Modern DDoS attacks seek fewer hosts, yet impale large network servers

Content delivery network Akamai Technologies has revealed that technology companies, educational institutions and gaming companies have been targeted by as many as 50 potent DDoS attacks using Connectionless Lightweight Directory Access Protocol (CLDAP) reflection.

Akamai reports that most of these attacks peaked at more than 1Gbps. The reflected traffic arrives from UDP source port 389, the port on which the abused CLDAP servers listen and one for which many networks still have no ingress filtering.

The report is technical, but its implication is simple: a DDoS attack no longer needs a large number of attacking hosts to be damaging. The attackers send small queries, with the victim's address forged as the source, to UDP port 389 on CLDAP servers that organisations have left reachable from the internet without ingress filtering. Each server answers the victim with a far larger response, so a modest attack is amplified into a large one.

For instance, in one case Akamai observed a CLDAP reflection query of only 52 bytes that drew a 3,662-byte response, a base amplification factor of roughly 70x. The average amplification across the attacks was a worrying 56.89x, and across the sample of 50 attacks the average peak bandwidth was around 3Gbps.

“When executed, the target IP becomes the source of all of the 52-byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the CLDAP servers do as they are designed and reply to the query. As a result, the target of this attack must deal with a flood of unsolicited CLDAP responses,” the report said.
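What that flood looks like from the victim's side, and how to pick it out of flow telemetry, as an added example that is not part of the Akamai report: many distinct sources on UDP/389 sending large responses to one protected address that never sent them a query. The flow record format, the protected prefix, the thresholds and the sample records (using documentation address ranges) are all constructed here for illustration; the 52-byte query size used to estimate amplification is the figure quoted above.

```python
"""Flag CLDAP reflection floods in flow records (added example, not Akamai's code).

A reflection flood is many distinct sources on UDP/389 sending large
responses into a protected address that never queried them. Flow format,
prefixes and thresholds are assumptions for this example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389

# Constructed records: "ts src_ip:port > dst_ip:port proto bytes packets"
SAMPLE_FLOWS = """\
# six reflectors answer 52-byte queries that the target never sent
1484300000 198.51.100.10:389 > 203.0.113.5:41982 udp 3662000 1000
1484300001 198.51.100.11:389 > 203.0.113.5:41982 udp 3010000 1000
1484300001 198.51.100.12:389 > 203.0.113.5:41982 udp 2900000 1000
1484300002 198.51.100.13:389 > 203.0.113.5:41982 udp 3100000 1000
1484300003 198.51.100.14:389 > 203.0.113.5:41982 udp 2950000 1000
1484300004 198.51.100.15:389 > 203.0.113.5:41982 udp 3200000 1000
# a host on the protected network legitimately queries its own DC
1484300002 203.0.113.20:52001 > 192.0.2.7:389 udp 52 1
1484300002 192.0.2.7:389 > 203.0.113.20:52001 udp 2048 1
# unrelated DNS reply to the target
1484300003 192.0.2.53:53 > 203.0.113.5:51000 udp 120 1
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    npackets: int


@dataclass(frozen=True)
class Alert:
    target: str
    window_start: int
    reflectors: int
    bps: float
    est_amplification: float


def parse_flows(lines):
    """Yield Flow objects; blank lines and '#' comments are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, arrow, dst, proto, nbytes, npkts = line.split()
        if arrow != ">":
            raise ValueError(f"bad record: {line}")
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield Flow(int(ts), sip, int(sport), dip, int(dport),
                   proto.lower(), int(nbytes), int(npkts))


def amplification_factor(query_bytes: int, response_bytes: float) -> float:
    """Bandwidth amplification factor: response size over query size."""
    return response_bytes / query_bytes


def detect_cldap_reflection(lines, protected_prefixes, window=10,
                            min_reflectors=3, min_bps=1_000_000,
                            assumed_query_bytes=52):
    """Return one Alert per (target, window) that looks like a CLDAP reflection flood."""
    nets = [ipaddress.ip_network(p) for p in protected_prefixes]

    def protected(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    solicited = set()               # (our_host, server, window) we queried ourselves
    inbound = defaultdict(list)     # (target, window) -> flows arriving from UDP/389
    for f in parse_flows(lines):
        if f.proto != "udp":
            continue
        w = f.ts // window
        if protected(f.src_ip) and f.dst_port == CLDAP_PORT:
            solicited.add((f.src_ip, f.dst_ip, w))
        elif protected(f.dst_ip) and f.src_port == CLDAP_PORT:
            inbound[(f.dst_ip, w)].append(f)

    alerts = []
    for (target, w), flows in sorted(inbound.items()):
        # A response is unsolicited if we sent that server no query in the same
        # window (a production detector would look back across windows).
        unsolicited = [f for f in flows if (target, f.src_ip, w) not in solicited]
        reflectors = {f.src_ip for f in unsolicited}
        total_bytes = sum(f.nbytes for f in unsolicited)
        total_pkts = sum(f.npackets for f in unsolicited)
        bps = total_bytes * 8 / window
        if len(reflectors) >= min_reflectors and bps >= min_bps:
            avg_response = total_bytes / total_pkts
            alerts.append(Alert(target, w * window, len(reflectors), bps,
                                amplification_factor(assumed_query_bytes, avg_response)))
    return alerts


if __name__ == "__main__":
    for alert in detect_cldap_reflection(SAMPLE_FLOWS.splitlines(), ["203.0.113.0/24"]):
        print(alert)
```

On the constructed sample this raises one alert for 203.0.113.5 (six reflectors, about 15Mbps, an estimated 60x amplification per packet against a 52-byte query) and stays silent for 203.0.113.20, whose inbound CLDAP reply matches a query it sent itself. The thresholds are deliberately low for the small sample; in practice the reflector count and bit rate would be tuned to the network's normal CLDAP usage.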

To gauge the true extent of the problem, Akamai conducted an internet-wide scan which revealed as many as 78,531 unique hosts which could be used to conduct DDoS attacks. The average amplification factor was found to be 51.8x for all these hosts. Of these, 3,495 were found to be located in the UK.

Akamai recommends that ISPs and companies filter inbound traffic to UDP port 389 from the internet at the network edge, which stops attackers from discovering the servers and abusing them as reflectors. The firm also observed that organisations should not expose CLDAP unless there is a legitimate need for it, and where there is, should audit that exposure from outside to keep it secure.
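One form such an external audit can take, as an added example that is not Akamai's scanner or the report's own code: send the anonymous rootDSE query that ldapsearch and nmap's ldap-rootdse script send, over UDP to port 389, from an internet vantage point, and see whether your own server answers. A server that answers is exactly what the scan above counts as usable. The BER encoding below follows the LDAP SearchRequest layout; the helper names, the constructed reply used in the usage note and the timeout are assumptions of this example. Run it only against addresses you are authorised to test.

```python
"""Audit probe: does a host answer anonymous CLDAP (UDP/389) rootDSE queries?

Added example, not Akamai's scanner. Run it only against hosts you are
authorised to test. The query is the standard anonymous rootDSE read; a
server that answers it from the internet can be used as a reflector.
"""
import socket

CLDAP_PORT = 389
OP_NAMES = {0x64: "searchResEntry", 0x65: "searchResDone"}


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_length(buf: bytes, offset: int = 0):
    """Return (content_length, header_size) of the TLV whose tag is at buf[offset]."""
    first = buf[offset + 1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    return int.from_bytes(buf[offset + 2:offset + 2 + n], "big"), 2 + n


def build_rootdse_query(message_id: int = 1) -> bytes:
    """LDAPMessage{ messageID, SearchRequest{ base "", scope baseObject,
    filter (objectClass=*), empty attribute list } }: an anonymous rootDSE read.
    Naming no attributes asks for every user attribute, which is why the
    reply is so much larger than the query."""
    assert 0 < message_id < 0x80            # keep the INTEGER one positive byte
    search = (
        ber(0x04, b"")                      # baseObject: "" (the rootDSE)
        + ber(0x0A, b"\x00")                # scope: baseObject
        + ber(0x0A, b"\x00")                # derefAliases: neverDerefAliases
        + ber(0x02, b"\x00")                # sizeLimit: 0
        + ber(0x02, b"\x00")                # timeLimit: 0
        + ber(0x01, b"\x00")                # typesOnly: FALSE
        + ber(0x87, b"objectClass")         # filter: present(objectClass)
        + ber(0x30, b"")                    # attributes: empty SEQUENCE
    )
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x63, search))


def first_op(msg: bytes) -> str:
    """Name the protocolOp of the first LDAPMessage in a datagram."""
    if len(msg) < 2 or msg[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    _, hdr = ber_length(msg, 0)
    id_len, id_hdr = ber_length(msg, hdr)   # skip the messageID TLV
    tag = msg[hdr + id_hdr + id_len]
    return OP_NAMES.get(tag, f"op-0x{tag:02x}")


def summarise(query: bytes, datagrams) -> dict:
    """Size the reply and compute its amplification (reply bytes / query bytes)."""
    total = sum(len(d) for d in datagrams)
    return {"datagrams": len(datagrams), "bytes": total,
            "first_op": first_op(datagrams[0]),
            "amplification": total / len(query)}


def probe(host: str, timeout: float = 2.0):
    """Send one rootDSE query and collect every datagram until the timeout.
    Returns None when the host is silent (filtered, or not serving CLDAP)."""
    query = build_rootdse_query()
    chunks = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, CLDAP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                chunks.append(data)
        except socket.timeout:
            pass
    return summarise(query, chunks) if chunks else None


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

The query encodes to 39 bytes. A host that is correctly filtered returns None; a host that answers returns the reply size, the first protocolOp (a searchResEntry when the server hands over its rootDSE) and the amplification it would give an attacker, which is the number to compare against the 50x to 70x figures quoted above.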

Between October 14, 2016 and January 13, 2017, Akamai Technologies mitigated 50 amplified DDoS attacks that took the CLDAP route. Of the targets, 21 were technology companies, 15 were gaming companies and several of the rest were educational institutions. The firm thinks that because the total number of exposed CLDAP hosts is relatively small, the overall impact has not been too grave so far. However, if attackers were to add CLDAP to a full attack script and integrate it into booter/stresser infrastructure, the resulting attacks could prove very expensive for the affected companies and institutions.

It is not known whether CLDAP reflection contributed to it, but back in 2015 Akamai reported that DDoS attacks in the third quarter of that year rose by 23%, a record high. The most affected were online gamers, followed by software and technology firms. Alarmingly, attacks on UK targets made up 25.6 per cent of all DDoS attacks globally.

Copyright Lyonsdown Limited 2021
