SANS ISC: Akamai reports UDP DDOS Using C-LDAP reaching 24Gbps SANS ISC InfoSec Forums

Akamai reports UDP DDOS Using C-LDAP reaching 24Gbps

Akamai researchers Jose Arteaga & Wilber Mejia have posted details on a new reflected DDOS approach, using the Connectionless LDAP protocol (on udp/389).

Reflected UDP attacks aren't new, but using CLDAP seems to be.  Which made me wonder who are the folks that decided that their AD (or other LDAP directory) should be put on the internet without at least putting a certificate on it.  Then I clued in - many SIP implementations use unsecured LDAP for authentication, authorization and for a directory.  Shodan lists 12,718 (as of today) sites with udp/389 open - and yes, many of them answer as SIP directories.

The reflection part of the attack is likely a directory list from the root, or even a "tell me about yourself" query against the root would work nicely (that'd be my attack approach anyway).

And apparently some subset of 12,718 sites can total up to a maximum (so far) of 24Gbps of reflected DDOS traffic - 3Gbps being the average seen to date.  Akamai reports 7,629 sites were used, and they also report many more vulnerable sites than Shodan does.

Mitigation?  The report offers a mix of "don't do that" as advice, with a Snort signature to kill the reflection attack.  Unfortunately, the Snort signature needs to be applied at the vulnerable site - to which my question is "what are the odds that an organization that's posted LDAP on udp/389 open to the internet has an instance of Snort running?"  As is the case in so many DDOS situations, the hosts that are the source of the problem never see the problem, they're not the victims.  So it's unlikely that we'll see this fixed anytime soon.

The full Akamai report can be found here:

Rob VandenBrink
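
The diary above points out that the reflecting sites never see the problem themselves. As an added example (not from the Akamai report or the diary author), this is one way an operator could check flow records for a local udp/389 responder sending an external address far more than it received from it. The flow record layout, the thresholds and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389

# Constructed sample flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Small queries claiming to be from 203.0.113.9, and the large replies sent to it
    ("203.0.113.9", 40001, "192.0.2.10", 389, "udp", 520),
    ("192.0.2.10", 389, "203.0.113.9", 40001, "udp", 29500),
    # Ordinary lookup with a modest reply
    ("198.51.100.7", 51515, "192.0.2.10", 389, "udp", 300),
    ("192.0.2.10", 389, "198.51.100.7", 51515, "udp", 900),
    # LDAP over TCP is out of scope for this check and is ignored
    ("198.51.100.7", 51516, "192.0.2.10", 389, "tcp", 400),
    ("192.0.2.10", 389, "198.51.100.7", 51516, "tcp", 90000),
    # Internal client talking to the same server is not internet-facing reflection
    ("192.0.2.50", 50000, "192.0.2.10", 389, "udp", 100),
    ("192.0.2.10", 389, "192.0.2.50", 50000, "udp", 8000),
]

def find_cldap_reflection(flows, local_nets, min_ratio=10.0, min_reply_bytes=10_000):
    """Return (server, remote, bytes_in, bytes_out, ratio) for each local udp/389
    responder that sends an external address far more than it received from it.
    min_ratio and min_reply_bytes are illustrative thresholds, not published values."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    is_local = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    totals = defaultdict(lambda: [0, 0])  # (server, remote) -> [bytes_in, bytes_out]
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == CLDAP_PORT and is_local(dst) and not is_local(src):
            totals[(dst, src)][0] += nbytes   # query arriving from outside
        elif sport == CLDAP_PORT and is_local(src) and not is_local(dst):
            totals[(src, dst)][1] += nbytes   # reply leaving toward the claimed client
    findings = []
    for (server, remote), (b_in, b_out) in totals.items():
        ratio = b_out / b_in if b_in else float("inf")
        if b_out >= min_reply_bytes and ratio >= min_ratio:
            findings.append((server, remote, b_in, b_out, round(ratio, 1)))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for f in find_cldap_reflection(SAMPLE_FLOWS, ["192.0.2.0/24"]):
        print("possible CLDAP reflector %s -> %s in=%d out=%d ratio=%s" % f)
```

The "remote" address in a finding is the likely victim, since the query source is spoofed; the action item is on the local server, which should not be answering udp/389 from the internet.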

FYI, Shadowserver has reported connectionless LDAP to network owners and national CERTs since November 2016.

73300 vulnerable hosts from what we are seeing in the last scan.

Cool, thanks for the info.

LDAP that isn't properly secured has always been a problem as long as there has been LDAP - what we're seeing happen now is rather than trying to compromise LDAP, attackers are using it to reflect volumetric DDOS attacks. November 2016 sounds about right, attackers would have been looking for the next "post Mirai" DDOS approach about then - with more and more practical (and more widespread) use of those platforms as time goes on.
Rob VandenBrink
