Number of CLDAP Reflectors Shot Up by 60% in 2022, Amplifying DDoS Risks

According to Black Lotus Labs, thousands of misconfigured CLDAP instances are enabling a surge in reflection attacks.

October 31, 2022

Recent findings indicate that reflection attacks, wherein vulnerable Microsoft servers are exploited to overwhelm websites with network traffic resulting in a distributed denial of service (DDoS) attack, are on the rise. According to Black Lotus Labs at Lumen, thousands of misconfigured Connectionless Lightweight Directory Access Protocol (CLDAP) instances are enabling these attacks.

Lumen Technologies’ threat intelligence arm, Black Lotus Labs, discovered almost 12,000 misconfigured servers running CLDAP (Microsoft’s iteration of LDAP), 60% more than in 2021. Threat actors exploit these vulnerable CLDAP servers as reflectors to carry out DDoS attacks.

A reflector is a vulnerable third-party server that threat actors can trick into bombarding a target website with heavy traffic, resulting in a DDoS attack. CLDAP, for its part, is a protocol used to access, retrieve and maintain user and system data (such as usernames, passwords, email addresses, etc.) in Microsoft Active Directory.

The primary difference between CLDAP and LDAP is that the former runs over the User Datagram Protocol (UDP), which can be abused for reflection when the service is reachable from the open internet. The same UDP service poses no reflection risk when it is not internet-facing.

“Despite the industry’s firm understanding of the mechanics of UDP reflection, as well as the fact that most of these UDP services vulnerable to reflection are accidental configurations, we continue to find plenty of vulnerable services out there, ready and waiting to generate a voluminous stream of junk traffic directed at a DDoS target of choice,” Lumen noted.

[Chart] CLDAP Reflectors as of October 2022 (Source: Black Lotus Labs)

As the chart indicates, almost 85% of the 12,142 reflectors emerged in the past 12 months, after a period of decline between 2017 and 2020. “After their discovery, the total count of open CLDAP reflectors dropped, likely due to the awareness brought by media attention. However, the spike in DDoS that occurred during the beginning of the pandemic in 2020 brought with it a return of CLDAP reflection,” Lumen explained.


Some of the more prominent CLDAP reflectors that Lumen discovered belonged to an unnamed religious organization, a North America-based retail business, and a telecom provider in the same region. To put the intensity in perspective, the reflectors belonging to the religious organization alone generated a DDoS incident of as much as 17 Gbps.

A 17 Gbps DDoS attack may not sound alarming on its own, though it is “perhaps strong enough to DoS some less well-provisioned servers all by itself. In theory, a hundred of these, working in unison, could generate a Terabit per second of attack traffic,” Lumen explained.

The simplest way to thwart CLDAP reflector-based DDoS attacks is to take these servers off the open internet and leave them reachable only if absolutely necessary. For those CLDAP instances that need to stay online, Lumen recommended the following:

  • Disable UDP: On versions of MS Server supporting LDAP ping on the TCP LDAP service, turn off the UDP service and access LDAP ping via TCP.
  • Apply rate limiters: If the Microsoft Server version doesn’t support LDAP ping on TCP, rate limit the traffic generated by the 389/UDP service to prevent use in DDoS.
  • Firewall: If the Microsoft Server version doesn’t support LDAP ping on TCP, firewall access to the port so that only your legitimate clients can reach the service.
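As an added illustration (not part of Lumen’s report or this article), the Python audit below runs over a few constructed 389/UDP flow records and checks the two things the rate-limiting and firewall recommendations are meant to guarantee: that only allow-listed clients reach the service, and how much larger the replies are than the requests that triggered them. The client ranges, host addresses and byte counts are assumed sample values.

```python
import ipaddress
from collections import defaultdict

# Address ranges that may legitimately send LDAP pings to the domain controllers (assumed).
LEGITIMATE_CLIENTS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

CLDAP_PORT = 389

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 10.0.0.5 is a domain controller; 203.0.113.9 plays the spoofed DDoS target.
FLOWS = [
    ("10.1.2.3", 51000, "10.0.0.5", 389, 64),       # legitimate LDAP ping
    ("10.0.0.5", 389, "10.1.2.3", 51000, 180),      # normal-sized reply
    ("203.0.113.9", 40000, "10.0.0.5", 389, 52),    # request carrying the victim's address
    ("10.0.0.5", 389, "203.0.113.9", 40000, 3000),  # much larger reply sent at the victim
    ("203.0.113.9", 40000, "10.0.0.5", 389, 52),
    ("10.0.0.5", 389, "203.0.113.9", 40000, 3000),
]


def is_legitimate(ip, allowed=LEGITIMATE_CLIENTS):
    """True if ip falls inside one of the permitted client ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def audit(flows, allowed=LEGITIMATE_CLIENTS):
    """Per CLDAP server: clients outside the allow-list that received replies,
    and the worst response/request byte ratio seen (the amplification factor)."""
    req = defaultdict(int)   # (server, client) -> bytes sent to 389/UDP
    resp = defaultdict(int)  # (server, client) -> bytes sent from 389/UDP
    for src, sport, dst, dport, size in flows:
        if dport == CLDAP_PORT:
            req[(dst, src)] += size
        elif sport == CLDAP_PORT:
            resp[(src, dst)] += size
    findings = {}
    for (server, client), out_bytes in resp.items():
        entry = findings.setdefault(server, {"unexpected_sources": [], "max_amplification": 0.0})
        if not is_legitimate(client, allowed):
            entry["unexpected_sources"].append(client)
        in_bytes = req.get((server, client), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")  # replies with no request
        entry["max_amplification"] = max(entry["max_amplification"], ratio)
    for entry in findings.values():
        entry["unexpected_sources"].sort()
    return findings


if __name__ == "__main__":
    for server, finding in audit(FLOWS).items():
        print(server, finding)
```

Any server that lists an unexpected source is reachable from outside the intended client set; a high ratio shows how much each spoofed request is multiplied before it leaves the network.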

Lumen also suggested implementing network-level defenses, such as Reverse Path Forwarding (RPF), to prevent IP source address spoofing.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com