(Source – Shutterstock)

Attackers are using CLDAP to amplify DDoS attacks up to 70 times

  • The Q3 DDoS report from Lumen Technologies describes attack trends, including the growing number of CLDAP reflectors.
  • CLDAP has a 56–70 times bandwidth amplification factor.

The only consistency with the threat landscape is that it’s inconsistent. The security industry has warned about the sophistication of DDoS attacks prepared by attackers for years.

Businesses must be ready to endure DDoS attacks, especially reflective DDoS attacks. Further, but businesses also need to be aware of any potential weaknesses in their defenses that might allow them to become an unsuspecting participant.

A pair of study publications from Black Lotus Labs, a security research division of Lumen Technologies, indicate how attackers have been abusing the CLDAP protocol in Microsoft environments.

What is CLDAP?

CLDAP stands for Connectionless Lightweight Directory Access Protocol. An IP network can use the industry-standard LDAP protocol to communicate with a directory service. An organization has directory information, including usernames, passwords, email addresses, and employee names, which must be kept somewhere. Business applications can query user data via LDAP.

The “C” in CLDAP stands for “connectionless,” and it refers to the fact that information requests are made using UDP, a best-effort protocol that, unlike TCP, does not require connection confirmation before sending or receiving data.

What makes this attack strategy so successful for attackers?

CLDAP has a bandwidth amplification factor of 56 to 70 times the original request, making it a desirable reflection vector. Almost all the mirrored CLDAP traffic during the May 2021 DDoS attack on Belnet, one of the ISPs for the Belgian government, was CLDAP.

Russian-aligned Killnet hacktivist group has been using CLDAP reflection and other DDoS attack methods against its targets. Furthermore, according to a recent study by Black Lotus Labs, the number of CLDAP reflectors accessible online has grown by more than 60% in the last year.

It is concerning that CLDAP is still prevalent and capable of producing significant, damaging attacks, says Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs, especially considering the well-established best practices for prevention.

“Organizations running Active Directory should understand the risks of publicly exposing CLDAP, and we strongly recommend they restrict access to only the hosts and networks that need access,” he added.

Attackers continuing to launch DDoS attacks

Black Lotus Labs is still monitoring and analyzing vulnerable CLDAP reflectors and incorporating the information into the Lumen Connected Security portfolio. Along with stopping long-lived CLDAP reflector traffic from travelling over the Lumen global backbone, the team is stepping up its efforts to alert legitimate, third-party hosts of CLDAP reflection activity.

Key findings from the Lumen Q3 2022 DDoS report:

  • The highest bandwidth attack cleaned by Lumen was 493 Gbps, and the company mitigated 5,547 attacks in Q3, a 21% increase over Q2. The largest mitigation in Q2—which was also Lumen’s largest to date at 06 Tbps—was almost half the scale of this.
  • Despite accounting for only 3% of mitigations, Session Initiation Protocol (SIP) attacks, which target VoIP infrastructure, continue to be of interest due to a sharp increase in the past year. This quarter’s growth over Q2 was 59%.
  • The top five businesses targeted were telecommunications, gaming, software and technology, government and finance.
  • Nearly 40% of the 5,500+ attempts that Lumen stopped in Q3 were directed at just one government customer. The customer didn’t notice any outage despite the barrage and a focused effort around July 4.

The combined research from Black Lotus Labs and the Lumen DDoS mitigation software, according to Peter Brecl, head of security product management for Lumen, emphasizes a crucial truth for businesses today. Attacks have become more sophisticated, and cybercriminals are constantly looking for new ways to accomplish their goals.

“This means organizations need to consider a holistic security solution that includes DDoS mitigation to protect the availability of infrastructure and applications, Web Application and API Protection (WAAP) to protect against application-layer attacks, and bot management services to protect from malicious or unwanted bots. As organizations navigate through their digital transformation, this type of multi-layered approach is more important than ever,” explained Brecl.