the attacks seen in the wild used CLDAP reflection exclusively. Twice, education has been the target. However, the primary victims have been in the software and technology industry, where 21 attacks have taken place, and the gaming segment, which has had 15 attacks.

The largest of the attacks hit its target with a peak bandwidth of 24 gigabits per second and a top count of packets per second of 2 million. The source port was 386, the port used by Lightweight Directory Access Protocol (LDAP).

According to the report, signatures of the attack suggest that it's "capable of impressive amplification." For example, Akamai security people obtained sample malicious LDAP reflection queries that had a payload of only 52 bytes. Yet the attack data payload was 3,662 bytes, meaning that the amplification factor was 73. More typically, the average amplification rate was 57, according to the researchers.

The attacks are launched using "attack scripts," usually written in C and with only slight variations from one vector to another. When the script is run, the target IP becomes the source of all the 52-byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the CLDAP servers do as they're designed and reply to the query. As a result, the report described, "the target of this attack must deal with a flood of unsolicited CLDAP responses."

The attack is "fueled" by the number of servers on the internet with port 389 open and listening. Once a server has been identified as a viable source, it's added to the list of reflectors. The best mitigation, suggested the report, is to filter the port in question. "Ingress filtering of the CLDAP port from the internet will prevent discovery and subsequent abuse of this service," the report noted. Another option is to apply rules, which won't stop the outbreak, but will alert system administers when an attempt is made to use the systems as part of a reflection attack.

The report, "CLDAP Reflection DDoS" is available from Akamai's dropbox account here.