Corero's SecureWatch Research Team has discovered a new distributed denial of service (DDoS) Reflection/Amplification attack vector that leverages Connectionless Lightweight Directory Access Protocol (CLDAP UDP:389). Within our customer base during the past week there were three potentially devastating events, with a peak saturation of 70Gbps and a peak amplification factor of 55X.
Thankfully for our customers, these zero-day events were fully auto-mitigated by the SmartWall® DDoS Defense System Smart-Rule. No human intervention was necessary in mitigating this previously unknown DDoS attack vector.
We are wondering if anyone else is seeing this in the wild now, and we’re curious if anyone has a rational justification for leaving port 389 open on a firewall. A cursory look at available scan data suggests more than 100,000 instances openly reachable on the Internet. I suspect this is just poor hygiene, but would be interested in other opinions.
Below is a screenshot of one of the attacks, as captured by our SecureWatch Analytics software:
Incidentally, the above DDoS attack resulted in total saturation of three 10G links for the duration of the attack, so the actual peak saturation was somewhat higher than 70Gbps. This is further proof that link saturation does not necessarily mean disaster, because our customer reported no outage or complaints.
For more information, read our press release here.