New LDAP Attack Magnifies Malicious Traffic, Fuels IoT Worries
- Share New LDAP Attack Magnifies Malicious Traffic, Fuels IoT Worries on Twitter Share New LDAP Attack Magnifies Malicious Traffic, Fuels IoT Worries on Facebook Share New LDAP Attack Magnifies Malicious Traffic, Fuels IoT Worries on LinkedIn
- Home > News > New LDAP Attack Magnifies Malicious Traffic, Fuels IoT Worries
- Security firm Corero recently observed an LDAP attack that enabled cybercriminals to significantly amplify malicious distributed denial-of-service (DDoS) traffic and easily take down websites.
- Corero observed three attacks with an average amplification of 46 times, reaching 55 times at peak.
- Many companies are at risk of an LDAP attack but don’t realize it.
An LDAP attack, combined with an IoT-based campaign, has the potential to wipe out web services instantaneously with massive volumes of DDoS traffic.
@IBMSecurity: New LDAP attack magnifies malicious traffic, fuels #IoT worries: #infosec
Lightweight directory access protocol (LDAP) functions as a kind of internal search solution, helping companies find everything from contact information to encryption certificates and network services. As noted by SC Magazine, however, it’s also a serious threat vector.
Security firm Corero recently observed an LDAP attack that enabled cybercriminals to significantly amplify malicious distributed denial-of-service (DDoS) traffic and easily take down websites. Even worse, experts warned that, combined with an Internet of Things (IoT)-based effort, these attacks could reach “unprecedented bandwidth levels.” Here’s the lowdown on LDAP.
Many companies are at risk of an LDAP attack but don’t realize it. Firewalls are often configured to leave port 389 open, allowing connectionless LDAP-based data communication. An attacker can query these protocol servers using a spoofed IP address, which sends a massive response to the intended target.
Corero observed three attacks with an average amplification of 46 times, reaching 55 times at peak. This yields a bandwidth range of 22 to 28 Gbps, much more than any network can reasonably handle.
This isn’t the first time LDAP issues have emerged. As noted by The Register, a flaw discovered in Cisco Prime made it possible for attackers to bypass authentication requirements and gain full admin access.
And, as Dark Reading pointed out, LDAP is only the most recent protocol to be exploited. According to Dave Larson of Corero, “novel amplification attacks like this occur because there are so many open services on the internet that will respond to spoofed queries.”
In addition to the more reasonable throughput of LDAP attacks, Corero also observed one that reached 70 Gpbs — a rate impossible to achieve with a single LDAP server. Experts suspect the effort required at least a small botnet to make high-volume queries of multiple LDAP servers and send them all to the same target.
The bigger worry here is that, combined with IoT-based threats, lightweight directory attacks could set new benchmarks for DDoS power. In fact, the framework already exists.
The BBC reported that home webcams and other connected consumer devices were recently leveraged to take down huge websites like Twitter, Reddit and Spotify. Add LDAP amplification into the mix, and DDoS attacks could reach traffic volumes substantial enough to wipe out web services almost instantaneously.
The solution to this problem comes in two parts: First, companies need to check their firewall settings and make sure port 389 is never left open. If attackers can’t connect to LDAP servers, they can’t spoof or amplify traffic.
The other part of this puzzle relies on device manufacturers changing the way they do business — no more hardcoded passwords and no ability to leave default passwords in place once devices are activated. Businesses must also stop leaving passwords unchanged for months or allowing IoT devices unfettered network access.
LDAP attacks won’t be the last protocol-based DDoS to threaten corporate networks, but they do offer a worrisome glimpse of the future threat landscape. In the absence of private ports and secure IoT, DDoS is king.
A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for the IBM Midsize Insider, The Content Standard and Proteomics programs for Skyword, Doug also writes for companies like Ephricon Web Marketing and sites such as MSDynamicsWorld. Clients are impressed with not only his command of language but the minimal need for editing necessary in his pieces. His ability to create readable, relatable articles from diverse Web content is second to none. He has also written a weekly column for TORWars, a videogaming website; posts about invention and design for InventorSpot.com and general knowledge articles for WiseGeek. From 2010-2012, Doug did copywriting for eCopywriters.com. Doug is currently a municipal police officer, on track to become a fantasy/sci-fi author.