When good technology goes bad: CLDAP DDoS attacks
In 1863 a German chemist named Julius Wilbrand prepared a chemical compound called trinitrotoluene because he needed a yellow dye. There isn't much written in the history books about how effective it actually was as a dye. Instead, people tend to focus on some of its other capabilities, and they tend to call it by its shortened name: TNT.
In the right hands (or should that be wrong hands?), many decent inventions and technologies can be turned into a weapon. That's exactly how it's gone for CLDAP, a lightweight directory lookup protocol that is now doubling as one of the newer reflection vectors in DDoS attacks.
DDoS attacks are distributed denial of service attacks, a type of attack that takes aim at a website or online service and either slows it down so much that it's hard or impossible to use, or takes it offline altogether. It typically does so using a botnet, a collection of internet-connected devices infected by malware that lets attackers control them remotely and direct malicious traffic at the target until the server or the network in front of it is overwhelmed.
CLDAP stands for Connectionless Lightweight Directory Access Protocol. It is a variant of LDAP that carries a single search request and its reply in UDP datagrams (port 389) instead of a TCP session, and it is meant for quick, read-only lookups; unlike full LDAP it cannot modify a directory. Its best-known user is Active Directory, Microsoft's directory service for Windows domain networks, where clients send a CLDAP query to locate domain controllers and check that they are alive. A domain controller whose UDP port 389 is reachable from the internet will answer such queries from anyone, without authentication, which is what leaves it exposed to attackers looking for something to leverage in DDoS attacks.
Anatomy of an attack
A CLDAP DDoS attack is a reflection attack: the attacker makes a legitimate third party send the attack traffic to the victim without that third party's knowledge. Here the attacker directs the devices in a botnet to send requests whose source IP address is forged to be the target's, so every packet appears to come from the target. CLDAP runs over UDP, which has no handshake, so the exposed server has no way to check where a request really came from. Masquerading as the target, the bots send a small search query (commonly a request for the server's root DSE, the handful of entries that describe the directory itself) to the exposed CLDAP service, the unwitting third party in the reflection. The service answers as it would any query, but it sends the reply, which is far larger than the request, to the address written in the packet: the actual target, not the device that spoofed it.
These attacks have an amplification factor of about 70, measured in bytes: a request of a few dozen bytes draws a reply of a few kilobytes, so every byte the botnet spends lands on the target roughly 70 times over. With an amplification attack, a small botnet, or even a handful of hosts on networks that still allow source-address spoofing, can result in a very big attack.
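To make the numbers above concrete, here is an added example (not code from the original article): it hand-encodes the kind of anonymous root-DSE search request a domain controller answers over UDP, computes the amplification factor from the request size and an assumed reply size (2730 bytes is chosen here only so the result matches the article's figure of about 70; real replies vary with the directory), and runs a simple detector over constructed flow records to flag a host that is receiving large UDP datagrams from port 389 of many servers it never queried. The flow format, the IP addresses and the thresholds are assumptions for illustration.

```python
"""Added example (not code from the original article): encode the small CLDAP
search request a reflector answers, compute the amplification it yields, and
flag reflected CLDAP traffic in flow records. All sample data is constructed."""
from collections import defaultdict

CLDAP_PORT = 389  # LDAP/CLDAP; CLDAP is LDAP carried in a single UDP datagram


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """BER INTEGER for a non-negative value (leading 0x00 added when needed)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def rootdse_search_request(message_id: int = 1) -> bytes:
    """LDAPMessage{messageID, SearchRequest} asking for the root DSE:
    baseObject "", scope baseObject, filter (objectClass=*), no attribute list
    (RFC 4511 encoding). A domain controller answers this anonymously over UDP."""
    search = (
        tlv(0x04, b"")               # baseObject: "" -> root DSE
        + tlv(0x0A, b"\x00")         # scope: baseObject
        + tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + ber_int(0)                 # sizeLimit: none
        + ber_int(0)                 # timeLimit: none
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present(objectClass) [CONTEXT 7]
        + tlv(0x30, b"")             # attributes: empty -> server returns all user attrs
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))  # 0x63 = [APPLICATION 3]


def amplification(request: bytes, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the reflector emits per byte the
    attacker spends."""
    return response_bytes / len(request)


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # Four unrelated LDAP servers all 'answering' one host that never asked them
    ("203.0.113.10", 389, "198.51.100.7", 40001, "udp", 27300, 10),
    ("203.0.113.11", 389, "198.51.100.7", 40001, "udp", 27300, 10),
    ("203.0.113.12", 389, "198.51.100.7", 40001, "udp", 27300, 10),
    ("203.0.113.13", 389, "198.51.100.7", 40001, "udp", 27300, 10),
    # Ordinary CLDAP ping from a client to its own domain controller and back
    ("10.0.0.20", 50123, "10.0.0.5", 389, "udp", 39 * 5, 5),
    ("10.0.0.5", 389, "10.0.0.20", 50123, "udp", 400, 5),
    # Unrelated DNS answers
    ("10.0.0.53", 53, "10.0.0.20", 50124, "udp", 1200, 10),
]


def find_cldap_reflection(flows, min_reflectors: int = 3, min_avg_bytes: int = 1000):
    """Flag destinations receiving large UDP datagrams *from* port 389 sent by
    many distinct sources. Returns {dst_ip: (reflector_count, avg_bytes_per_packet)}."""
    by_dst = defaultdict(lambda: [set(), 0, 0])  # dst -> [sources, bytes, packets]
    for src, sport, dst, _dport, proto, nbytes, npkts in flows:
        if proto == "udp" and sport == CLDAP_PORT:
            entry = by_dst[dst]
            entry[0].add(src)
            entry[1] += nbytes
            entry[2] += npkts
    hits = {}
    for dst, (srcs, nbytes, npkts) in by_dst.items():
        avg = nbytes / npkts if npkts else 0.0
        if len(srcs) >= min_reflectors and avg >= min_avg_bytes:
            hits[dst] = (len(srcs), avg)
    return hits


if __name__ == "__main__":
    req = rootdse_search_request()
    print(f"request: {len(req)} bytes -> {req.hex()}")
    print(f"amplification with a 2730-byte reply: {amplification(req, 2730):.0f}x")
    print("reflection targets:", find_cldap_reflection(FLOWS))
```

The request comes out at 39 bytes, which is the whole point: the attacker's cost per packet is tiny, the reflector pays for the reply, and the target pays for receiving it. The detector keys on source port 389 rather than destination port because, at the victim, reflected traffic looks like answers to questions nobody asked; the same logic applies to other UDP reflectors by swapping the port.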
The big picture
There's an entire class of distributed denial of service attacks called protocol attacks that occur because attackers are able to take advantage of how legitimate and very useful internet protocols were designed (above all, the fact that UDP services answer whoever the packet claims to be from) rather than of any bug in them. CLDAP attacks join a list that includes UDP floods, SYN floods, Ping of Death attacks, NTP amplification and fragmented packet attacks, among others.
For DDoS attackers, opportunity can seemingly be found anywhere and everywhere. Protocol attacks are especially attractive to crafty attackers because they're difficult for the target to defend against: these protocols are necessary for the internet to run correctly, and a target cannot simply drop every packet related to the protocols being leveraged without also breaking legitimate use. The reflector side is a different story. A domain controller has no business answering UDP port 389 from the internet, so restricting that port to the internal network removes the amplifier, and network operators that filter spoofed source addresses at their edge (BCP 38) stop their customers' hosts from being used to launch these attacks in the first place.
If it isn't a massive Internet of Things (IoT) botnet blasting websites with record-setting amounts of malicious traffic, it's a small botnet taking advantage of a protocol to launch an amplification attack, and if it isn't either of those things, it's a run-of-the-mill botnet being rented out through a DDoS-for-hire service. These attacks are coming from everywhere and using all kinds of strategies to hit various targets.
With nearly every website on the internet a potential target thanks to industry competition, corporate revenge, the lure of social media infamy for script kiddies and even basic extortion attempts from someone looking to make some fast cash, it has never been more imperative to have professional DDoS protection. Going without it is just asking for disaster, which will come in the form of angry users, diminished loyalty, lost traffic and revenue, and possibly even data theft from intrusions launched under cover of the attack. That isn't even mentioning the cost of dealing with an unmitigated attack.
CLDAP and other protocols being used for DDoS attacks isn’t exactly on the level of a soybean herbicide being turned into Agent Orange or the newly-invented megaphone being adopted by Hitler’s minister of propaganda, but it is yet another example of what should be a good thing used for something that is decidedly not good. Do the people who worked so hard to develop the protocol a favor by protecting against DDoS attacks and allowing those useful protocols to be nothing more than useful protocols.