Akamai researchers Jose Arteaga and Wilber Mejia have posted details on a new reflected DDoS approach, using the Connectionless LDAP (CLDAP) protocol on udp/389.
Reflected UDP attacks aren't new, but using CLDAP seems to be. Which made me wonder who are the folks that decided that their AD (or other LDAP directory) should be put on the internet without at least putting a certificate on it. Then I clued in – many SIP implementations use unsecured LDAP for authentication, authorization and for a directory. Shodan lists 12,718 (as of today) sites with udp/389 open – and yes, many of them answer as SIP directories.
The reflection part of the attack is likely a directory list from the root, or even a "tell me about yourself" query against the root would work nicely (that'd be my attack approach anyway).
And apparently some subset of those 12,718 sites can total up to a maximum (so far) of 24Gbps of reflected DDoS traffic – 3Gbps being the average seen to date. Akamai reports 7,629 sites were used, and they also report many more vulnerable sites than Shodan does.
Mitigation? The report offers a mix of "don't do that" as advice, with a Snort signature to kill the reflection attack. Unfortunately, the Snort signature needs to be applied at the vulnerable site – to which my question is: what are the odds that an organization that's posted LDAP on udp/389 open to the internet has an instance of Snort running? As is the case in so many DDoS situations, the hosts that are the source of the problem never see the problem; they're not the victims. So it's unlikely that we'll see this fixed anytime soon.
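If you do run an LDAP server that answers on udp/389, the reflection shows up in your own flow data as a lopsided byte ratio: small queries in, large responses out, to peers that are not your clients. The following is an added example (not from the diary or the Akamai advisory) that scores each external peer by outbound/inbound bytes on udp/389 over constructed flow records; the record format, the host address and the 10x threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic): one UDP flow per line,
# fields: src_ip src_port dst_ip dst_port bytes. 203.0.113.5 is "our" LDAP host.
SAMPLE_FLOWS = """\
198.51.100.7 40001 203.0.113.5 389 52
203.0.113.5 389 198.51.100.7 40001 3120
198.51.100.7 40002 203.0.113.5 389 52
203.0.113.5 389 198.51.100.7 40002 3120
10.0.0.23 5060 203.0.113.5 389 120
203.0.113.5 389 10.0.0.23 5060 900
192.0.2.9 1234 203.0.113.5 389 52
203.0.113.5 389 192.0.2.9 1234 60
"""

LDAP_HOST = "203.0.113.5"  # assumed address of the directory server
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
RATIO_THRESHOLD = 10.0  # assumed: flag peers receiving >10x what they sent

def parse_flows(text):
    """Turn the whitespace-separated records into (src, sport, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            s, sp, d, dp, b = line.split()
            flows.append((s, int(sp), d, int(dp), int(b)))
    return flows

def cldap_reflection_suspects(flows, ldap_host=LDAP_HOST, threshold=RATIO_THRESHOLD):
    """Return {peer: (bytes_in, bytes_out, ratio)} for external peers whose
    udp/389 responses exceed the threshold relative to what they queried.
    In a reflection attack the 'peer' is the spoofed victim, not the attacker."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for s, sp, d, dp, b in flows:
        if d == ldap_host and dp == 389:
            inbound[s] += b
        elif s == ldap_host and sp == 389:
            outbound[d] += b
    suspects = {}
    for peer, out_b in outbound.items():
        if any(ip_address(peer) in net for net in INTERNAL):
            continue  # internal clients (e.g. SIP devices) are expected
        in_b = inbound.get(peer, 0)
        ratio = out_b / in_b if in_b else float("inf")  # no query seen: asymmetric
        if ratio >= threshold:
            suspects[peer] = (in_b, out_b, round(ratio, 1))
    return suspects
```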
The full Akamai report can be found here: https://www.akamai.com/us/en/about/our-thinking/threat-advisories/connection-less-lightweight-directory-access-protocol-reflection-ddos-threat-advisory.jsp
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf
===============
Rob VandenBrink
Compugen
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.